darvincisec / DetectFrida

Detect Frida for Android
MIT License
665 stars 138 forks

can not find libnative-lib.so in /proc/self/maps , then crash #44

Open tangxianqiang opened 1 year ago

tangxianqiang commented 1 year ago

The source code:

```c
/* openat() returns -1 on failure, so test for that rather than for 0 */
if ((fd = my_openat(AT_FDCWD, PROC_MAPS, O_RDONLY | O_CLOEXEC, 0)) != -1) {
    while ((read_one_line(fd, map, MAX_LINE)) > 0) {
        for (int i = 0; i < NUM_LIBS; i++) {
            if (my_strstr(map, libstocheck[i]) != NULL) {
                char tmp[MAX_LENGTH] = "";
                char path[MAX_LENGTH] = "";
                char buf[5] = "";
                /* maps fields: address perms offset dev inode path */
                sscanf(map, "%s %s %s %s %s %s", tmp, buf, tmp, tmp, tmp, path);
                if (buf[2] == 'x') {
                    /* executable mapping: keep its file path for the checksum step */
                    size_t size = my_strlen(path) + 1;
                    filepaths[i] = malloc(size);
                    my_strlcpy(filepaths[i], path, size);
                    counter++;
                }
            }
        }
        if (counter == NUM_LIBS)
            break;
    }
    my_close(fd);
}
```

will show a different result on the same device.
tangxianqiang commented 1 year ago

I have two projects, Project A and Project B. Project A returns "/data/app/~~CO_gep4LvPJ4O0K5jpDa3Q==/com.cnsgta.singpassion-rJx-gIA5vvcs_YktINesDA==/lib/arm64/libnative-lib.so" when executing "parse_proc_maps_to_fetch_path", but Project B does not return it on the same device. It is so weird!

tangxianqiang commented 1 year ago

I don't know why the libnative-lib.so I loaded doesn't show up in /proc/self/maps, but another project does. They are all on the same device. The code is also the same.

tangxianqiang commented 1 year ago

#18: if libnative-lib.so is not found in /proc/self/maps, then there will be a crash:

```c
for (int i = 0; i < NUM_LIBS; i++) {
    fetch_checksum_of_library(filePaths[i], &elfSectionArr[i]);
    if (filePaths[i] != NULL)
        free(filePaths[i]); //crash!!!!!!!!!!!
}
```
tangxianqiang commented 1 year ago

Thanks for letting me report this. Please tell me why...

tangxianqiang commented 1 year ago

I found the reason, but I don't know how the lower layers of Android are designed, or why adding android:extractNativeLibs="true" is enough. Does android:extractNativeLibs="true" affect the shared library information in /proc/self/maps? #18 may have the same cause.
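The behaviour behind this comment, as an added example that is not part of the DetectFrida project or of this thread: with android:extractNativeLibs="false", the linker maps the library straight out of the APK, so the path column of /proc/self/maps shows base.apk (with a nonzero file offset) and a search for the string "libnative-lib.so" finds nothing. The parser below handles both layouts and reports "not found" instead of handing a NULL path to the checksum step. The maps lines, package paths, `resolve_library` and `map_entry_t` are all constructed for this example; treating the executable ".apk" mapping as the embedded library is an assumption that holds when the app maps only one native library from its APK.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LINE 512
#define MAX_PATH 256

/* One parsed mapping from /proc/<pid>/maps. */
typedef struct {
    unsigned long start, end;
    unsigned long offset;   /* file offset of the mapping; nonzero when the .so lives inside base.apk */
    char perms[5];          /* e.g. "r-xp" */
    char path[MAX_PATH];    /* empty for anonymous mappings without a name */
} map_entry_t;

typedef enum { LIB_NOT_FOUND = 0, LIB_EXTRACTED = 1, LIB_IN_APK = 2 } lib_location_t;

/* Parse one maps line: "start-end perms offset dev inode [path]". Returns 1 on success. */
static int parse_maps_line(const char *line, map_entry_t *e) {
    int consumed = 0;
    memset(e, 0, sizeof *e);
    if (sscanf(line, "%lx-%lx %4s %lx %*s %*s %n",
               &e->start, &e->end, e->perms, &e->offset, &consumed) < 4)
        return 0;
    /* %n records where the path column begins (end of string if there is none) */
    strncpy(e->path, line + consumed, sizeof e->path - 1);
    return 1;
}

/* Walk a maps text and return the first executable mapping whose path contains `needle`. */
static int find_exec_mapping(const char *maps, const char *needle, map_entry_t *out) {
    const char *p = maps;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[MAX_LINE];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        map_entry_t e;
        if (parse_maps_line(line, &e) && e.perms[2] == 'x' && strstr(e.path, needle) != NULL) {
            *out = e;
            return 1;
        }
        p = nl ? nl + 1 : p + len;
    }
    return 0;
}

/* Locate `libname` for the checksum step. Never returns a NULL path: the caller
   branches on the enum instead of dereferencing whatever the scan produced. */
lib_location_t resolve_library(const char *maps, const char *libname, map_entry_t *out) {
    if (find_exec_mapping(maps, libname, out))
        return LIB_EXTRACTED;           /* extractNativeLibs="true": open out->path directly */
    /* Assumption for this example: the only executable .apk mapping is our embedded .so
       (extractNativeLibs="false"); out->offset then tells where inside the APK it sits. */
    if (find_exec_mapping(maps, ".apk", out))
        return LIB_IN_APK;
    return LIB_NOT_FOUND;               /* caller must skip checksum and free nothing */
}

/* Constructed sample input (fictional addresses and package paths). */
static const char MAPS_EXTRACTED[] =
    "7f3a2b1000-7f3a2b2000 r--p 00000000 fd:00 1234  /data/app/~~abc==/com.example.app-xyz==/lib/arm64/libnative-lib.so\n"
    "7f3a2b2000-7f3a2b5000 r-xp 00001000 fd:00 1234  /data/app/~~abc==/com.example.app-xyz==/lib/arm64/libnative-lib.so\n"
    "7f3a2b5000-7f3a2b6000 r--p 00004000 fd:00 1234  /data/app/~~abc==/com.example.app-xyz==/lib/arm64/libnative-lib.so\n";
static const char MAPS_EMBEDDED[] =
    "7f3a2b1000-7f3a2b2000 r--p 00a2c000 fd:00 5678  /data/app/~~abc==/com.example.app-xyz==/base.apk\n"
    "7f3a2b2000-7f3a2b5000 r-xp 00a2d000 fd:00 5678  /data/app/~~abc==/com.example.app-xyz==/base.apk\n"
    "7f3a2b9000-7f3a2ba000 rw-p 00000000 00:00 0     [anon:.bss]\n";

int main(void) {
    static const char *names[] = { "not found", "extracted .so", "inside base.apk" };
    map_entry_t e;
    lib_location_t r = resolve_library(MAPS_EXTRACTED, "libnative-lib.so", &e);
    printf("extracted layout: %s (%s @ offset 0x%lx)\n", names[r], e.path, e.offset);
    r = resolve_library(MAPS_EMBEDDED, "libnative-lib.so", &e);
    printf("embedded layout:  %s (%s @ offset 0x%lx)\n", names[r], e.path, e.offset);
    r = resolve_library("", "libnative-lib.so", &e);
    printf("empty maps:       %s\n", names[r]);
    return 0;
}
```

On a real device the text comes from reading /proc/self/maps; the LIB_IN_APK case is the one the project's string match misses, and the LIB_NOT_FOUND case is the one that must not reach `fetch_checksum_of_library` with a NULL path.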

vivek-np commented 7 months ago

@tangxianqiang are you able to figure it out and fixed this issue in your project ?

tangxianqiang commented 6 months ago

> @tangxianqiang are you able to figure it out and fixed this issue in your project ?

android:extractNativeLibs="true" is ok for me.