/*
You copy 26 bytes, the remaining alignment bytes are junk (not \0\0),
PTRACE_POKETEXT will write those 2 junk bytes from malloc(28)!
*/
memcpy(ptr, buf, blen);
The remote write then becomes "/data/local/tmp/libhook.so??" instead of "/data/local/tmp/libhook.so\0\0"
Finally, when the remote dlopen is called, it's looking up a bad filename and thus fails to inject.
Solution:
Use calloc() instead of malloc() (https://github.com/evilsocket/arminject/blob/master/jni/injector/traced.hpp#L144)
PS. Sometimes you'll get real lucky and malloc actually returns 0 initialized bytes in the alignment area, masking this elusive issue! ;)
Cheers!
Martin Alexander
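An added illustration of the padding issue described in this report (example code written for this page, not arminject's own injector): the word-granular remote write is simulated with a plain memcpy loop standing in for PTRACE_POKETEXT, the heap bytes after the path are filled with '?' so the junk is deterministic rather than luck-dependent, and the same path is built once with malloc and once with calloc. The example reserves a terminator slot before rounding up to the word size; the report does not say what the injector does for a length that is already a multiple of four, so treat that detail as an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WORD 4   /* PTRACE_POKETEXT on 32-bit ARM writes one 4-byte word at a time */

/* Round a byte count up to a multiple of the word size. */
static size_t aligned_len(size_t n) {
    return (n + WORD - 1) & ~(size_t)(WORD - 1);
}

/* Stand-in for the remote write: only whole words cross into "remote" memory,
   so the last word carries whatever follows the string in the local buffer. */
static void poke_words(unsigned char *remote, const unsigned char *local, size_t alen) {
    for (size_t off = 0; off < alen; off += WORD)
        memcpy(remote + off, local + off, WORD);
}

/* Build the path in a word-aligned local buffer, "poke" it into a simulated remote
   buffer and report whether the remote side sees exactly the intended string.
   use_calloc == 0 reproduces the bug from the report; use_calloc != 0 is the fix.
   Returns 1 on match, 0 on mismatch, -1 on allocation failure. */
static int remote_path_matches(const char *path, int use_calloc) {
    char remote[64];                           /* constructed stand-in for remote memory */
    memset(remote, '?', sizeof remote);        /* whatever happened to be there before */
    remote[sizeof remote - 1] = '\0';          /* keeps strcmp() bounded in the simulation */

    size_t blen = strlen(path);                /* the report's blen: bytes without the NUL */
    size_t alen = aligned_len(blen + 1);       /* aligned size with room for a terminator */
    unsigned char *ptr = use_calloc ? calloc(1, alen) : malloc(alen);
    if (!ptr) return -1;
    if (!use_calloc) memset(ptr, '?', alen);   /* make the uninitialised bytes deterministic */
    memcpy(ptr, path, blen);                   /* the copy quoted in the report */
    poke_words((unsigned char *)remote, ptr, alen);
    free(ptr);
    return strcmp(remote, path) == 0;
}

int main(void) {
    const char *path = "/data/local/tmp/libhook.so";  /* 26 bytes, padded to 28 */
    printf("malloc: %s\n", remote_path_matches(path, 0) == 1 ? "ok" : "junk after path");
    printf("calloc: %s\n", remote_path_matches(path, 1) == 1 ? "ok" : "junk after path");
    return 0;
}
```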