lico-n / ZygiskFrida

Injects frida gadget using zygisk to bypass anti-tamper checks.
MIT License

Failed to inject /data/local/tmp/re.zyg.fri/libgadget.so : dlopen failed: library "/data/local/tmp/re.zyg.fri/libgadget.so" needed or dlopened by "/vendor/lib/egl/libEGL_adreno.so" is not accessible for the namespace "sphal" #18

Closed Karanveer7921 closed 10 months ago

Karanveer7921 commented 10 months ago

I am trying to use this module to inject the libgadget.so provided by the module itself.

However, I am getting an error similar to issue #10.

Here are the logs:

```
App detected: [REDACTED]
Wait for process to complete init
Process init completed
Injecting /data/local/tmp/re.zyg.fri/libgadget.so
Failed to inject /data/local/tmp/re.zyg.fri/libgadget.so : dlopen failed: library "/data/local/tmp/re.zyg.fri/libgadget.so" needed or dlopened by "/vendor/lib/egl/libEGL_adreno.so" is not accessible for the namespace "sphal"
```

I saw the permissions issue discussed in issue #10, so I tried the following script (running as su):

```sh
# set_perm <path> <uid> <gid> <mode> [selinux context]
set_perm() {
  chown "$2:$3" "$1" || return 1
  chmod "$4" "$1" || return 1
  local CON=$5
  # default to the same context system files carry
  [ -z "$CON" ] && CON=u:object_r:system_file:s0
  chcon "$CON" "$1" || return 1
}

# set_perm_recursive <dir> <uid> <gid> <dir mode> <file mode> [selinux context]
set_perm_recursive() {
  find "$1" -type d 2>/dev/null | while read -r dir; do
    set_perm "$dir" "$2" "$3" "$4" "$6"
  done
  find "$1" \( -type f -o -type l \) 2>/dev/null | while read -r file; do
    set_perm "$file" "$2" "$3" "$5" "$6"
  done
}

TMP_MODULE_DIR=/data/local/tmp/re.zyg.fri
set_perm_recursive "$TMP_MODULE_DIR" 0 0 0755 0644
```

After executing the script and setting the permissions, they were as follows:

```
re.zyg.fri [drwxr-xr-x]
  |-> config.json [-rw-r--r--]
  |-> config.json.example [-rw-r--r--]
  |-> libgadget.so [-rw-r--r--]
  |-> libgadget32.so [-rw-r--r--]
```

I also tried giving them 777 permissions, but still got the same error.

Device: OnePlus 7T Pro (HD1911, Android 11)

lico-n commented 10 months ago

OnePlus has a much stricter permission system. I already moved the config reading into the preAppSpecialize phase because another OnePlus owner previously had issues with the config. But he was able to dlopen the gadget afterwards.

Opening the gadget must remain in the postAppSpecialize phase though. This seems to affect mostly some OnePlus devices but not other vendors.

I don't really have a OnePlus on hand myself, so investigating this will be a bit difficult. Also, I am not really an expert regarding Android permissions. You could try to set the SELinux enforcing status to permissive and check if it's an SELinux issue.

Karanveer7921 commented 10 months ago

You are using "xdl_open"; I tried using "dlopen" (by building a simple zygisk module and calling dlopen in postAppSpecialize) and it worked. I am very weak at C++ and Android native code especially, so I don't know what made the difference. I used the RTLD_NOW flag.

lico-n commented 10 months ago

> You are using "xdl_open"; I tried using "dlopen" (by building a simple zygisk module and calling dlopen in postAppSpecialize) and it worked. I am very weak at C++ and Android native code especially, so I don't know what made the difference. I used the RTLD_NOW flag.

That's very interesting. I am using xdl_open mostly because it promises better compatibility across different Android API levels. Also, it has a few more features that I use for some personal side projects.

But if dlopen helps OnePlus device users, I would implement it as a fallback and try both.

Could you try this?

https://github.com/lico-n/ZygiskFrida/pull/21

Module Download: https://github.com/lico-n/ZygiskFrida/suites/18428303405/artifacts/1068186289

Karanveer7921 commented 10 months ago

Yup this works!

Something not related to this, maybe: the apps in which I am trying to inject the gadget (since they detect frida-server) also detect the gadget. So sadly the module is not much help for those apps. However, overall it's a great module to inject the gadget into apps which detect frida-server using ptrace or other methods. But you know what, LSPosed (Xposed fork) has a feature to hook native functions as well (they provide an API). The native lib that is built and injected into the app never gets detected and is not even in /proc/[pid]/maps. I will check and try to understand their logic; that could also help to improve this module to load the gadget or any shared lib.

lico-n commented 10 months ago

Thanks for testing, I will set up a new release with this change.

I am aware that there are still a lot of ways to detect frida. Some of them can get mitigated by using a patched gadget like the strongR variation, but it can still be detected by some apps. The reason I still decided to create this module with frida was that frida has a great ecosystem of tools and you don't need to recompile if you want to hook something different.

https://github.com/lico-n/ZygiskUnityCriwareKeylogger for example is also using zygisk to install a hook. It avoids detection by using Dobby instead of frida, which I think is also used under the hood by LSPosed. I have practically no experience with LSPosed though, so I will probably also take a look at that when I have some more time.

Karanveer7921 commented 10 months ago

> Some of them can get mitigated by using a patched gadget like the strongR variation, but it can still be detected by some apps.

I know, yesterday I forked the repo for Strong Frida, updated the patches for v16.1.3 and built the binaries, but they were detected as well. I even added an extra patch to rename Gadget to "Thor", i.e. use frida -U -n Thor to attach. Now either I have to create a version of Frida with a lot of extra patches, i.e. a heavily patched version, or just use something else. Also, I am going for Frida instead of LSPosed/Xposed since it provides an easy way to hook Java as well as native methods without having to recompile something.

> https://github.com/lico-n/ZygiskUnityCriwareKeylogger for example is also using zygisk to install a hook. It avoids detection by using Dobby instead of frida, which I think is also used under the hood by LSPosed. I have practically no experience with LSPosed though, so I will probably also take a look at that when I have some more time.

Thanks for this repo, I will check it out. I have used Dobby before, but the main reason for Frida and Xposed is that they both help to hook native as well as Java methods very easily. In my opinion, whenever it comes to native hooks, creating a zygisk module is the best method to hook to avoid extra detections!

EDIT: I checked the repo; I even built some modules inspired by that Zygisk-Il2CppDumper module. I used the same il2cpp APIs.