topjohnwu / Magisk

The Magic Mask for Android
GNU General Public License v3.0

MagiskHide - issue in mount namespace hiding for isolated processes #2406

Closed kam821 closed 2 years ago

kam821 commented 4 years ago

First of all, I would like to say that I am aware of the fact that raising the issue of MagiskHide is usually irritable and I will understand if my thread will be ignored.

I recently read an article: https://darvincitech.wordpress.com/2019/11/04/detecting-magisk-hide/

It describes an issue in MagiskHide mount points hiding for isolated processes - and detects Magisk by exploiting this issue.

I tested it on my own by activating MagiskHide for Brave and all subprocesses.

For every sandboxed_processX, the mount list looks like MagiskHide is off, other processes (like main/privileged_processX) are properly hidden.

Main process - mountstats: https://pastebin.com/6t1p1wxs

Sandboxed_process - mountstats: https://pastebin.com/YasyF3tV

Magisk/Magisk Manager: 20.4-ed58cf95. Xiaomi Mi 8 / Android 10 / xiaomi.eu 20.1.21

Regards.

Kovur commented 4 years ago

> Well, it's not in Russian, it's in Ukrainian, stop misinforming people please, English community thinks Ukraine is part of Russia because of that.

Sorry, but you're wrong. I found that post about detection details on 4pda forum. The post is in Russian language, so I've translated it for everyone. That's all.

sTiKyt commented 4 years ago

> > Well, it's not in Russian, it's in Ukrainian, stop misinforming people please, English community thinks Ukraine is part of Russia because of that.
>
> Sorry, but you're wrong. I found that post about detection details on 4pda forum. The post is in Russian language, so I've translated it for everyone. That's all.

I misunderstood it, I was thinking you are referring to app description on play store or something…

jh0bc commented 3 years ago

My bank app "C6 Bank" appears to be using this exploit to detect root even with hide + package rename

https://play.google.com/store/apps/details?id=com.c6bank.app

I'm using latest Magisk Canary on my Mi 9T Pro

Edit: The manifest file has a declaration of an isolated process "hj.Oj"

Edit 2: Maybe we will have great news soon https://github.com/topjohnwu/Magisk/commit/8e61080a4a80396e57c2ef9ddc02f068b66a4fe3

vvb2060 commented 3 years ago

https://github.com/vvb2060/Magisk/commit/ed3fb0cf32d691f94e45d3ed90f7e453175c28b7 need Android 11+

wiidev commented 3 years ago

With the canary build installed Sky Go can still detect root, despite magisk detecting the isolated process and hiding everything.

hide_list add: [isolated/com.bskyb.skygo:vgdrm_helper:com.nds.vgdrm.impl.generic.VGDRMHelperService]
hide_list add: [com.bskyb.skygo/com.bskyb.skygo]

[image: 2021-01-16]

They updated their lib/drm last year and now it circumvents MagiskHide and detects /sbin/su. I know that because if I launch a file manager with root and temporarily rename the su binary then Sky Go lets me watch live TV and movies again.

jh0bc commented 3 years ago

> With the canary build installed Sky Go can still detect root, despite magisk detecting the isolated process and hiding everything.
>
> hide_list add: [isolated/com.bskyb.skygo:vgdrm_helper:com.nds.vgdrm.impl.generic.VGDRMHelperService]
> hide_list add: [com.bskyb.skygo/com.bskyb.skygo]
>
> [image: 2021-01-16]
>
> They updated their lib/drm last year and now it circumvents MagiskHide and detects /sbin/su. I know that because if I launch a file manager with root and temporarily rename the su binary then Sky Go lets me watch live TV and movies again.

I think this feature (hiding root from isolated process) is not yet fully implemented

febryanasaperdana commented 3 years ago

Anyone can confirm magiskhide now successfully hides root from isolated process?

On Mon, 18 Jan 2021 00.28, jh0bc notifications@github.com wrote:

> > With the canary build installed Sky Go can still detect root, despite magisk detecting the isolated process and hiding everything.
> >
> > hide_list add: [isolated/com.bskyb.skygo:vgdrm_helper:com.nds.vgdrm.impl.generic.VGDRMHelperService]
> > hide_list add: [com.bskyb.skygo/com.bskyb.skygo]
> >
> > [image: 2021-01-16] https://user-images.githubusercontent.com/54548942/104815891-6f4cf400-580f-11eb-9d84-f1340fada49d.png
> >
> > They updated their lib/drm last year and now it circumvents MagiskHide and detects /sbin/su. I know that because if I launch a file manager with root and temporarily rename the su binary then Sky Go lets me watch live TV and movies again.
>
> I think this feature (hiding root from isolated process) is not yet fully implemented


wiidev commented 3 years ago

> I think this feature (hiding root from isolated process) is not yet fully implemented

It looks like it should be functioning, but maybe there's still issues that need to be worked out.

I do see this in the log...

proc_monitor: [com.bskyb.skygo] PID=[14355] UID=[10320]
hide: handling PID=[14355]
hide: Unmounted (/system/xbin)
hide: Unmounted (/system/lib64)
hide: Unmounted (/system/lib)
hide: Unmounted (/system/app)
hide: Unmounted (/sbin)
hide: Unmounted (/system/etc/hosts)

But there's no mention of the isolated process other than it being added to the hide list.
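The checks described in the opening post (comparing the main and sandboxed process mount lists) and in the comment above (the hide log only covers the main PID), as an added example that is not part of the thread or of Magisk's code. The mount dumps and device names are constructed sample data; the log fragment reuses lines from the log quoted above.

```python
import re

# One /proc/<pid>/mountstats entry:
#   device <dev> mounted on <mountpoint> with fstype <type>
MOUNT_RE = re.compile(r"^device (\S+) mounted on (\S+) with fstype (\S+)")
UNMOUNT_RE = re.compile(r"hide: Unmounted \(([^)]+)\)")

def _unescape(path):
    # The kernel writes space, tab, newline and backslash as octal (\040 ...).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)

def parse_mountstats(text):
    """Return the set of (mountpoint, device, fstype) in one dump."""
    entries = set()
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:  # per-mount statistics lines (e.g. NFS counters) are skipped
            entries.add((_unescape(m.group(2)), m.group(1), m.group(3)))
    return entries

def namespace_leaks(main_text, isolated_text):
    """Mounts visible to the isolated process but not to the main process."""
    return sorted(parse_mountstats(isolated_text) - parse_mountstats(main_text))

def still_mounted(hide_log, mountstats_text):
    """Paths the hide log reports as unmounted that this dump still lists."""
    seen = {mnt for mnt, _, _ in parse_mountstats(mountstats_text)}
    return sorted(p for p in set(UNMOUNT_RE.findall(hide_log)) if p in seen)

# Constructed sample data (device names are hypothetical).
BASE = """device /dev/root mounted on / with fstype ext4
device proc mounted on /proc with fstype proc
device /dev/block/dm-5 mounted on /data with fstype f2fs
"""
MAIN = BASE
ISOLATED = BASE + """device tmpfs mounted on /sbin with fstype tmpfs
device /dev/block/dm-5 mounted on /system/etc/hosts with fstype f2fs
device /dev/block/dm-5 mounted on /system/xbin with fstype f2fs
"""
HIDE_LOG = ("hide: handling PID=[14355] hide: Unmounted (/system/xbin) "
            "hide: Unmounted (/sbin) hide: Unmounted (/system/etc/hosts)")

if __name__ == "__main__":
    for mnt, dev, fs in namespace_leaks(MAIN, ISOLATED):
        print(f"only in isolated process: {mnt} ({dev}, {fs})")
    print("main still sees:", still_mounted(HIDE_LOG, MAIN))
    print("isolated still sees:", still_mounted(HIDE_LOG, ISOLATED))
```

With real data, feed it the contents of /proc/<pid>/mountstats captured for each process of the app; an empty result from both functions means the two namespaces agree.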

i1itione commented 3 years ago

> I have a Magisk branch that solves this problem. Magisk Lite only has SU and no Magisk module function. If your banking apps detected Magisk, and you don't use Magisk module, you can try this branch.
>
> Download: https://github.com/vvb2060/magisk_files
> Source code: https://github.com/vvb2060/Magisk
> Before installation, all modules must be disabled/removed!! Then, you can only use Magisk Lite's Magisk Manager.
>
> Test detection app: https://github.com/vvb2060/MagiskDetector/releases/latest

Does Magisk Lite's Magisk Manager support hiding itself via repack/rename? I tried the hide manager option in settings, but it seems it doesn't work.

EDIT: It works, but download speed is slow (60 KB/s ~ 80 KB/s) when hiding.

david8557 commented 3 years ago

> I have a Magisk branch that solves this problem. Magisk Lite only has SU and no Magisk module function. If your banking apps detected Magisk, and you don't use Magisk module, you can try this branch.
>
> Download: https://github.com/vvb2060/magisk_files
> Source code: https://github.com/vvb2060/Magisk
> Before installation, all modules must be disabled/removed!! Then, you can only use Magisk Lite's Magisk Manager.
>
> Test detection app: https://github.com/vvb2060/MagiskDetector/releases/latest

Is there any way we can use Riru Module with your Magisk?

soredake commented 3 years ago

https://github.com/topjohnwu/Magisk/commit/5e56a6bbeec8ea67a58f32479d71fab13e676af6

vvb2060 commented 3 years ago

https://github.com/vvb2060/riru-unshare/actions riru module, enable enhanced mode for Magisk Hide, allow Magisk Hide to handle isolated processes. !!need 5e56a6b !!

cibai7181 commented 3 years ago

Hi, my app suddenly detects my rooted device and it is not functioning anymore.

I tested MagiskDetector and found out Magisk Hide is not working. I tried termux SU, magiskhide disable, magiskhide enable. Toggle Off MagiskHide button, restart. Toggle On MagiskHide button.

Still showing Magisk Hide is not working in detector.

Please kindly suggest solution and assist, thank you.

[images: Screenshot_20210302-114802, Screenshot_20210302-114808, Screenshot_20210302-114818, Screenshot_20210302-114839, Screenshot_20210302-114850]

jh0bc commented 3 years ago

> https://github.com/vvb2060/riru-unshare/actions riru module, enable enhanced mode for Magisk Hide, allow Magisk Hide to handle isolated processes. !!need 5e56a6b !!

Just a little feedback

Flashed latest Canary (22002) + Riru Core (v. 23.9) + Riru Unshare Module and boom!

Now Magisk fully hides from any root detection! Including Isolated Process 😏

Many thanks my friend! 😁😁😁

redmare27 commented 3 years ago

@jh0bc can you guide me on how to install riru unshare module? I have searched on magisk manager module, but I can't get it

jh0bc commented 3 years ago

> @jh0bc can you guide me on how to install riru unshare module? I have searched on magisk manager module, but I can't get it

1. Flash latest Magisk Canary
2. Install the Riru core module v. 23.9 from Magisk repo.
3. Now download the zip from the link below: https://github.com/vvb2060/riru-unshare/releases
4. Flash the zip through Magisk Manager
5. Enable Magisk Hide for the app including their isolated process (if you don't know what is the correct one just mark all)

Enjoy! ;)

Karanveer7921 commented 3 years ago

I successfully bypassed root detection using this method!!!

Thanks buddy 😀

Now I have some doubts:

I was using an EdXposed module before to bypass some other detections like USB debugging, developer options enabled or not, etc. I don't want to disable these settings while the app is running.

I have another fix for these settings without Xposed, but I need my Xposed module working for that app for some other hooks.

But now the problem is: after hiding, my Xposed module doesn't work (it doesn't trigger loadPackage).

So what I have assumed: Magisk-hidden apps can't use Xposed, coz that may also be a workaround to check root using stack trace or something (just an assumption, definitely there would be other reasons).

At last my question is: can I somehow use an Xposed module on an app which has Magisk Hide on?

I know Java and Android so I was capable of building my own Xposed module but not Magisk modules, but just imagine if I was able to build Magisk modules, then can there be a solution to fake those settings?? Coz I think Magisk Hide unmounts all the redirected/fake paths for that app, and it means we can't use fake props for that app??

What I need is either to make Xposed work or a Magisk module that may do this.

Before that, the main question is: is that possible?

TheOnlyZii commented 3 years ago

> https://github.com/vvb2060/riru-unshare/actions riru module, enable enhanced mode for Magisk Hide, allow Magisk Hide to handle isolated processes. !!need 5e56a6b !!

Hello, thanks for the extension. It was working great as intended until just yesterday, when one of my bank mobile apps decided to push an update and it started detecting root again. I also noticed that it has 2 processes in Magisk Hide, but one of the processes I can't seem to enable Magisk Hide on. Every time I put a check on it, go back to the menu and open Magisk Hide again, it keeps unchecking itself. I'm not a dev, I'm just reporting this issue for now; maybe someone will have a workaround.

Here is the app if anyone is curious https://play.google.com/store/apps/details?id=com.bankmandiri.mandirionline&hl=en&gl=US

vvb2060 commented 3 years ago

@TheOnlyZii https://github.com/topjohnwu/Magisk/pull/4056/commits/5f0623332eb7331da34c30b77797514efcad7051

emirefek commented 3 years ago

> @TheOnlyZii https://github.com/topjohnwu/Magisk/pull/4056/commits/5f0623332eb7331da34c30b77797514efcad7051

What does this URL mean? I'm also having a problem hiding root. My phone is a OnePlus 8 Pro (Android 11 + Riru-unshare installed, SafetyNet passed). If you are interested, my banking app is Yapı Kredi Mobil.

And I'm going to share my own story about it. If someone wants any logs or info about this specific root detection method, I am free to share everything with a dev:

Device: OnePlus 8 Pro / OOS11_OB7 (Android 11) / Magisk Canary (f152b4c2, 22005) / Kernel (Omega & official stock both tried)

Installed Magisk Modules: "ADB&Fastboot for Android NDK / MagiskHide Props Config / OOS Native Call Recording Enabler / Systemless Host / Riru / Riru - Enhanced mode for Magisk Hide / Riru - LSPosed"

LSPosed modules: xPrivacyLua (Disabled app listing for Yapıkredi Mobil)

About the app: "Yapı Kredi Mobil" is a well-known Turkish bank. Google Play URL

SafetyNet is passed, the "Rootbeer Sample" app is passing all tests. Root is obtained with the boot.img patching method, no custom recoveries. There are no root-related apps, the Magisk app is repacked with a random name. I tried this xPrivacyLua method from here. The app crashes when I enable the "use tracking" checkbox. It did not work. Then I tried the Riru-unshare method. It also failed. I tried vvb2060/MagiskDetector and it says "init.rc has been modified by Magisk"; this app can also detect root. In every process I made, I rebooted and cleared cache. FYI I can install Netflix in Google Play.

I tried the app made by VD171@xda-forum called "VD Infos xda page" and the app gave this output to me. Output:

---------------------------------------
-> Quantities
Total Time: 23 minutes and 57 seconds.
Total of tries: 6,062,778.
Total found: 4.
* Emulator detected.
---------------------------------------
-> ROOT
#1. [* EMULATOR]: [ro.kernel.qemu.gles]: 0
#2. [Found]: /system/lib/libsigchain.so
#3. [Found]: /system/lib64/libsigchain.so
#4. [Found]: com.dolby.daxservice.DaxApplication
---------------------------------------

If it is not related or it is my bad, I'm sorry; I can delete my comment after that. Thanks.

TheOnlyZii commented 3 years ago

@emirefek for my particular case the fix has already been made, it just needs to be implemented in the next releases by the dev

I'm not a dev, I can't comment about your issue. I'm just putting mine for awareness

Mark-Joy commented 3 years ago

Hi All, Currently, is there a way to hide "Magisk su processes"? [image: IMG_20210415_050140]

sTiKyt commented 3 years ago

> Hi, my app suddenly detects my rooted device and it is not functioning anymore.
>
> I tested MagiskDetector and found out Magisk Hide is not working. I tried termux SU, magiskhide disable, magiskhide enable. Toggle Off MagiskHide button, restart. Toggle On MagiskHide button.
>
> Still showing Magisk Hide is not working in detector.
>
> Please kindly suggest solution and assist, thank you.

You realize your screenshots are taking too much space?

osm0sis commented 3 years ago

I imagine this is resolved with MagiskHide's replacement with DenyList, which is powered by Zygisk? Try again in 23013.

osm0sis commented 3 years ago

@vvb2060 I also see the init.rc modification detection is the only Magisk Detector test which fails on 23013 on modern devices/Android with DenyList. Any fix for that?

vvb2060 commented 3 years ago

@osm0sis Magisk Detector has been archived, I am currently working on momo: https://www.coolapk.com/apk/io.github.vvb2060.mahoshojo

vvb2060 commented 2 years ago

MagiskHide has been removed