├── .gitignore ├── CMakeLists.txt ├── LICENSE ├── NullElf ├── CMakeLists.txt ├── include │ └── nullelf.h └── src │ └── nullelf.cpp ├── NullTrace ├── CMakeLists.txt ├── include │ ├── nullproc.h │ ├── nullutils.h │ └── pnull.h └── src │ ├── nullproc.cpp │ ├── nullutils.cpp │ └── pnull.cpp ├── README.md ├── build.bat ├── build.sh ├── build_out ├── arm64-v8a │ └── NullTrace-Injector ├── armeabi-v7a │ └── NullTrace-Injector ├── x86 │ └── NullTrace-Injector └── x86_64 │ └── NullTrace-Injector ├── main.cpp └── nulltrace-demo.png /.gitignore: -------------------------------------------------------------------------------- 1 | # Gradle files 2 | .gradle/ 3 | build/ 4 | 5 | # Local configuration file (sdk path, etc) 6 | local.properties 7 | 8 | # Log/OS Files 9 | *.log 10 | 11 | # Android Studio generated files and folders 12 | captures/ 13 | .externalNativeBuild/ 14 | .cxx/ 15 | *.apk 16 | output.json 17 | 18 | # IntelliJ 19 | *.iml 20 | .idea/ 21 | misc.xml 22 | deploymentTargetDropDown.xml 23 | render.experimental.xml 24 | 25 | # Keystore files 26 | *.jks 27 | *.keystore 28 | 29 | # Google Services (e.g. APIs or Firebase) 30 | google-services.json 31 | 32 | # Android Profiling 33 | *.hprof 34 | 35 | CMakeLists.txt.user 36 | CMakeCache.txt 37 | CMakeFiles 38 | CMakeScripts 39 | Testing 40 | Makefile 41 | cmake_install.cmake 42 | install_manifest.txt 43 | compile_commands.json 44 | CTestTestfile.cmake 45 | _deps 46 | 47 | adb_push.bat 48 | -------------------------------------------------------------------------------- /CMakeLists.txt: -------------------------------------------------------------------------------- 1 | cmake_minimum_required(VERSION 3.5) 2 | 3 | set(CMAKE_SYSTEM_NAME ANDROID) 4 | set(CMAKE_SYSTEM_VERSION 29) 5 | set(ANDROID_PLATFORM 29) 6 | 7 | set(ANDROID_NDK $ENV{NDK}) 8 | set(CMAKE_TOOLCHAIN_FILE $ENV{NDK}/build/cmake/android.toolchain.cmake) 9 | 10 | project("NullTrace-Android-Injector" VERSION 1.0) 11 | 12 | set(CMAKE_CXX_STANDARD 20) 13 | set(CMAKE_CXX_FLAGS "-fno-rtti -O3") 14 | set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_SOURCE_DIR}/build_out/${CMAKE_ANDROID_ARCH_ABI}) 15 | 16 | include_directories(${CMAKE_SOURCE_DIR}) 17 | 18 | add_subdirectory(NullElf) 19 | add_subdirectory(NullTrace) 20 | 21 | add_executable(NullTrace-Injector main.cpp) 22 | target_link_libraries(NullTrace-Injector NullElf NullTrace) 23 | 24 | 25 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /NullElf/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | 2 | FILE(GLOB_RECURSE INCLUDES ${CMAKE_CURRENT_SOURCE_DIR}/*.h*) 3 | 4 | include_directories(${CMAKE_CURRENT_SOURCE_DIR}/include) 5 | 6 | FILE(GLOB_RECURSE SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/*.c* ${CMAKE_CURRENT_SOURCE_DIR}/*.cpp*) 7 | 8 | add_library(NullElf STATIC ${INCLUDES} ${SOURCES}) 9 | -------------------------------------------------------------------------------- /NullElf/include/nullelf.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | namespace NullElf { 13 | enum Architecture{EAARCH64, EARM, EI386, EX86_64}; 14 | enum SymbolResMode{DEFAULT, CONTAINS}; 15 | 16 | uintptr_t getAddrSym(const char* path, const char* symbol, SymbolResMode mode = DEFAULT); 17 | 18 | int getLibraryArch(const char* path); 19 | 20 | } 21 | 22 | namespace NullElfUtils { 23 | 24 | 25 | template 26 | int getArch(char* data) { 27 | Elf_Ehdr* ehdr = reinterpret_cast(data); 28 | int arch = -1; 29 | switch(ehdr->e_machine) { 30 | case EM_AARCH64: 31 | arch = NullElf::EAARCH64; 32 | break; 33 | case EM_ARM: 34 | arch = NullElf::EARM; 35 | break; 36 | case EM_386: 37 | arch = NullElf::EI386; 38 | break; 39 | case EM_X86_64: 40 | arch = NullElf::EX86_64; 41 | break; 42 | default: 43 | arch = -3; 44 | break; 45 | } 46 | return arch; 47 | } 48 | 49 | template 50 | uintptr_t searchSymbolTable(char* data, const char* symbol, NullElf::SymbolResMode mode) { 51 | Elf_Ehdr* ehdr = reinterpret_cast(data); 52 | Elf_Shdr* shdr = reinterpret_cast(data + ehdr->e_shoff); 53 | Elf_Shdr* sh_strtable = &shdr[ehdr->e_shstrndx]; 54 | const char* sh_strtable_p = data + sh_strtable->sh_offset; 55 | 56 | Elf_Shdr* symtab_shdr = nullptr; 57 | const char* strtable = nullptr; 58 | for(int i = 0; i < ehdr->e_shnum; i++) { 59 | if(shdr[i].sh_type == SHT_DYNSYM) { 60 | symtab_shdr = &shdr[i]; 61 | strtable = data + shdr[symtab_shdr->sh_link].sh_offset; 62 | break; 63 | } 64 | } 65 | if(symtab_shdr == nullptr) { 66 | std::cerr << "[NullElf] failed to find symbol table\n"; 67 | return 0; 68 | } 69 | 70 | Elf_Sym* symbols = reinterpret_cast(data + symtab_shdr->sh_offset); 71 | int symCount = symtab_shdr->sh_size / symtab_shdr->sh_entsize; 72 | for(int i = 0; i < symCount; i++) { 73 | switch(mode) { 74 | case NullElf::DEFAULT: 75 | if (std::strcmp(symbol, strtable + symbols[i].st_name) == 0) { 76 | return (uintptr_t) (symbols[i].st_value); 77 | } 78 | break; 79 | case NullElf::CONTAINS: 80 | if (std::strstr(strtable + symbols[i].st_name, symbol) != nullptr) { 81 | return (uintptr_t) (symbols[i].st_value); 82 | } 83 | break; 84 | } 85 | } 86 | 87 | std::cerr << "[NullElf] " << symbol <<" not found\n"; 88 | 89 | return 0; 90 | } 91 | 92 | 93 | } 94 | -------------------------------------------------------------------------------- /NullElf/src/nullelf.cpp: -------------------------------------------------------------------------------- 1 | #include "nullelf.h" 2 | 3 | uintptr_t NullElf::getAddrSym(const char* path, const char* symbol, SymbolResMode mode) { 4 | int fd = open(path, O_RDONLY); 5 | if(fd < 0) { 6 | std::cerr << "[NullElf] failed opening file\n"; 7 | return 0; 8 | } 9 | 10 | struct stat sb; 11 | if(fstat(fd, &sb) < 0) { 12 | std::cerr << "[NullElf] failed getting file size\n"; 13 | return 0; 14 | } 15 | 16 | char* data = reinterpret_cast(mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0)); 17 | if(data == MAP_FAILED) { 18 | std::cerr << "[NullElf] failed mapping file\n"; 19 | return 0; 20 | } 21 | 22 | unsigned char e_ident[EI_NIDENT]; 23 | 24 | if(read(fd, &e_ident, EI_NIDENT) != EI_NIDENT) { 25 | std::cerr << "[NullElf] failed to read ELF ID\n"; 26 | if(munmap(data, sb.st_size) == -1) 27 | std::cerr << "[NullElf] failed to unmap memory\n"; 28 | return 0; 29 | } 30 | 31 | close(fd); 32 | 33 | if(e_ident[EI_CLASS] == ELFCLASS32) { 34 | uintptr_t address = NullElfUtils::searchSymbolTable(data, symbol, mode); 35 | 36 | if(munmap(data, sb.st_size) == -1) 37 | std::cerr << "[NullElf] failed to unmap memory\n"; 38 | 39 | return address; 40 | } 41 | else if(e_ident[EI_CLASS] == ELFCLASS64) { 42 | uintptr_t address = NullElfUtils::searchSymbolTable(data, symbol, mode); 43 | 44 | if(munmap(data, sb.st_size) == -1) 45 | std::cerr << "[NullElf] failed to unmap memory\n"; 46 | 47 | return address; 48 | } 49 | else { 50 | std::cerr << "[NullElf] unknown ELF class\n"; 51 | if(munmap(data, sb.st_size) == -1) 52 | std::cerr << "[NullElf] failed to unmap memory\n"; 53 | return 0; 54 | } 55 | } 56 | 57 | int NullElf::getLibraryArch(const char* path) { 58 | int fd = open(path, O_RDONLY); 59 | if(fd < 0) { 60 | std::cerr << "[NullElf] failed opening file\n"; 61 | return -1; 62 | } 63 | 64 | struct stat sb; 65 | if(fstat(fd, &sb) < 0) { 66 | std::cerr << "[NullElf] failed getting file size\n"; 67 | return -1; 68 | } 69 | 70 | char* data = reinterpret_cast(mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0)); 71 | if(data == MAP_FAILED) { 72 | std::cerr << "[NullElf] failed mapping file\n"; 73 | return -1; 74 | } 75 | 76 | unsigned char e_ident[EI_NIDENT]; 77 | 78 | if(read(fd, &e_ident, EI_NIDENT) != EI_NIDENT) { 79 | std::cerr << "[NullElf] failed to read ELF ID\n"; 80 | if(munmap(data, sb.st_size) == -1) 81 | std::cerr << "[NullElf] failed to unmap memory\n"; 82 | return 0; 83 | } 84 | 85 | close(fd); 86 | 87 | if(e_ident[EI_CLASS] == ELFCLASS32) { 88 | int arch; 89 | if((arch = NullElfUtils::getArch(data) ) < 0) { 90 | std::cerr << "[NullElf] failed to get Arch\n"; 91 | if(munmap(data, sb.st_size) == -1) 92 | std::cerr << "[NullElf] failed to unmap memory\n"; 93 | return -1; 94 | } 95 | if(munmap(data, sb.st_size) == -1) 96 | std::cerr << "[NullElf] failed to unmap memory\n"; 97 | return arch; 98 | 99 | } 100 | else if(e_ident[EI_CLASS] == ELFCLASS64) { 101 | int arch; 102 | if((arch = NullElfUtils::getArch(data) ) < 0) { 103 | std::cerr << "[NullElf] failed to get Arch\n"; 104 | if(munmap(data, sb.st_size) == -1) 105 | std::cerr << "[NullElf] failed to unmap memory\n"; 106 | return -1; 107 | } 108 | if(munmap(data, sb.st_size) == -1) 109 | std::cerr << "[NullElf] failed to unmap memory\n"; 110 | return arch; 111 | } 112 | else { 113 | std::cerr << "[NullElf] unknown ELF class\n"; 114 | if(munmap(data, sb.st_size) == -1) 115 | std::cerr << "[NullElf] failed to unmap memory\n"; 116 | return -1; 117 | } 118 | 119 | } 120 | 121 | 122 | -------------------------------------------------------------------------------- /NullTrace/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | 2 | FILE(GLOB_RECURSE INCLUDES ${CMAKE_CURRENT_SOURCE_DIR}/*.h*) 3 | 4 | include_directories(${CMAKE_CURRENT_SOURCE_DIR}/include) 5 | 6 | FILE(GLOB_RECURSE SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/*.c* ${CMAKE_CURRENT_SOURCE_DIR}/*.cpp*) 7 | 8 | add_library(NullTrace STATIC ${INCLUDES} ${SOURCES}) -------------------------------------------------------------------------------- /NullTrace/include/nullproc.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | #include "nullutils.h" 16 | #include "pnull.h" 17 | #include "NullElf/include/nullelf.h" 18 | 19 | namespace NullProcess { 20 | 21 | constexpr int READ = 0x01; 22 | constexpr int WRITE = 0x02; 23 | constexpr int EXECUTE = 0x04; 24 | 25 | typedef struct { 26 | uintptr_t start; 27 | uintptr_t end; 28 | size_t length; 29 | char perms; 30 | uintptr_t offset; 31 | std::string device; 32 | int inode; 33 | std::string pathName; 34 | int arch; 35 | } Map; 36 | 37 | 38 | typedef struct { 39 | uintptr_t remote_malloc; 40 | uintptr_t remote_free; 41 | uintptr_t remote_mmap; 42 | } Libc; 43 | 44 | typedef struct { 45 | uintptr_t remote_dlopen; 46 | uintptr_t remote_dlerror; 47 | uintptr_t remote_dlsym; 48 | 49 | } Libdl; 50 | 51 | 52 | typedef struct { 53 | uintptr_t remote_loadLibrary; 54 | uintptr_t remote_loadLibraryExt; 55 | uintptr_t remote_getTrampoline; 56 | uintptr_t remote_getError; 57 | 58 | } Libnativebridge; 59 | 60 | typedef struct { 61 | bool usesCallbacksPtr; 62 | bool nativeBridgeActive; 63 | } NbInfo; 64 | 65 | class Process { 66 | private: 67 | std::string pkgName; 68 | pid_t pid; 69 | std::vector maps; 70 | NullProcess::Libdl libdl{}; 71 | NullProcess::Libc libc{}; 72 | NullProcess::Libnativebridge libnativebridge{}; 73 | NullUtils::NativeBridgeCallbacks nbCallbacks{}; 74 | NullProcess::NbInfo nbInfo{}; 75 | 76 | static std::vector getMaps(const pid_t &pid); 77 | 78 | static NullProcess::Map parseMap(const std::string &line); 79 | 80 | static bool processExists(pid_t pid); 81 | 82 | void locateSymbols(); 83 | 84 | bool injectLibNB(void* pathAddr, uintptr_t libLR_base); 85 | 86 | void* remoteString(std::string str); 87 | 88 | NullProcess::Map findMap(std::string mapname); 89 | 90 | public: 91 | Process(); 92 | 93 | bool setProcByName(const std::string& pkg); 94 | 95 | bool setProcByPid(pid_t procID); 96 | 97 | bool writeProcessMemory(std::string hex, uintptr_t address); 98 | 99 | std::string readProcessMemory(uintptr_t address, size_t len); 100 | 101 | bool injectLibrary(std::string path); 102 | 103 | 104 | template 105 | RetT call(uintptr_t address, Args... args) { 106 | std::vector argVec = {NullUtils::handleArg(args)...}; 107 | 108 | 109 | if(ptrace(PTRACE_ATTACH, this->pid, nullptr, nullptr) == -1) { 110 | if constexpr (!std::is_void::value) 111 | return 0; 112 | else 113 | return; 114 | } 115 | waitpid(this->pid, nullptr, WUNTRACED); 116 | 117 | uintptr_t retVal = NullTrace::ptraceRemoteCall(this->pid, address, argVec.data(), argVec.size()); 118 | 119 | if(ptrace(PTRACE_DETACH, this->pid, nullptr, nullptr) == -1) { 120 | if constexpr (!std::is_void::value) 121 | return 0; 122 | else 123 | return; 124 | } 125 | if constexpr(std::is_pointer::value) 126 | return reinterpret_cast(retVal); 127 | else if constexpr (std::is_void::value) 128 | return; 129 | else 130 | return static_cast(retVal); 131 | } 132 | 133 | template 134 | RetT callR(uintptr_t retAddr, uintptr_t address, Args... args) { 135 | std::vector argVec = {NullUtils::handleArg(args)...}; 136 | 137 | 138 | if(ptrace(PTRACE_ATTACH, this->pid, nullptr, nullptr) == -1) { 139 | if constexpr (!std::is_void::value) 140 | return 0; 141 | else 142 | return; 143 | } 144 | waitpid(this->pid, nullptr, WUNTRACED); 145 | 146 | uintptr_t retVal = NullTrace::ptraceRemoteCall(this->pid, address, argVec.data(), argVec.size(), retAddr); 147 | 148 | if(ptrace(PTRACE_DETACH, this->pid, nullptr, nullptr) == -1) { 149 | if constexpr (!std::is_void::value) 150 | return 0; 151 | else 152 | return; 153 | } 154 | if constexpr(std::is_pointer::value) 155 | return reinterpret_cast(retVal); 156 | else if constexpr (std::is_void::value) 157 | return; 158 | else 159 | return static_cast(retVal); 160 | } 161 | 162 | template 163 | T readProcessMemory(uintptr_t address) { 164 | if(ptrace(PTRACE_ATTACH, this->pid, nullptr, nullptr) == -1) 165 | return T(); 166 | 167 | waitpid(this->pid, nullptr, WUNTRACED); 168 | 169 | T readData; 170 | 171 | if(!NullTrace::ptraceRead(this->pid, address, reinterpret_cast(&readData), sizeof(T))) { 172 | return T(); 173 | } 174 | 175 | if(ptrace(PTRACE_DETACH, this->pid, nullptr, nullptr) == -1) 176 | return T(); 177 | 178 | return readData; 179 | } 180 | 181 | }; 182 | 183 | } 184 | 185 | -------------------------------------------------------------------------------- /NullTrace/include/nullutils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | 19 | 20 | namespace NullUtils { 21 | 22 | struct NativeBridgeCallbacks { 23 | uint32_t version; 24 | bool(*initialize)(const void* runtime_cbs, const char* private_dir, const char* instruction_set); 25 | 26 | void*(*loadLibrary)(const char* libpath, int flag); 27 | 28 | void*(*getTrampoline)(void* handle, const char* name, const char* shorty, uint32_t len); 29 | 30 | bool(*isSupported)(const char* libpath); 31 | const void*(*getAppEnv)(const char* instruction_set); 32 | bool(*isCompatibleWith)(uint32_t bridge_version); 33 | void*(*getSignalHandler)(int signal); 34 | int(*unloadLibrary)(void* handle); 35 | const char* (*getError)(); 36 | bool(*isPathSupported)(const char* library_path); 37 | bool(*initAnonymousNamespace)(const char* public_ns_sonames, const char* anon_ns_library_path); 38 | void*(*createNamespace)(const char* name, const char* ld_library_path, const char* default_library_path, uint64_t type, const char* permitted_when_isolated_path, void* parent_ns); 39 | bool(*linkNamespaces)(void* from, void* to, const char* shared_libs_sonames); 40 | 41 | void *(*loadLibraryExt)(const char *libpath, int flag, void *ns); 42 | void*(*getVendorNamespace)(); 43 | void*(*getExportedNamespace)(const char* name); 44 | void(*preZygoteFork)(); 45 | void*(*getTrampolineWithJNICallType)(void* handle, const char* name, const char* shorty, uint32_t len, int32_t jni_call_type); 46 | 47 | 48 | void*(*getTrampolineForFunctionPointer)(const void* method, const char* shorty, uint32_t len, int32_t jni_call_type); 49 | 50 | }; 51 | 52 | std::string removeNullChars(const std::string &str); 53 | std::vector interpretHex(std::string hex); 54 | std::string bytesToHex(uint8_t* bytes, size_t len); 55 | bool endsWith(const std::string &str, const std::string &suffix); 56 | int getApiLevel(); 57 | void SELINUX_SetEnforce(int mode); 58 | int SELINUX_GetEnforce(); 59 | 60 | template 61 | uintptr_t handleArg(T* input) { 62 | return reinterpret_cast(input); 63 | } 64 | template 65 | uintptr_t handleArg(T input) { 66 | return static_cast(input); 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /NullTrace/include/pnull.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | namespace NullTrace { 19 | #if defined(__aarch64__) || defined(__x86_64__) || defined(__i386__) 20 | #define regs_s user_regs_struct 21 | #elif defined(__arm__) 22 | #define regs_s user_regs 23 | #endif 24 | constexpr unsigned long WORDSIZE = sizeof(long); 25 | constexpr unsigned long CPSRTMASK = (1u << 5); 26 | 27 | bool ptraceWrite(pid_t pid, uintptr_t addr, uint8_t* data, size_t len); 28 | bool ptraceRead (pid_t pid, uintptr_t addr, uint8_t* data, size_t len); 29 | uintptr_t ptraceRemoteCall(pid_t pid, uintptr_t addr, uintptr_t* argv, size_t argc, uintptr_t retAddr = 0); 30 | bool ptraceGetRegs(pid_t pid, regs_s ®s); 31 | bool ptraceSetRegs(pid_t pid, regs_s ®s); 32 | } -------------------------------------------------------------------------------- /NullTrace/src/nullproc.cpp: -------------------------------------------------------------------------------- 1 | #include "nullproc.h" 2 | 3 | 4 | NullProcess::Process::Process() { 5 | this->pid = -1; 6 | this->pkgName = "UNDEFINED"; 7 | } 8 | 9 | bool NullProcess::Process::setProcByPid(pid_t procID) { 10 | std::ifstream cmdlineFile("/proc/" + std::to_string(procID) + "/cmdline"); 11 | if (!cmdlineFile) return false; 12 | this->pid = procID; 13 | this->maps = getMaps(this->pid); 14 | return true; 15 | } 16 | 17 | bool NullProcess::Process::setProcByName(const std::string& pkg) { 18 | this->pkgName = pkg; 19 | this->pid = -1; 20 | namespace fs = std::filesystem; 21 | for(const auto &entry : fs::directory_iterator("/proc")) { 22 | try { 23 | std::ifstream cmdlineFile(entry.path() / "cmdline"); 24 | std::string pkgNameBuffer; 25 | if(getline(cmdlineFile, pkgNameBuffer)) { 26 | pkgNameBuffer = NullUtils::removeNullChars(pkgNameBuffer); 27 | if(pkgNameBuffer == pkg) { 28 | this->pid = std::stoi(entry.path().filename()); 29 | this->maps = getMaps(this->pid); 30 | this->locateSymbols(); 31 | break; 32 | } 33 | } 34 | } catch(const std::invalid_argument &e) { /*skip non pid entries*/ } 35 | } 36 | return pid != -1; 37 | } 38 | 39 | std::vector NullProcess::Process::getMaps(const pid_t &pid) { 40 | 41 | 42 | std::vector maps; 43 | std::string path = "/proc/" + std::to_string(pid) + "/maps"; 44 | 45 | std::ifstream file(path); 46 | if(!file.is_open()) { 47 | std::cerr << "Error opening file: " << path << "\n"; 48 | return {}; 49 | } 50 | std::string line; 51 | while(std::getline(file, line)) 52 | maps.push_back(NullProcess::Process::parseMap(line)); 53 | 54 | return maps; 55 | } 56 | 57 | bool 58 | NullProcess::Process::writeProcessMemory(std::string hex, uintptr_t address) { 59 | 60 | std::vector hexVec = NullUtils::interpretHex(std::move(hex)); 61 | if(hexVec.empty()) 62 | return false; 63 | 64 | if(ptrace(PTRACE_ATTACH, this->pid, nullptr, nullptr) == -1) 65 | return false; 66 | 67 | waitpid(this->pid, nullptr, WUNTRACED); 68 | 69 | if(!NullTrace::ptraceWrite(this->pid, address, hexVec.data(), hexVec.size())) 70 | return false; 71 | 72 | if(ptrace(PTRACE_DETACH, this->pid, nullptr, nullptr) == -1) 73 | return false; 74 | 75 | return true; 76 | } 77 | 78 | std::string NullProcess::Process::readProcessMemory(uintptr_t address, size_t len) { 79 | 80 | if(ptrace(PTRACE_ATTACH, this->pid, nullptr, nullptr) == -1) 81 | return ""; 82 | waitpid(this->pid, nullptr, WUNTRACED); 83 | uint8_t readData[len]; 84 | 85 | if(!NullTrace::ptraceRead(this->pid, address, readData, len)) { 86 | return ""; 87 | } 88 | 89 | if(ptrace(PTRACE_DETACH, this->pid, nullptr, nullptr) == -1) 90 | return ""; 91 | 92 | std::string hex = NullUtils::bytesToHex(readData, len); 93 | return hex; 94 | } 95 | 96 | 97 | 98 | bool NullProcess::Process::injectLibrary(std::string path) { 99 | std::cout << "[NullTrace] Starting library injection\n"; 100 | namespace fs = std::filesystem; 101 | fs::path p(path); 102 | if(!fs::exists(p)) { 103 | std::cerr << "[NullTrace] File doesnt exist aborting injection\n"; 104 | return false; 105 | } 106 | bool shouldEmuInject = false; 107 | int libArch = NullElf::getLibraryArch(path.c_str()); 108 | #if defined(__x86_64__) || defined(__i386__) 109 | if(libArch == NullElf::EARM || libArch == NullElf::EAARCH64) 110 | shouldEmuInject = true; 111 | #endif 112 | 113 | std::cout << "[NullTrace] LIBC Malloc Address: " << "0x" << std::hex 114 | << this->libc.remote_malloc << " LIBC Free Address: " << "0x" << std::hex 115 | << this->libc.remote_free << " LIBDL Dlopen Address: " << "0x" << std::hex << this->libdl.remote_dlopen 116 | << " LIBDL Dlsym Address: " << "0x" << std::hex << this->libdl.remote_dlsym <<"\n"; 117 | #if defined(__arm__) || defined(__aarch64__) 118 | if (!this->libc.remote_malloc || !this->libc.remote_free || !this->libdl.remote_dlopen || !this->libdl.remote_dlsym) { 119 | std::cerr << "[NullTrace] failed injection failed locating syms\n"; 120 | return false; 121 | } 122 | #elif defined(__i386__) || defined(__x86_64__) 123 | if (!this->libc.remote_malloc || !this->libc.remote_free ) { 124 | std::cerr << "[NullTrace] failed injection failed locating syms\n"; 125 | return false; 126 | } 127 | if(!this->libdl.remote_dlopen || !this->libdl.remote_dlsym) { 128 | std::cout << "[NullTrace] WARNING NO DL FUNCTIONS FOUND TRYING NATIVE BRIDGE INJECTION MAKE SURE YOU INJECT AN ARM LIBRARY !\n"; 129 | shouldEmuInject = true; 130 | } 131 | #endif 132 | 133 | 134 | size_t pathSize = path.size() + 1; 135 | void* pathAddr = this->remoteString(path); 136 | 137 | if(pathAddr == nullptr) { 138 | std::cerr << "[NullTrace] Failed making remote string for path aborting\n"; 139 | return false; 140 | } 141 | 142 | printf("[NullTrace] Allocated Path: %s\n", this->readProcessMemory( 143 | reinterpret_cast(pathAddr), pathSize).c_str() ); 144 | uintptr_t libLR_base = 0x0; 145 | 146 | for(const NullProcess::Map& map : this->maps) { 147 | #if defined(__x86_64__) || defined(__i386__) 148 | 149 | 150 | if (map.pathName.find("system/lib64/libart.so") != std::string::npos || 151 | map.pathName.find("system/lib/libart.so") != std::string::npos) { 152 | libLR_base = map.start; 153 | std::cout << "libLR as : libart.so\n"; 154 | break; 155 | } 156 | if (map.pathName.find("system/lib64/libRS.so") != std::string::npos || 157 | map.pathName.find("system/lib/libRS.so") != std::string::npos) { 158 | libLR_base = map.start; 159 | std::cout << "libLR as : libRS.so\n"; 160 | break; 161 | } 162 | 163 | 164 | #elif defined(__arm__) || defined(__aarch64__) 165 | if(map.pathName.find("libart.so") != std::string::npos) { 166 | libLR_base = map.start; 167 | std::cout << "libLR as : libart.so\n"; 168 | break; 169 | } 170 | if(map.pathName.find("libRS.so") != std::string::npos) { 171 | libLR_base = map.start; 172 | std::cout << "libLR as : libRS.so\n"; 173 | break; 174 | } 175 | #endif 176 | } 177 | 178 | if(!libLR_base) { 179 | std::cerr << "[NullTrace] Not found libLR trying with libc\n"; 180 | for(const NullProcess::Map& map : this->maps) { 181 | 182 | #if defined(__x86_64__) || defined(__i386__) 183 | if (NullUtils::getApiLevel() < 29) { 184 | if (map.pathName.find("system/lib64/libc.so") != std::string::npos || 185 | map.pathName.find("system/lib/libc.so") != std::string::npos) { 186 | libLR_base = map.start; 187 | std::cout << "libLR as : libc.so\n"; 188 | break; 189 | } 190 | } 191 | else { 192 | 193 | if (map.pathName.find("/apex/com.android.runtime/lib64/bionic/libc.so") != std::string::npos || 194 | map.pathName.find("/apex/com.android.runtime/lib/bionic/libc.so") != std::string::npos) { 195 | libLR_base = map.start; 196 | std::cout << "libLR as : libc.so\n"; 197 | break; 198 | } 199 | } 200 | #elif defined(__arm__) || defined(__aarch64__) 201 | if(map.pathName.find("libc.so") != std::string::npos) { 202 | libLR_base = map.start; 203 | std::cout << "libLR as : libc.so\n"; 204 | break; 205 | } 206 | #endif 207 | } 208 | } 209 | std::cout << "[NullTrace] libLR base: " << "0x" << std::hex << libLR_base << "\n"; 210 | 211 | 212 | if (shouldEmuInject) { 213 | if (!this->injectLibNB(pathAddr, libLR_base)) { 214 | this->call(this->libc.remote_free, pathAddr); 215 | return false; 216 | } 217 | this->call(this->libc.remote_free, pathAddr); 218 | return true; 219 | } 220 | else { 221 | void* handle = this->callR(libLR_base, this->libdl.remote_dlopen, pathAddr, 222 | RTLD_NOW | RTLD_GLOBAL); 223 | if (!handle) { 224 | std::cerr << "[NullTrace] failed injection " << std::hex << handle << "\n"; 225 | uintptr_t errnoMsg = this->call(this->libdl.remote_dlerror); 226 | if(errnoMsg) { 227 | std::vector errnoChars = NullUtils::interpretHex( 228 | this->readProcessMemory(errnoMsg, 500)); 229 | std::cerr << "[NullTrace] DlError message: "; 230 | for (unsigned char &errnoChar: errnoChars) { 231 | if (errnoChar == 0x0) 232 | break; 233 | std::cerr << (char) errnoChar; 234 | } 235 | std::cerr << "\n"; 236 | } 237 | this->call(this->libc.remote_free, pathAddr); 238 | return false; 239 | } 240 | 241 | std::cout << "[NullTrace] Successful injection handle: " << std::hex << handle << "\n"; 242 | 243 | this->call(this->libc.remote_free, pathAddr); 244 | return true; 245 | } 246 | } 247 | 248 | bool NullProcess::Process::injectLibNB(void* pathAddr, uintptr_t libLR_base) { 249 | std::cout << "[NullTrace] using nativebridge to inject on emulator\n"; 250 | 251 | if(!this->nbInfo.nativeBridgeActive) { 252 | std::cerr << "[NullTrace] native bridge is not initialized in this process aborting injection!\n"; 253 | return false; 254 | } 255 | void* handle = nullptr; 256 | 257 | if(this->nbInfo.usesCallbacksPtr) { 258 | std::cout << "[NullTrace] using nbcallbacks pointer for nativebridge\n"; 259 | if(NullUtils::getApiLevel() >= 26) 260 | handle = this->callR(libLR_base, reinterpret_cast(nbCallbacks.loadLibraryExt), pathAddr, RTLD_NOW | RTLD_GLOBAL, 3); 261 | else 262 | handle = this->callR(libLR_base, reinterpret_cast(nbCallbacks.loadLibrary), RTLD_GLOBAL | RTLD_NOW); 263 | } 264 | else { 265 | std::cout << "[NullTrace] using libnativebridge for nativebridge\n"; 266 | if(NullUtils::getApiLevel() >= 26) 267 | handle = this->callR(libLR_base, libnativebridge.remote_loadLibraryExt, pathAddr, RTLD_NOW | RTLD_GLOBAL, 0); 268 | else 269 | handle = this->callR(libLR_base, libnativebridge.remote_loadLibrary, pathAddr, RTLD_GLOBAL | RTLD_NOW); 270 | } 271 | 272 | if(!handle) { 273 | std::cerr << "[NullTrace] failed emulator injection " << std::hex << handle << "\n"; 274 | 275 | uintptr_t errnoMsg; 276 | 277 | if(this->nbInfo.usesCallbacksPtr) { 278 | errnoMsg = this->callR(libLR_base, reinterpret_cast(nbCallbacks.getError)); 279 | } 280 | else 281 | errnoMsg = this->callR(libLR_base, libnativebridge.remote_getError); 282 | if(errnoMsg) { 283 | std::vector errnoChars = NullUtils::interpretHex( 284 | this->readProcessMemory(errnoMsg, 500)); 285 | std::cerr << "[NullTrace] NativeBridgeGetError message: "; 286 | for (unsigned char &errnoChar: errnoChars) { 287 | if (errnoChar == 0x0) 288 | break; 289 | std::cerr << (char) errnoChar; 290 | } 291 | std::cerr << "\n"; 292 | } 293 | return false; 294 | } 295 | std::cout << "[NullTrace] Successful emulator injection handle: " << std::hex << handle << "\n"; 296 | 297 | return true; 298 | } 299 | 300 | void* NullProcess::Process::remoteString(std::string str) { 301 | size_t strSize = str.size(); 302 | 303 | void* strAddr = this->call(this->libc.remote_malloc, strSize + 1); 304 | if(strAddr == nullptr) { 305 | std::cerr << "[NullTrace] Failed allocating memory on target process aborting\n"; 306 | return nullptr; 307 | } 308 | std::cout << "[NullTrace] Allocated memory for string at Address: " << std::hex << strAddr << "\n"; 309 | 310 | if(ptrace(PTRACE_ATTACH, this->pid, nullptr, nullptr) == -1) { 311 | std::cerr << "[NullTrace] Failed attaching to process to write string\n"; 312 | return 0; 313 | } 314 | waitpid(this->pid, nullptr, WUNTRACED); 315 | if(!NullTrace::ptraceWrite(this->pid, reinterpret_cast(strAddr), 316 | (uint8_t *) str.c_str(), strSize + 1)) { 317 | std::cerr << "[NullTrace] Failed writing string into target process aborting\n"; 318 | this->call(this->libc.remote_free, strAddr); 319 | return nullptr; 320 | } 321 | 322 | if(ptrace(PTRACE_DETACH, this->pid, nullptr, nullptr) == -1) { 323 | std::cerr << "[NullTrace] Failed detaching from process while writing string\n"; 324 | return 0; 325 | } 326 | 327 | std::cout << "[NullTrace] Successfully written string into allocated memory\n"; 328 | 329 | return strAddr; 330 | } 331 | 332 | bool NullProcess::Process::processExists(pid_t pid) { 333 | 334 | namespace fs = std::filesystem; 335 | for(const auto &entry : fs::directory_iterator("/proc")) { 336 | try { 337 | if(std::stoi(entry.path().filename()) == pid) 338 | return true; 339 | } catch (const std::invalid_argument&) { 340 | continue; 341 | } 342 | } 343 | return false; 344 | } 345 | 346 | void NullProcess::Process::locateSymbols() { 347 | this->libdl.remote_dlopen = 0x0; 348 | this->libdl.remote_dlerror = 0x0; 349 | this->libdl.remote_dlsym = 0x0; 350 | this->libc.remote_malloc = 0x0; 351 | this->libc.remote_free = 0x0; 352 | this->libc.remote_mmap = 0x0; 353 | 354 | this->libnativebridge.remote_loadLibraryExt = 0x0; 355 | this->libnativebridge.remote_loadLibrary = 0x0; 356 | this->libnativebridge.remote_getTrampoline = 0x0; 357 | this->libnativebridge.remote_getError = 0x0; 358 | 359 | bool libdlinit = false; 360 | bool libcinit = false; 361 | bool libnativebridgeinit = false; 362 | 363 | #if defined(__arm__) || defined(__aarch64__) 364 | for(const NullProcess::Map &map : this->maps) { 365 | if(NullUtils::endsWith(map.pathName, "libdl.so") && !libdlinit) { 366 | this->libdl.remote_dlopen = map.start + NullElf::getAddrSym(map.pathName.c_str(), "dlopen"); 367 | this->libdl.remote_dlerror = map.start + NullElf::getAddrSym(map.pathName.c_str(), "dlerror"); 368 | this->libdl.remote_dlsym = map.start + NullElf::getAddrSym(map.pathName.c_str(), "dlsym"); 369 | libdlinit = true; 370 | } 371 | if(NullUtils::endsWith(map.pathName, "libc.so") && !libcinit) { 372 | this->libc.remote_malloc = map.start + NullElf::getAddrSym(map.pathName.c_str(), "malloc"); 373 | this->libc.remote_free = map.start + NullElf::getAddrSym(map.pathName.c_str(), "free"); 374 | this->libc.remote_mmap = map.start + NullElf::getAddrSym(map.pathName.c_str(), "mmap"); 375 | libcinit = true; 376 | } 377 | } 378 | #elif defined(__i386__) || defined(__x86_64__) 379 | for(const NullProcess::Map &map : this->maps) { 380 | if(map.pathName.find("/arm/") == std::string::npos 381 | && map.pathName.find("/arm64/") == std::string::npos 382 | && map.pathName.find("/nb/") == std::string::npos 383 | && NullUtils::endsWith(map.pathName, "libdl.so") 384 | && !libdlinit) { 385 | this->libdl.remote_dlopen = map.start + NullElf::getAddrSym(map.pathName.c_str(), "dlopen"); 386 | this->libdl.remote_dlerror = map.start + NullElf::getAddrSym(map.pathName.c_str(), "dlerror"); 387 | this->libdl.remote_dlsym = map.start + NullElf::getAddrSym(map.pathName.c_str(), "dlsym"); 388 | libdlinit = true; 389 | } 390 | 391 | if(map.pathName.find("/arm/") == std::string::npos 392 | && map.pathName.find("/arm64/") == std::string::npos 393 | && map.pathName.find("/nb/") == std::string::npos 394 | && NullUtils::endsWith(map.pathName, "libc.so") 395 | && !libcinit) { 396 | this->libc.remote_malloc = map.start + NullElf::getAddrSym(map.pathName.c_str(), "malloc"); 397 | this->libc.remote_free = map.start + NullElf::getAddrSym(map.pathName.c_str(), "free"); 398 | this->libc.remote_mmap = map.start + NullElf::getAddrSym(map.pathName.c_str(), "mmap"); 399 | libcinit = true; 400 | } 401 | 402 | if(map.pathName.find("/arm/") == std::string::npos 403 | && map.pathName.find("/arm64/") == std::string::npos 404 | && map.pathName.find("/nb/") == std::string::npos 405 | && NullUtils::endsWith(map.pathName, "libnativebridge.so") 406 | && !libnativebridgeinit) { 407 | std::cout << map.pathName << "\n"; 408 | this->libnativebridge.remote_loadLibraryExt = map.start + NullElf::getAddrSym(map.pathName.c_str(), "LoadLibraryExt", NullElf::CONTAINS); 409 | this->libnativebridge.remote_loadLibrary = map.start + NullElf::getAddrSym(map.pathName.c_str(),"LoadLibrary", NullElf::CONTAINS); 410 | this->libnativebridge.remote_getError = map.start + NullElf::getAddrSym(map.pathName.c_str(), "GetError", NullElf::CONTAINS); 411 | this->libnativebridge.remote_getTrampoline = map.start + NullElf::getAddrSym(map.pathName.c_str(), "GetTrampoline", NullElf::CONTAINS); 412 | this->nbInfo.nativeBridgeActive = true; 413 | this->nbInfo.usesCallbacksPtr = false; 414 | libnativebridgeinit = true; 415 | } 416 | } 417 | 418 | if(!libnativebridgeinit) { 419 | NullProcess::Map nbMap = this->findMap("libhoudini.so"); 420 | if(nbMap.pathName.empty()) { 421 | auto nbProp = std::array(); 422 | __system_property_get("ro.dalvik.vm.native.bridge", nbProp.data()); 423 | std::string nbStr = {nbProp.data()}; 424 | 425 | nbMap = this->findMap(nbStr); 426 | } 427 | if(nbMap.pathName.empty()) { 428 | this->nbInfo.nativeBridgeActive = false; 429 | this->nbInfo.usesCallbacksPtr = false; 430 | } 431 | else { 432 | uintptr_t nbCallbacksAddr = (NullElf::getAddrSym(nbMap.pathName.c_str(), "NativeBridgeItf") + nbMap.start); 433 | this->nbCallbacks = this->readProcessMemory(nbCallbacksAddr); 434 | this->nbInfo.nativeBridgeActive = true; 435 | this->nbInfo.usesCallbacksPtr = true; 436 | } 437 | } 438 | #else 439 | #error Unsupported Device 440 | #endif 441 | } 442 | 443 | NullProcess::Map NullProcess::Process::parseMap(const std::string &line) { 444 | NullProcess::Map map; 445 | 446 | size_t spaces[5]; 447 | spaces[0] = line.find(' '); 448 | for(int i = 1; i < 5; i++) 449 | spaces[i] = line.find(' ', spaces[i-1] + 1); 450 | map.arch = -1; 451 | 452 | size_t dashIndex = line.find('-'); 453 | size_t pathIndex; 454 | if((pathIndex = line.find('/')) != std::string::npos) { 455 | map.pathName = line.substr(pathIndex); 456 | if(NullUtils::endsWith(map.pathName, ".so")) 457 | map.arch = NullElf::getLibraryArch(map.pathName.c_str()); 458 | 459 | } 460 | else if((pathIndex = line.find('[')) != std::string::npos) 461 | map.pathName = line.substr(pathIndex); 462 | else 463 | map.pathName = ""; 464 | 465 | map.start = std::stoull(line.substr(0, dashIndex), nullptr, 16); 466 | map.end = std::stoull( line.substr(dashIndex+1, spaces[0]- (dashIndex+1)), nullptr, 16 ); 467 | map.length = map.end - map.start; 468 | map.perms = 0; 469 | if (line[spaces[0] + 1] == 'r') map.perms |= NullProcess::READ; 470 | if (line[spaces[0] + 2] == 'w') map.perms |= NullProcess::WRITE; 471 | if (line[spaces[0] + 3] == 'x') map.perms |= NullProcess::EXECUTE; 472 | 473 | map.offset = std::stoull(line.substr(spaces[1] + 1, spaces[2] - spaces[1] + 1), nullptr, 16); 474 | map.device = line.substr(spaces[2] + 1, spaces[3] - spaces[2] + 1); 475 | map.inode = std::stoi(line.substr(spaces[3] + 1, spaces[4] - spaces[3] + 1)); 476 | return map; 477 | } 478 | 479 | NullProcess::Map NullProcess::Process::findMap(std::string mapname) { 480 | for(NullProcess::Map map : this->maps) { 481 | if(map.pathName.find(mapname) != std::string::npos ) { 482 | return map; 483 | } 484 | } 485 | NullProcess::Map invalidMap; 486 | invalidMap.pathName = ""; 487 | return invalidMap; 488 | } 489 | -------------------------------------------------------------------------------- /NullTrace/src/nullutils.cpp: -------------------------------------------------------------------------------- 1 | #include "nullutils.h" 2 | 3 | std::string NullUtils::removeNullChars(const std::string &str) { 4 | size_t nullPos = str.find('\0'); 5 | if (nullPos != std::string::npos) 6 | return str.substr(0, nullPos); 7 | else 8 | return str; 9 | } 10 | 11 | std::vector NullUtils::interpretHex(std::string hex) { 12 | hex.erase(std::remove_if(hex.begin(), hex.end(), ::isspace), hex.end()); 13 | 14 | if(hex.size() % 2 != 0) { 15 | return {}; 16 | } 17 | 18 | for(char c : hex) { 19 | if(!std::isxdigit(c)) { 20 | return {}; 21 | } 22 | } 23 | std::vector bytes; 24 | for(int i = 0; i < hex.size(); i += 2) { 25 | std::string byteStr = hex.substr(i, 2); 26 | uint8_t byte = static_cast(std::stoul(byteStr, nullptr, 16)); 27 | bytes.push_back(byte); 28 | } 29 | return bytes; 30 | } 31 | 32 | std::string NullUtils::bytesToHex(uint8_t* bytes, size_t len) { 33 | std::stringstream hexStream; 34 | for(int i = 0; i < len; i++) 35 | hexStream << std::setw(2) << std::setfill('0') << std::hex << static_cast(bytes[i]) << " "; 36 | std::string outStr = hexStream.str(); 37 | std::transform(outStr.begin(), outStr.end(), outStr.begin(), ::toupper); 38 | return outStr; 39 | } 40 | 41 | bool NullUtils::endsWith(const std::string &str, const std::string &suffix) { 42 | if(suffix.size() > str.size()) return false; 43 | return std::equal(suffix.rbegin(), suffix.rend(), str.rbegin()); 44 | } 45 | 46 | int NullUtils::getApiLevel() { 47 | char sdk_version_str[PROP_VALUE_MAX]; 48 | __system_property_get("ro.build.version.sdk", sdk_version_str); 49 | return std::stoi(sdk_version_str); 50 | } 51 | 52 | void NullUtils::SELINUX_SetEnforce(int mode) { 53 | if(mode == 0) system("su -c setenforce 0"); 54 | else if(mode == 1) system("su -c setenforce 1"); 55 | else return; 56 | } 57 | 58 | int NullUtils::SELINUX_GetEnforce() { 59 | std::ifstream file("/sys/fs/selinux/enforce"); 60 | if(!file.is_open()) { 61 | std::cerr << "[NullUtils] failed opening selinux file\n"; 62 | return -1; 63 | } 64 | 65 | std::string line; 66 | std::getline(file, line); 67 | file.close(); 68 | line = NullUtils::removeNullChars(line); 69 | if(line == "1") return 1; 70 | else if(line == "0") return 0; 71 | else return -1; 72 | } 73 | 74 | 75 | 76 | 77 | 78 | 79 | -------------------------------------------------------------------------------- /NullTrace/src/pnull.cpp: -------------------------------------------------------------------------------- 1 | #include "pnull.h" 2 | 3 | 4 | bool NullTrace::ptraceWrite(pid_t pid, uintptr_t addr, uint8_t* data, size_t len) { 5 | size_t remain = len % NullTrace::WORDSIZE; 6 | size_t amount = len / NullTrace::WORDSIZE; 7 | for(size_t i = 0; i < amount; i++) { 8 | long buffer; 9 | std::memcpy(&buffer, data + i * WORDSIZE, NullTrace::WORDSIZE); 10 | if(ptrace(PTRACE_POKEDATA, pid, i * NullTrace::WORDSIZE + addr, buffer) == -1) { 11 | return false; 12 | } 13 | } 14 | if(remain > 0) { 15 | 16 | size_t leftToWord = NullTrace::WORDSIZE - remain; 17 | uint8_t oldAfterRemain[leftToWord]; 18 | if(!NullTrace::ptraceRead(pid, amount * NullTrace::WORDSIZE + remain + addr, oldAfterRemain, leftToWord)) 19 | return false; 20 | 21 | long buffer = 0; 22 | 23 | std::memcpy(&buffer, data + amount * NullTrace::WORDSIZE, remain); 24 | std::memcpy(reinterpret_cast(&buffer) + remain, oldAfterRemain, leftToWord); 25 | if(ptrace(PTRACE_POKEDATA, pid, amount * NullTrace::WORDSIZE + addr, buffer) == -1) { 26 | return false; 27 | } 28 | } 29 | return true; 30 | } 31 | 32 | bool NullTrace::ptraceRead(pid_t pid, uintptr_t addr, uint8_t* data, size_t len) { 33 | size_t remain = len % NullTrace::WORDSIZE; 34 | size_t amount = len / NullTrace::WORDSIZE; 35 | 36 | for(size_t i = 0; i < amount; i++) { 37 | long buffer = 0; 38 | errno = 0; 39 | buffer = ptrace(PTRACE_PEEKDATA, pid, i * NullTrace::WORDSIZE + addr, NULL); 40 | if(errno) { 41 | std::cerr << "[NullTrace] Encountered an error: " << strerror(errno) << "\n"; 42 | return false; 43 | } 44 | std::memcpy(data + i * NullTrace::WORDSIZE, &buffer, NullTrace::WORDSIZE); 45 | } 46 | if(remain > 0) { 47 | errno = 0; 48 | long buffer = ptrace(PTRACE_PEEKDATA, pid, amount * NullTrace::WORDSIZE + addr, NULL); 49 | if(errno) { 50 | std::cerr << "[NullTrace] Encountered an error: " << strerror(errno) << "\n"; 51 | return false; 52 | } 53 | std::memcpy(data + amount * NullTrace::WORDSIZE, &buffer, remain); 54 | } 55 | return true; 56 | } 57 | 58 | 59 | uintptr_t NullTrace::ptraceRemoteCall(pid_t pid, uintptr_t addr, uintptr_t* argv, size_t argc, uintptr_t retAddr) { 60 | struct regs_s regs{}, oldRegs{}; 61 | 62 | if(!NullTrace::ptraceGetRegs(pid, regs)) { 63 | std::cerr << "[NullTrace] failed remote calling couldnt get regs\n"; 64 | return 0; 65 | } 66 | 67 | std::memcpy(&oldRegs, ®s, sizeof(regs)); 68 | #if defined(__arm__) 69 | for(int i = 0; (i < argc) && (i < 4); i++) { 70 | regs.uregs[i] = argv[i]; 71 | } 72 | 73 | if(argc > 4) { 74 | regs.ARM_sp -= sizeof(uintptr_t) * (argc - 4); 75 | uintptr_t stack = regs.ARM_sp; 76 | for(int i = 4; i < argc; i++) { 77 | uintptr_t arg = argv[i]; 78 | if(!ptraceWrite(pid, stack, (uint8_t*)&arg, sizeof(uintptr_t))) { 79 | 80 | return 0; 81 | } 82 | stack += sizeof(uintptr_t); 83 | } 84 | } 85 | 86 | regs.ARM_pc = addr; 87 | // handeling arm/thumb mode 88 | if(regs.ARM_pc & 1) { 89 | regs.ARM_pc &= (~1u); 90 | regs.ARM_cpsr |= CPSRTMASK; 91 | } else { 92 | regs.ARM_cpsr &= ~CPSRTMASK; 93 | } 94 | regs.ARM_lr = retAddr; //lr register 95 | #elif defined(__aarch64__) 96 | for(int i = 0; (i < argc) && (i < 8); i++) { 97 | regs.regs[i] = argv[i]; 98 | } 99 | if(argc > 8) { 100 | regs.sp -= sizeof(uintptr_t) * (argc - 8); 101 | uintptr_t stack = regs.sp; 102 | for(int i = 8; i < argc; i++) { 103 | uintptr_t arg = argv[i]; 104 | if(!ptraceWrite(pid, stack, (uint8_t*)&arg, sizeof(uintptr_t))) { 105 | 106 | return 0; 107 | } 108 | stack += sizeof(uintptr_t); 109 | } 110 | } 111 | 112 | regs.pc = addr; 113 | regs.regs[30] = retAddr; //lr register 114 | #elif defined(__i386__) 115 | regs.esp -= sizeof(uintptr_t) * argc; 116 | uintptr_t stack = regs.esp; 117 | for(int i = 0; i < argc; i++) { 118 | uintptr_t arg = argv[i]; 119 | if(!ptraceWrite(pid, stack, (uint8_t*)&arg, sizeof(uintptr_t))) { 120 | 121 | return 0; 122 | } 123 | stack += sizeof(uintptr_t); 124 | } 125 | 126 | uintptr_t lr = retAddr; 127 | regs.esp -= sizeof(uintptr_t); 128 | if(!ptraceWrite(pid, regs.esp, (uint8_t*)&lr, sizeof(uintptr_t))) { 129 | 130 | return 0; 131 | } 132 | regs.eip = addr; 133 | #elif defined(__x86_64__) // credits: @reveny on Github 134 | //Alignment 135 | uintptr_t space = sizeof(uintptr_t); 136 | if(argc > 6) { 137 | space += sizeof(uintptr_t) * (argc - 6); 138 | } 139 | while( ((regs.rsp - space - 8) & 0xF) != 0 ) { 140 | regs.rsp--; 141 | } 142 | for(int i = 0; (i < argc) && (i < 6); i++) { 143 | uintptr_t arg = argv[i]; 144 | switch (i) { 145 | case 0: regs.rdi = arg; break; 146 | case 1: regs.rsi = arg; break; 147 | case 2: regs.rdx = arg; break; 148 | case 3: regs.rcx = arg; break; 149 | case 4: regs.r8 = arg; break; 150 | case 5: regs.r9 = arg; break; 151 | } 152 | } 153 | 154 | if(argc > 6) { 155 | regs.rsp -= sizeof(uintptr_t) * (argc - 6); 156 | uintptr_t stack = regs.rsp; 157 | for(int i = 6; i < argc; i++) { 158 | uintptr_t arg = argv[i]; 159 | if(!ptraceWrite(pid, stack, (uint8_t*)&arg, sizeof(uintptr_t))) { 160 | 161 | return 0; 162 | } 163 | stack += sizeof(uintptr_t); 164 | } 165 | } 166 | 167 | uintptr_t lr = retAddr; 168 | regs.rsp -= sizeof(uintptr_t); 169 | if(!ptraceWrite(pid, regs.rsp, (uint8_t*)&lr, sizeof(uintptr_t))) { 170 | std::cerr << "[NullTrace] failed remote calling couldnt write\n"; 171 | return 0; 172 | } 173 | 174 | 175 | regs.rip = addr; 176 | regs.rax = 0; 177 | regs.orig_rax = 0; 178 | #else 179 | #error Unsupported Device 180 | #endif 181 | 182 | if(!NullTrace::ptraceSetRegs(pid, regs)) { 183 | std::cerr << "[NullTrace] failed remote calling couldnt set regs\n"; 184 | return 0; 185 | } 186 | 187 | 188 | 189 | if(ptrace(PTRACE_CONT, pid, NULL, NULL) == -1) { 190 | std::cerr << "[NullTrace] failed remote calling couldnt PTRACE_CONTINUE\n"; 191 | return 0; 192 | } 193 | 194 | int status; 195 | waitpid(pid, &status, WUNTRACED); 196 | 197 | while(WSTOPSIG(status) != SIGSEGV) { 198 | if(ptrace(PTRACE_CONT, pid, NULL, NULL) == -1) { 199 | std::cerr << "[NullTrace] failed remote calling couldnt PTRACE_CONTINUE\n"; 200 | return 0; 201 | } 202 | waitpid(pid, &status, WUNTRACED); 203 | } 204 | 205 | if(!NullTrace::ptraceGetRegs(pid, regs)) { 206 | std::cerr << "[NullTrace] failed remote calling couldnt get regs\n"; 207 | return 0; 208 | } 209 | 210 | 211 | if(!NullTrace::ptraceSetRegs(pid, oldRegs)) { 212 | std::cerr << "[NullTrace] failed remote calling couldnt set regs\n"; 213 | return 0; 214 | } 215 | 216 | #if defined(__arm__) 217 | return regs.ARM_r0; 218 | #elif defined(__aarch64__) 219 | return regs.regs[0]; 220 | #elif defined(__i386__) 221 | return regs.eax; 222 | #elif defined(__x86_64__) 223 | return regs.rax; 224 | #endif 225 | } 226 | 227 | 228 | bool NullTrace::ptraceGetRegs(pid_t pid, regs_s ®s) { 229 | #if defined(__LP64__) 230 | struct iovec iov{}; 231 | iov.iov_base = ®s; 232 | iov.iov_len = sizeof(regs); 233 | if(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov) == -1) { 234 | 235 | return false; 236 | } 237 | return true; 238 | #else 239 | if(ptrace(PTRACE_GETREGS, pid, nullptr, ®s) == -1) { 240 | 241 | return false; 242 | } 243 | return true; 244 | #endif 245 | } 246 | 247 | bool NullTrace::ptraceSetRegs(pid_t pid, regs_s ®s) { 248 | #if defined(__LP64__) 249 | struct iovec iov{}; 250 | iov.iov_base = ®s; 251 | iov.iov_len = sizeof(regs); 252 | if (ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &iov) == -1) { 253 | 254 | return false; 255 | } 256 | return true; 257 | #else 258 | if(ptrace(PTRACE_SETREGS, pid, nullptr, ®s) == -1) { 259 | 260 | return false; 261 | } 262 | return true; 263 | #endif 264 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # NullTrace-Android-Injector 2 | # Inject shared libraries on any process in android 3 | 4 | Successful shared library injections tested on real devices and emulators (handles nativebridge for arm lib injections on emulator) 5 | 6 | # Building: 7 | 1: Get the Android-NDK: https://developer.android.com/ndk/downloads?hl=en 8 | and make a new environment variable called NDK and link the root NDK directory to it, 9 | Or manually adjust the NDK and CMake_Toolchain paths here: 10 | [Link NDK](https://github.com/0NullBit0/NullTrace-Android-Inject/blob/main/CMakeLists.txt#L7) 11 | [Link CMAKE_TC](https://github.com/0NullBit0/NullTrace-Android-Inject/blob/main/CMakeLists.txt#L8) 12 | 13 | Install CMake and Ninja and make sure the Path for both is set
14 | https://cmake.org/download/ 15 | https://ninja-build.org/ 16 | 17 | 2: On Windows: run the build.bat file in powershell by: ```.\build.bat``` 18 | 19 | On Unix: ```chmod +x build.sh``` and run the build.sh file by: 20 | ```./build.sh``` or ```bash build.sh``` or ```sh build.sh``` 21 | 22 | 3: The executables will be inside ```build_out/{arch}/NullTrace-Injector``` 23 | 24 | 25 | 26 | # Running: 27 | ``` 28 | su 29 | chmod 777 NullTrace-Injector 30 | chmod 777 (libraryname).so 31 | ./NullTrace-Injector -p (packagename) -lib (library path) 32 | ``` 33 | flags: 34 | ``` 35 | -p flag : provide package name like com.nullbit.pocinject 36 | -lib flag : provide full library path like /data/local/tmp/libhacklib.so 37 | ``` 38 | 39 | ![showcase](nulltrace-demo.png) 40 | 41 | # Emulator injection showcase: 42 | # https://www.youtube.com/watch?v=Og3SngzD6TI 43 | 44 | -------------------------------------------------------------------------------- /build.bat: -------------------------------------------------------------------------------- 1 | :: build for windows by nullbit 2 | 3 | @echo off 4 | setlocal EnableDelayedExpansion 5 | 6 | set ABIS="arm64-v8a" "armeabi-v7a" "x86" "x86_64" 7 | set BUILD_DIR=tmp_wbuild 8 | 9 | for %%a in (%ABIS%) do ( 10 | echo Building for ABI: %%a 11 | if exist "%BUILD_DIR%" rmdir /s /q "%BUILD_DIR%" 12 | mkdir "%BUILD_DIR%" 13 | cmake -S . -B "%BUILD_DIR%" -G "Ninja" -DANDROID_ABI=%%a 14 | cmake --build "%BUILD_DIR%" 15 | ) 16 | 17 | echo Press any key to continue . . . 18 | pause > nul -------------------------------------------------------------------------------- /build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # build script for Unix by nullbit 4 | 5 | ABIS=("arm64-v8a" "armeabi-v7a" "x86" "x86_64") 6 | BUILD_DIR="tmp_wbuild" 7 | 8 | for ABI in "${ABIS[@]}"; do 9 | echo "Building for ABI: $ABI" 10 | if [ -d "$BUILD_DIR" ]; then 11 | rm -rf "$BUILD_DIR" 12 | fi 13 | mkdir "$BUILD_DIR" 14 | cmake -S . -B "$BUILD_DIR" -G "Ninja" -DANDROID_ABI="$ABI" 15 | cmake --build "$BUILD_DIR" 16 | done 17 | 18 | read -n 1 -s -r -p "Press any key to continue..." 19 | echo 20 | -------------------------------------------------------------------------------- /build_out/arm64-v8a/NullTrace-Injector: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0NullBit0/NullTrace-Injector/9171d3f8df0d0a29b1fbac7cc8509168268389f7/build_out/arm64-v8a/NullTrace-Injector -------------------------------------------------------------------------------- /build_out/armeabi-v7a/NullTrace-Injector: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0NullBit0/NullTrace-Injector/9171d3f8df0d0a29b1fbac7cc8509168268389f7/build_out/armeabi-v7a/NullTrace-Injector -------------------------------------------------------------------------------- /build_out/x86/NullTrace-Injector: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0NullBit0/NullTrace-Injector/9171d3f8df0d0a29b1fbac7cc8509168268389f7/build_out/x86/NullTrace-Injector -------------------------------------------------------------------------------- /build_out/x86_64/NullTrace-Injector: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0NullBit0/NullTrace-Injector/9171d3f8df0d0a29b1fbac7cc8509168268389f7/build_out/x86_64/NullTrace-Injector -------------------------------------------------------------------------------- /main.cpp: -------------------------------------------------------------------------------- 1 | #include "NullTrace/include/nullproc.h" 2 | #include "NullTrace/include/nullutils.h" 3 | 4 | bool handle_args(int argc, char* argv[], std::string &pkg, std::string &lib); 5 | 6 | int main(int argc, char* argv[]) { 7 | std::string pkg; 8 | std::string lib; 9 | 10 | if(!handle_args(argc, argv, pkg, lib)) return -1; 11 | 12 | NullProcess::Process proc; 13 | 14 | while(!proc.setProcByName(pkg)) { 15 | sleep(1); 16 | std::cout << "Waiting for process: " << pkg.c_str() << std::endl; 17 | } 18 | 19 | std::cout << "Found target process\n"; 20 | 21 | int SELinuxMode = NullUtils::SELINUX_GetEnforce(); 22 | bool changed = false; 23 | if (SELinuxMode == 0) std::cout << "SELinux already permissive\n"; 24 | else if (SELinuxMode == 1) { 25 | std::cout << "SELinux enforcing trying to set permissive\n"; 26 | NullUtils::SELINUX_SetEnforce(0); 27 | if (NullUtils::SELINUX_GetEnforce() == 0) { 28 | changed = true; 29 | std::cout << "Successfully set SELinux permissive\n"; 30 | } 31 | else std::cerr << "Failed setting SELinux permissive\n"; 32 | } else std::cerr << "Couldn't determine SELinux status\n"; 33 | 34 | std::cout << "Starting Injection\n"; 35 | 36 | if(proc.injectLibrary(lib)) { 37 | std::cout << "Successfully injected library\n"; 38 | if(pkg == "zygote" || pkg == "zygote64") { 39 | std::cout << "[INFO] INJECTED INTO ZYGOTE MAKE SURE YOU CHECK IF YOUR LIB IS IN THE RIGHT PROCESS\n"; 40 | std::cout << "[INFO] START OR RESTART YOUR GAME IF ITS ALREADY OPENED\n"; 41 | } 42 | } 43 | if(changed) { 44 | std::cout << "Resetting SELinux to old mode\n"; 45 | NullUtils::SELINUX_SetEnforce(SELinuxMode); 46 | if (NullUtils::SELINUX_GetEnforce() != SELinuxMode) 47 | std::cerr << "Failed setting back SELinux mode\n"; 48 | } 49 | return 0; 50 | } 51 | 52 | 53 | bool handle_args(int argc, char* argv[], std::string &pkg, std::string &lib) { 54 | bool hasPkg = false; 55 | bool hasLib = false; 56 | bool zygoteinjection = false; 57 | for(int i = 0; i < argc; i++) { 58 | std::string arg = argv[i]; 59 | 60 | if (arg == "-p" || arg == "--p") { 61 | if(i + 1 < argc) { 62 | pkg = argv[++i]; 63 | hasPkg = true; 64 | } 65 | else { 66 | std::cerr << "-p option requires the package name.\n"; 67 | return false; 68 | } 69 | } 70 | else if (arg == "-lib" || arg == "--lib") { 71 | if(i + 1 < argc) { 72 | lib = argv[++i]; 73 | hasLib = true; 74 | } 75 | else { 76 | std::cerr << "-lib option requires the library path.\n"; 77 | return false; 78 | } 79 | } 80 | else if(arg == "-zyi" || arg == "--zyi") { 81 | if(i + 1 < argc) { 82 | zygoteinjection = true; 83 | #if defined(__arm__) || defined(__i386__) 84 | pkg = "zygote"; 85 | #elif defined(__aarch64__) || defined(__x86_64__) 86 | pkg = "zygote64"; 87 | #endif 88 | } 89 | } 90 | } 91 | if(!hasLib || (!hasPkg && !zygoteinjection)) { 92 | std::cerr << "-lib and -p or -zyi options are required aborting.\n"; 93 | return false; 94 | } 95 | if(zygoteinjection && hasPkg) { 96 | std::cerr << "do not use -p and -zyi together aborting.\n"; 97 | return false; 98 | } 99 | 100 | return true; 101 | } 102 | -------------------------------------------------------------------------------- /nulltrace-demo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/0NullBit0/NullTrace-Injector/9171d3f8df0d0a29b1fbac7cc8509168268389f7/nulltrace-demo.png --------------------------------------------------------------------------------