├── inject
├── mmap.png
├── libhello.so
├── com.x51.demo.png
├── run_inject.bat
└── README.md

/inject:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xfiftyone/droidsoject/HEAD/inject
--------------------------------------------------------------------------------
/mmap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xfiftyone/droidsoject/HEAD/mmap.png
--------------------------------------------------------------------------------
/libhello.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xfiftyone/droidsoject/HEAD/libhello.so
--------------------------------------------------------------------------------
/com.x51.demo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xfiftyone/droidsoject/HEAD/com.x51.demo.png
--------------------------------------------------------------------------------
/run_inject.bat:
--------------------------------------------------------------------------------
adb shell su -c setenforce 0
adb push inject /data/local/tmp
adb push libhello.so /data/local/tmp
adb shell chmod 777 /data/local/tmp/inject
adb shell chmod 777 /data/local/tmp/libhello.so
adb shell su -c /data/local/tmp/inject com.x51.demoapp
pause
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# droidsoject
A shared-library (.so) injection tool used in Android application security testing.
Binary for Android process injection testing.

## Example
![avatar](com.x51.demo.png)
## How to use it
```
./inject com.x51.demo
```
Then open a second cmd window and run:
```
logcat -s "INJECT"
```
Sample log from a successful injection:
```
D/INJECT ( 3738): [+] Calling dlclose in target process.
D/INJECT ( 3738): [+] Target process returned from dlclose, return value=0, pc=b6f590bc
E/WakeLock( 1893): GCM_HB_ALARM release without a matched acquire!
D/INJECT ( 3933): [+] Injecting process: 3719
D/INJECT ( 3933): [+] get_remote_addr: local[b6f2a000], remote[b6f58000]
D/INJECT ( 3933): [+] Remote mmap address: b6f6ab25
D/INJECT ( 3933): [+] Calling mmap in target process.
D/INJECT ( 3933): [+] Target process returned from mmap, return value=8cd4c000, pc=0
D/INJECT ( 3933): [+] get_remote_addr: local[b6f8d000], remote[b6fc6000]
D/INJECT ( 3933): [+] get_remote_addr: local[b6f8d000], remote[b6fc6000]
D/INJECT ( 3933): [+] get_remote_addr: local[b6f8d000], remote[b6fc6000]
D/INJECT ( 3933): [+] get_remote_addr: local[b6f8d000], remote[b6fc6000]
D/INJECT ( 3933): [+] Get imports: dlopen: b6fc6f11, dlsym: b6fc6e61, dlclose: b6fc6ddd, dlerror: b6fc6d8d
D/INJECT ( 3933): [+] Calling dlopen in target process.
D/INJECT ( 3933): [+] Target process returned from dlopen, return value=90c805b8, pc=0
D/INJECT ( 3933): [+] Calling dlsym in target process.
D/INJECT ( 3933): [+] Target process returned from dlsym, return value=8d665c5d, pc=0
D/INJECT ( 3933): hook_entry_addr = 0x8d665c5d
D/INJECT ( 3933): [+] Calling hook_entry in target process.
D/DEBUG ( 3719): Hook Success, getpid = 3719
D/DEBUG ( 3719): Hello x51
D/DEBUG ( 3719): You can inject some evil code here.
D/INJECT ( 3933): [+] Target process returned from hook_entry, return value=0, pc=0
```
View the memory map layout of the target process:
![avatar](mmap.png)
## Quick Start (Windows)
```
quickstart.bat
```
```
adb shell su -c setenforce 0
adb push inject /data/local/tmp
adb push libhello.so /data/local/tmp
adb shell chmod 777 /data/local/tmp/inject
adb shell chmod 777 /data/local/tmp/libhello.so
adb shell su -c /data/local/tmp/inject com.x51.demoapp
pause
```
The first command switches SELinux to permissive mode; that setting stays in effect until the device reboots or `setenforce 1` is run.
## Notice
1. One of the Android testing tools used on the contracted-tester (service provider) side.
2. The path to libhello.so is hard-coded in inject as `/data/local/tmp/libhello.so`; it can be changed, but there is no need to.
## References
https://blog.csdn.net/jinzhuojun/article/details/9900105
https://bbs.pediy.com/thread-141355.htm
--------------------------------------------------------------------------------
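
A defender-side check for the artifact this tool leaves in the target, as an added example (not part of the droidsoject repository): it parses `/proc/<pid>/maps` text and flags executable mappings backed by files outside an allowlist of code directories, such as the hard-coded `/data/local/tmp/libhello.so`, plus anonymous regions that are both writable and executable. The sample maps text, the allowlist and the function name are constructed for illustration; the anonymous-region rule is a general heuristic, since the page does not state which protections the remote `mmap` call requests.

```python
import re

# Assumed allowlist: directories an app process normally maps code from.
# Adjust for the Android version and device under inspection.
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/apex/", "/data/app/",
                    "/data/dalvik-cache/")

# One /proc/<pid>/maps record: range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

# Constructed sample, shaped like a 32-bit Android process map.
SAMPLE_MAPS = """\
8d664000-8d667000 r-xp 00000000 b3:1c 12345  /data/local/tmp/libhello.so
8d667000-8d668000 r--p 00002000 b3:1c 12345  /data/local/tmp/libhello.so
b6f58000-b6f9f000 r-xp 00000000 b3:19 1201   /system/lib/libc.so
b6fc6000-b6fd5000 r-xp 00000000 b3:19 210    /system/bin/linker
8cd4c000-8cd50000 rwxp 00000000 00:00 0
be8a1000-be8c2000 rw-p 00000000 00:00 0      [stack]
"""


def suspicious_mappings(maps_text):
    """Return (reason, start_address, path) for each mapping worth a look."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or "x" not in m["perms"]:
            continue  # malformed line or non-executable mapping
        path = m["path"].strip()
        if path.startswith("/"):
            # File-backed code loaded from outside the allowlist.
            if not path.startswith(TRUSTED_PREFIXES):
                findings.append(("untrusted-exec-file", m["start"], path))
        elif not path and "w" in m["perms"]:
            # Anonymous region that is both writable and executable.
            findings.append(("anon-wx", m["start"], ""))
    return findings


if __name__ == "__main__":
    for reason, start, path in suspicious_mappings(SAMPLE_MAPS):
        print(f"{reason:20} 0x{start} {path or '<anonymous>'}")
```

On a rooted test device the input can be collected with `adb shell su -c cat /proc/<pid>/maps` and passed to `suspicious_mappings` as a string.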