/Demo

A demo app to detect (ReZygisk) library injections

Primary LanguageC++GNU General Public License v3.0GPL-3.0

Detecting library injection in memory

Detection using solist

In Bionic linker, the soinfo structure has a field next, which points to the next loaded library in a linked list consisting of all loaded libraries.

Hence, an injected application can easily find all loaded libraries.

Detection criteria

The following cases are considered as injections:

  1. some soinfo object has empty pathname;
  2. the linked list of all soinfo has gaps between elements, and such gap appears before specializeAppProcess.

Detection using virtual maps

See blog Android 用户态注入隐藏已死.

State of bypassing current test