Riru only does one thing: inject into zygote so that modules can run their code in apps or in the system server.
The name, Riru, comes from a character (https://www.pixiv.net/member_illust.php?mode=medium&illust_id=74128856).
Requirement: Android 6.0+ devices rooted with Magisk.
- Automatically
  - Search "Riru" in Magisk Manager
  - Install the module named "Riru"
- Manually
  - Download the zip from the GitHub release
  - Install it in Magisk Manager (Modules - Install from storage - Select the downloaded zip)
- When the file `/data/adb/riru/disable` exists, Riru will do nothing
- When the file `/data/adb/riru/enable_hide` exists, the hide mechanism will be enabled (this also requires support from the modules)
- How to inject into the zygote process?

  Before v22.0, we replaced a system library (libmemtrack) that is loaded by zygote. However, this seemed to cause some weird problems, perhaps because libmemtrack is also used by something else.

  Then we found a much easier way: the "native bridge" (`ro.dalvik.vm.native.bridge`). The "so" file named by this property is automatically "dlopen-ed" and "dlclose-ed" by the system. This approach was borrowed from elsewhere.

- How to know if we are in an app process or a system server process?

  Two JNI functions (`com.android.internal.os.Zygote#nativeForkAndSpecialize` and `com.android.internal.os.Zygote#nativeForkSystemServer`) fork the app process and the system server process respectively, so we need to replace these functions with ours. This part is simple: hook `jniRegisterNativeMethods`, since all Java native methods in `libandroid_runtime.so` are registered through this function. Then we can call the original `jniRegisterNativeMethods` again to replace them with ours.

- Hide

  From v22.0, Riru provides a hide mechanism (idea from Haruue Icymoon) that remaps the memory of Riru and its modules as anonymous memory, so that the library paths no longer show up to "/proc/maps string scanning".
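The following is an added example, not Riru's own code, that walks through the `jniRegisterNativeMethods` hooking approach described above in runnable form: let the real registration happen, remember the original `nativeForkAndSpecialize` / `nativeForkSystemServer` pointers, then call the original `jniRegisterNativeMethods` again with our replacements. Everything Android-specific is a stand-in so that it compiles on a desktop: `JNIEnv`, `JNINativeMethod` and the small "registry" imitate the JNI/libnativehelper types, the two-argument `fork_fn` signature is constructed (the real functions take many more parameters, and those parameter lists differ between Android versions), and the `jniRegisterNativeMethods` function pointer stands in for the PLT or inline hook a real loader would install.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the JNI types (assumption: not the real jni.h). */
typedef void JNIEnv;
typedef struct {
    const char *name;
    const char *signature;
    void *fnPtr;
} JNINativeMethod;
typedef int (*jniRegisterNativeMethods_t)(JNIEnv *env, const char *className,
                                          const JNINativeMethod *methods, int numMethods);
/* Constructed fork signature; the real one has far more parameters. */
typedef int (*fork_fn)(JNIEnv *env, int uid);

#define ZYGOTE_CLASS "com/android/internal/os/Zygote"

/* ---- stand-in for libandroid_runtime / libnativehelper ---- */
#define MAX_NATIVES 16
static struct { const char *className; const char *name; void *fnPtr; } registry[MAX_NATIVES];
static int registry_count;

/* Behaves like JNI RegisterNatives: registering a name again replaces its pointer. */
static int real_jniRegisterNativeMethods(JNIEnv *env, const char *className,
                                         const JNINativeMethod *methods, int numMethods) {
    (void)env;
    for (int i = 0; i < numMethods; i++) {
        int j;
        for (j = 0; j < registry_count; j++)
            if (strcmp(registry[j].className, className) == 0 &&
                strcmp(registry[j].name, methods[i].name) == 0)
                break;
        if (j == registry_count) {
            if (registry_count == MAX_NATIVES) return -1;
            registry[j].className = className;
            registry[j].name = methods[i].name;
            registry_count++;
        }
        registry[j].fnPtr = methods[i].fnPtr;
    }
    return 0;
}

void *lookup_native(const char *className, const char *name) {
    for (int j = 0; j < registry_count; j++)
        if (strcmp(registry[j].className, className) == 0 && strcmp(registry[j].name, name) == 0)
            return registry[j].fnPtr;
    return NULL;
}

/* Zygote's own fork natives: stand-ins that return a fake child pid. */
int zygote_forkAndSpecialize(JNIEnv *env, int uid) { (void)env; (void)uid; return 1234; }
int zygote_forkSystemServer(JNIEnv *env, int uid)  { (void)env; (void)uid; return 1000; }

/* libandroid_runtime reaches jniRegisterNativeMethods through this pointer; a real
 * loader would redirect the call with a PLT or inline hook instead. */
static jniRegisterNativeMethods_t jniRegisterNativeMethods = real_jniRegisterNativeMethods;

static int register_zygote_natives(JNIEnv *env) {
    static const JNINativeMethod methods[] = {
        {"nativeForkAndSpecialize", "(II)I", (void *)zygote_forkAndSpecialize},
        {"nativeForkSystemServer",  "(II)I", (void *)zygote_forkSystemServer},
    };
    return jniRegisterNativeMethods(env, ZYGOTE_CLASS, methods, 2);
}

/* ---- the injected side ---- */
static jniRegisterNativeMethods_t orig_jniRegisterNativeMethods;
fork_fn orig_forkAndSpecialize;
fork_fn orig_forkSystemServer;
static int app_forks, server_forks;

int my_forkAndSpecialize(JNIEnv *env, int uid) {
    app_forks++;                                  /* modules' pre-fork callbacks would run here */
    int pid = orig_forkAndSpecialize(env, uid);
    if (pid == 0) { /* child: modules' post-fork app callbacks would run here */ }
    return pid;
}

int my_forkSystemServer(JNIEnv *env, int uid) {
    server_forks++;
    int pid = orig_forkSystemServer(env, uid);
    if (pid == 0) { /* child: modules' system server callbacks would run here */ }
    return pid;
}

static int hooked_jniRegisterNativeMethods(JNIEnv *env, const char *className,
                                           const JNINativeMethod *methods, int numMethods) {
    /* Let the real registration happen first so the original pointers are in place. */
    int ret = orig_jniRegisterNativeMethods(env, className, methods, numMethods);
    if (ret != 0 || strcmp(className, ZYGOTE_CLASS) != 0) return ret;

    JNINativeMethod replacements[2];
    int n = 0;
    for (int i = 0; i < numMethods; i++) {
        if (strcmp(methods[i].name, "nativeForkAndSpecialize") == 0) {
            orig_forkAndSpecialize = (fork_fn)methods[i].fnPtr;
            replacements[n] = methods[i];
            replacements[n].fnPtr = (void *)my_forkAndSpecialize;
            n++;
        } else if (strcmp(methods[i].name, "nativeForkSystemServer") == 0) {
            orig_forkSystemServer = (fork_fn)methods[i].fnPtr;
            replacements[n] = methods[i];
            replacements[n].fnPtr = (void *)my_forkSystemServer;
            n++;
        }
    }
    /* Call the original again: re-registering the same names swaps in our functions. */
    return n ? orig_jniRegisterNativeMethods(env, className, replacements, n) : ret;
}

void install_hook(void) {
    if (jniRegisterNativeMethods == hooked_jniRegisterNativeMethods) return; /* never hook twice */
    orig_jniRegisterNativeMethods = jniRegisterNativeMethods;
    jniRegisterNativeMethods = hooked_jniRegisterNativeMethods;
}

/* The sequence zygote goes through: hook installed at load time, natives registered,
 * then fork requests dispatched through the JNI table. Returns the sum of both pids. */
int simulate_zygote(void) {
    install_hook();
    if (register_zygote_natives(NULL) != 0) return -1;
    fork_fn fork_app = (fork_fn)lookup_native(ZYGOTE_CLASS, "nativeForkAndSpecialize");
    fork_fn fork_ss  = (fork_fn)lookup_native(ZYGOTE_CLASS, "nativeForkSystemServer");
    return fork_app(NULL, 10001) + fork_ss(NULL, 1000);
}

int app_fork_count(void)    { return app_forks; }
int server_fork_count(void) { return server_forks; }

int main(void) {
    int pids = simulate_zygote();
    printf("pid sum=%d app hooks=%d server hooks=%d\n", pids, app_fork_count(), server_fork_count());
    return 0;
}
```

The guard in `install_hook` matters in practice: installing the hook twice would make `orig_jniRegisterNativeMethods` point at the hook itself and recurse forever. The replacement functions also have to match the exact JNI signature of the Android version in use, which is why module authors need to track the API changes linked at the end of this page.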
- The device reboots after zygote dies

  For hiding purposes, `ro.dalvik.vm.native.bridge` is reset after zygote starts. If zygote dies, we can set `ro.dalvik.vm.native.bridge` back, but we cannot guarantee that this happens before zygote starts again, so rebooting the device may be the only solution. If you rely on the original behavior, you can remove `/data/adb/riru/bin/rirud.dex`.
Android Studio (at least until 4.2 Canary 13) can't correctly handle a local module that uses prefab; you may have to manually run `:riru:assembleDebug` to make Android Studio happy.

Run the gradle task `:riru:assembleRelease` or `:core:assembleRelease` from Android Studio or the terminal; the zip will be saved to `out`.
- Module template: https://github.com/RikkaApps/Riru-ModuleTemplate
- API changes: https://github.com/RikkaApps/Riru-ModuleTemplate/blob/master/README.md#api-changes