Commit Graph

120 Commits

Author SHA1 Message Date
JingMatrix 1436f692fb
Refactor dex2oat wrapper to solve long-standing issues (#515)
Manual library path injection via LD_LIBRARY_PATH has become unreliable due to symbol mismatches in core libraries (e.g., `libc++`) between the system and APEX partitions. Recent updates to `liblog` and `libbase` (in Android 16) have resulted in missing symbols like `__hash_memory` or `fmt` when the ART APEX binaries are forced to load system-partition shims.

This commit switches the wrapper to execute the runtime APEX linker directly (e.g., `/apex/com.android.runtime/bin/linker64`). By passing the dex2oat binary to the linker via `/proc/self/fd/`, the linker can properly initialize internal namespaces and resolve dependencies from the correct APEX and bootstrap locations.

Moreover, for the OatHeader hook, a bug introduced in 6703b45350 is now fixed, where the target functions of PLT hooks are overwritten by our helper functions.

Details of the refactored project are explained in README.
2026-01-25 10:13:57 +01:00
JingMatrix e893bb0f28
Add `--system-server-max-retry` argument in service mode (#511)
User reports that system server injection can still fail even when the daemon is started in service mode.

Hence, we add argument `--system-server-max-retry=3` to address this problem.
2026-01-21 23:24:38 +01:00
JingMatrix 0e457e3247 Start LSPosed daemon in `service.sh`
This partially reverts commit c622d0f1f9.

On my test device (Pixel 6, Android 16 QPR2, KernelSU), calling the LSPosed daemon twice results in a detection based on `mount_id` values. In `com.reveny.nativecheck` 7.6.1, it is named `Detected Magic Mount`.
Of course, this naming is incorrect and misleading. We refer to https://github.com/JingMatrix/NeoZygisk/pull/39 for details of this detection point.
2025-12-04 23:59:55 +01:00
JingMatrix c622d0f1f9 Start service daemon in post-fs-data.sh (#429)
For trace cleaning modules to work properly, such as the DenyList feature of NeoZygisk, it is better to execute modules mount (`dex2oat` for the case of LSPosed) at post-fs-data.sh.

Moreover, the `logd` daemon of LSPosed should start as early as possible.

This reverts commit 92cbed418e (pull-request #57).

The original pull-request claimed a `PlayIntegrityFix` break, but was not reproducible on other devices.
2025-11-08 11:59:16 +01:00
JingMatrix 0044a36fcf Update dependencies
When upgrading to Gradle 9+, we remove several unused tasks for development to simplify the process.

Close #385, #441, #445, #448, #462 as merged.
2025-11-08 11:56:08 +01:00
Qing_Feng 108149b6b7
Remove WebUI integration (#345)
Having a WebUI simply duplicating the current function of the Action button is unnecessary.

Since most users are migrated to root implementations which realize the Action button feature, we revert commit f8409ad34b to remove the WebUI integration of LSPosed.
2025-07-21 07:37:52 +02:00
JingMatrix 5e040f97e8 Fix typo in update/zygisk.json
Close #347 as completed.
2025-07-13 23:56:24 +02:00
JingMatrix f081aa3899
Fix packaging bugs of LSPosed v1.10.2 (#341)
1. Magisk manager cuts off the full changelog, it is thus better to move my personal note to the end. Add emoji for easier understanding.
2. Fix locating the generated javascript file. In Parcel 2, this file now has prefix `generate`.
3. Fix the author name, use JingMatrix for accuracy.
2025-07-13 01:32:45 +02:00
JingMatrix 06abb8a7bc Release LSPosed v1.10.2 2025-07-12 11:30:46 +02:00
JingMatrix d625e00b6e Update dependencies
1. Parcel 1 is deprecated, see https://www.npmjs.com/package/parcel-bundler.
2. `com.android.application` 8.11.1 requires Gradle 8.13+
2025-07-12 08:07:01 +02:00
JingMatrix 209a5417ec
Allow dex2oat to access files received from sockets (#165)
On some devices `dex2oat` cannot access files (fd) received from sockets due to SELinux restrictions.
Hence, we add a new rule according to the avc logs, which showed that permissions `open` and `getattr` were needed.
2025-01-22 12:01:55 +01:00
JingMatrix c0478f593e
Hook dex2oat functions to remove LSPosed traces (#152)
We use the env LD_PRELOAD to hook the execution of `dex2oat`, which can be directly set to be a file descriptor.
2025-01-08 07:19:18 +01:00
JingMatrix 2bc0f0c716 Refine SELinux rules for Xposed files (#149)
1. The SELinux context label `magisk_file` is widely used by Zygisk implementation modules. It is improper for LSPosed to abuse this label for its own files. We replace it by `xposed_file`.
2. A new rule is added according to the SELinux logs, which is needed to write to the manager's SharedPreference.
3. `xposed_data` is a new SELinux context label for XSharedPreference files, it is not meant to provide MAC restricted access but to conform with Android's rule: https://developer.android.com/about/versions/pie/android-9.0-changes-28#per-app-selinux.
4. We add attribute `mlstrustedobject` to ignore the `Multi-Level and Multi-Category Security` enforced on Android.
2025-01-06 16:31:17 +01:00
JingMatrix fba56a9927 Adjust debugging settings
1. Set log buffer size for system
2. Increase buffer size to 128 Kb
3. Record also logs for APatch, KernelSU and SELinux
4. Add installation tasks for APatch
2025-01-03 14:06:28 +01:00
JingMatrix 1d09934523 Remove redundant MapInfo::Scan function
With inline hook, we no longer need to scan process virtual maps.

Moreover, I can no longer justify the point 3 stated in commit
156c6ae855 by experiments, which is
mysterious given my previous experiments done for the commit
3c020a9cd7.

Currently, only one thing is sure: reading `/proc/self/map` can be
detected by Holmes. Hence, it is always a good practice to not inject
unnecessary code during the preAppSpecialize API.
2024-12-11 17:02:38 +01:00
JingMatrix e7a5835d8f
Clear compilation warnings (#121)
* Fix warnings of CMake

To completely remove CMake version warnings, one may need to change the CMakeLists.txt file in the NDK installation.

* Add compiler flag -Wpedantic

Show compilation errors for the core subject, while ignoring some of them
2024-12-09 22:15:18 +01:00
JingMatrix 6eb133b114 Fix incorrect initInfo parameter
Since we are using Dobby inline hook, the field `is_plt_hook` should be
the default value, i.e., false.

Close #113 as fixed.
2024-12-06 22:29:40 +01:00
JingMatrix c5ff4c0e3a Abandon PLT hook for LSPlant
See the previous commit for reasons.
2024-12-04 11:55:28 +01:00
JingMatrix cc26efe6d3 Fix pltHook parameters
Moreover, we may need to abandon PLT hooks in the future.
Currently, there aren't many symbols found in the section .dynsym that
are hooked targets of LSPlant, and more of them are found in the .symtab
section.

In Android 16 DP1, hooked art symbols in .dynsym (thus could be hooked
using the PLT hook) are:
1. _ZN3art6mirror5Class9SetStatusENS_6HandleIS1_EENS_11ClassStatusEPNS_6ThreadE
2. _ZN3art3jit12JitCodeCache12DoCollectionEPNS_6ThreadE
, while symbols in .symtab (must be hooked using inline hook) are:
1. _ZN3art11ClassLinker22FixupStaticTrampolinesEPNS_6ThreadENS_6ObjPtrINS_6mirror5ClassEEE
2. _ZN3art11ClassLinker14RegisterNativeEPNS_6ThreadEPNS_9ArtMethodEPKv
3. _ZN3art11ClassLinker16UnregisterNativeEPNS_6ThreadEPNS_9ArtMethodE
4. _ZN3art11ClassLinker26VisiblyInitializedCallback22MarkVisiblyInitializedEPNS_6ThreadE

Hence, PLT hooks no longer provide sufficient advantages over inline
hooks. Also, we may consider using shadowhook to replace Dobby for the
arm CPU archs.
2024-12-04 10:31:00 +01:00
JingMatrix 46cdc126bd Keep libart.so cache after HookBridge
The previous commit 5da38f60a2 is not
complete since `GetArt(true)` will destroy the static SandHook::ElfImg
object.

Since in the previous two commits we have postponed the initialization
of LSPlant, we can now keep the symbol cache of `libart` for the
InitArtHooker call in method `OnNativeForkSystemServerPost`. Symbol
cache works because we are using local static object in the function
`GetArt`, whose life-cycle is not constrained by the function block.
2024-12-02 17:11:28 +01:00
JingMatrix 3c020a9cd7 Partially revert the previous commit
Current commit will restore the modifications 1,4 in the previous
commit 156c6ae855. Thanks to people in
the community, @privacyguy123, @aviraxp and @HuskyDG, just to name a
few, for noticing my severe mistakes.

Those mistakes are mainly caused by my inconsistent usage of testing
environments. I wrongly compared the detecting results with different
`Zygisk` implementations and was too assertive and careless to make those
changes. Here is the explanation for reverting the previous commit:
1. `system.prop` is not extracted for Android 10+ devices in
   `customize.sh`;
2. mounting /data/resource-cache is still needed in some systems
   (ColorOS, to be confirmed), and it isn't a detection point.

To verify that modifications 2,3 are effective, I tested them with `Zygisk
Next` 1.2.4 (445-031a64c-release) and `Holmes` V1.5.1 Narcissus on
`Magisk` a34c04f9 280002.
2024-12-02 12:38:58 +01:00
JingMatrix 156c6ae855 Remove some traces left by LSPosed
1. Avoid changing `system.prop`: there is already no need to add
   system-wise `dex2oat` flags, since LSPosed provides a wrapper for it,
   see https://nullptr.icu/index.php/archives/53/ for detailed
   explanation;
2. Postpone initialization of LSPlant: initialization of `initInfo`
   during the `onLoad` Zygisk api will change the order of parsed files
   in memory, especially bring the item `libart.so` forward;
3. Close opened virtual map file: this should no longer be a problem
   after the second point is applied since it is no longer opened during
   `onLoad`, but let us close it as a good practice;
4. Remove /data/resource-cache mount: introduced in
   https://github.com/LSPosed/LSPosed/pull/1627, most likely designed to
   solve problems in early versions of root solutions and being reverted
   does not change the function of daemon since we will have to wait
   sufficient time in `waitSystemService` of `LSPosedService` manager.
   Of course, more tests are needed on different devices to see if
   parasitic notification manager will work as expected.
2024-12-02 10:15:44 +01:00
JingMatrix 466b3a4aee
Strip logs if verbose log is disabled (#101)
When the `Disable verbose log` option is toggled, more logs are stripped to avoid detections based on log entries.
2024-11-25 22:28:34 +01:00
JingMatrix 5da38f60a2 Avoid parsing libart for multiple times
Use GetArt instead of parsing the lib anew.
2024-11-21 09:29:53 +01:00
Keeperorowner be2342194c
Add action.sh to open LSPosed manager (#74)
* Update customize.sh

* Create action.sh

* Keep WebUI as fallback

---------

Co-authored-by: JingMatrix <jingmatrix@gmail.com>
2024-10-31 15:02:28 +01:00
JingMatrix ff04a68822
Fix CallBooleanMethodV hook of exec_transact (#71)
* Revert "use shared memory"

This reverts commit 44570c5ed0.

* Revert "fix manager not detected"

This reverts commit 9125b4b2f1.

Close #69 as fixed.
2024-10-17 18:46:01 +02:00
JingMatrix 5f20d7ab75 Android 15 is released 2024-10-16 11:06:16 +02:00
Captain Throwback 92cbed418e Start service daemon in late_start mode (#57)
1. Starting daemon during post-fs-data can cause Play Integrity detection
   for devices without the PlayIntegrityFix module.
2. Starting LSPosed service daemon in post-fs-data mode is redundant on
   many devices
2024-10-08 03:05:03 +02:00
JingMatrix bb869eac2d Fix implementation of UnhookPLT
Currently, inline_unhooker is not used in the code.
We still fix the logic to avoid confusion.

There is no feasible way to determine if the parameter original is a
valid function pointer or a `const char` pointer.
We suppose it as a char pointer in the first step.
2024-09-23 15:58:40 +02:00
JingMatrix 534e3930ae Use PLT hook from Zygisk API(v4) 2024-09-23 11:10:37 +02:00
JingMatrix 4d8e01176f Remove Riru support
The repository RikkaApps/Riru is archived since Jan 8, 2024, which
recommends Zygisk as its alternative.
2024-09-23 11:10:25 +02:00
JingMatrix ea2e1c8518 Update to Zygisk API v4
Skip checking magisk version on KernelSU or APatch
Close #44 as completed
2024-09-23 11:10:03 +02:00
JingMatrix e28e194682 Indicate plt hook explicitly
The file magisk_loader.cpp is reformatted using clangd
2024-09-12 15:19:28 +02:00
JingMatrix 1d7de6c78e Avoid resolving `libart` symbols twice
LSPlt is only used to hook libart symbols.
The file `native_util.h` is reformatted by clangd.
Fallback to Dobby if LSPlt fails.
2024-09-12 11:30:15 +02:00
JingMatrix 42cf1c2fd5 [skip ci] Replace submodule Dobby by LSPlt
It remains to implement HookFunction and UnhookFunction with LSPlt
2024-08-31 05:36:57 +02:00
JingMatrix 16c09cefce Fix LSPosed-Bridge log TAG 2024-08-31 02:43:25 +02:00
JingMatrix f8409ad34b Open parasitic manager through WebUI
Open the parasitic manager using WebUI of KernelSU / APatch.
In the future the web page could become an alternative manager,
without parasitic manager at all.

See https://github.com/mywalkb/LSPosed_mod/issues/65 for details.

Co-authored-by: mywalk <66966897+mywalkb@users.noreply.github.com>
2024-08-31 02:43:25 +02:00
5ec1cff 201af3f165 use Theme_DeviceDefault_Settings 2024-08-31 02:43:25 +02:00
5ec1cff 571655dc0a support lower versions and fix activityInfo pollution 2024-08-31 02:43:25 +02:00
5ec1cff 8c0fb4f5eb temporary fix for A14 QPR3 2024-08-31 02:43:25 +02:00
5ec1cff 41eb1c63ad new parasitic manager 2024-08-31 02:43:25 +02:00
5ec1cff 44570c5ed0 use shared memory 2024-08-31 02:43:24 +02:00
5ec1cff c5d7b32cc0 ignore binder transactions flooding 2024-08-31 02:43:08 +02:00
JingMatrix 9df0af313f Update dobby dependency
Note that RS_SUCCESS = 0 is removed in the commit
f4643b8d14d7cc94516b446ca77d952d0b986d50
of https://github.com/jmpews/Dobby

The CMake option DOBBY_GENERATE_SHARED is removed, we use dobby_static
explicitly.
2024-08-27 01:50:17 +02:00
JingMatrix bdba029fe9 Update repo info 2024-07-27 10:40:27 +02:00
JingMatrix 4666b13013 Announce support for Android 15 Beta 4 2024-07-24 01:41:02 +02:00
JingMatrix 17625a04d5 Fix CMake syntax error
Update cmake version
2024-07-24 01:23:05 +02:00
JingMatrix 2e0de88eca Apply patch da1daf of mywalkb/LSPosed_mod
From Android 14 QPR3 and forward, the classloader of injected app (com.android.shell)
does not contain the apk manager, so in hook getClassLoader there is a new check when
it got a negative response the apk manager is injected in classloader, so parasitic
manager can start correctly.

Co-authored-by: mywalk <66966897+mywalkb@users.noreply.github.com>
2024-07-24 01:22:43 +02:00
JingMatrix 8e96b8de21 Replace axml by WindySha/ManifestEditor 2024-05-18 23:48:50 +02:00
JingMatrix 0a935413fc Adjust proguard for Android R8
1. Use JDK 21
2. Update android plugins for JDK 21
3. Update gradle wrapper

The new R8 engine will change more class names than before, we thus
need to save those needed ones.
2024-05-18 23:48:43 +02:00