MJx0/AndKittyInjector MJx0/AndKittyInjector

  • Stars
    star
    143
  • Rank 257,007 (Top 6 %)
  • Language
    C++
  • License
    MIT License
  • Created about 1 year ago
  • Updated about 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
MJx0/AndKittyInjector
github

MJx0

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Inject a shared library into a process using ptrace

AndKittyInjector

Android shared library injector based on ptrace with help of KittyMemoryEx.

Requires C++11 or above.
Inject from /data for Android

Support:

  • Tested on Android 5.0 ~ 14
  • ABI arm, arm64, x86, x86_64
  • Inject emulated arm64 & arm32 via libhoudini.so or libndk_translation.so
  • Bypass android linker namespace restrictions
  • memfd dlopen support
  • App launch monitor
  • Hide lib segments from /maps
  • Hide lib from linker solist ( dladdr & dl_iterate_phdr )

How to use:

Make sure to chmod +x or 755

Usage: ./path/to/AndKittyInjector [-h] [-pkg] [-pid] [-lib] [ options ]

Required arguments:
   -pkg                Target app package.
   
   -lib                Library path to inject.

Optional arguments:
   -h, --help          show available arguments.
   
   -pid                Target app pid.
   
   -dl_memfd           Use memfd_create & dlopen_ext to inject library, useful to bypass path restrictions.

   -hide_maps          Try to hide lib segments from /proc/[pid]/maps.

   -hide_solist        Try to remove lib from linker or NativeBridge solist.
   
   -watch              Monitor process launch then inject, useful if you want to inject as fast as possible.
   
   -delay              Set a delay in microseconds before injecting.

Notes:

  • Do not start a thread in library constructor, instead use JNI_OnLoad:
extern "C" jint JNIEXPORT JNI_OnLoad(JavaVM* vm, void *key)
{
    // key 1337 is passed by injector
    if (key != (void*)1337)
        return JNI_VERSION_1_6;

    KITTY_LOGI("JNI_OnLoad called by injector.");

    JNIEnv *env = nullptr;
    if (vm->GetEnv((void**)&env, JNI_VERSION_1_6) == JNI_OK)
    {
        KITTY_LOGI("JavaEnv: %p.", env);
        // ...
    }
    
    std::thread(thread_function).detach();
    
    return JNI_VERSION_1_6;
}

  • When using -watch to inject as soon as the target app launches, you may need to use -delay as well, especially when injecting emulated lib.

  • When using -dl_memfd and it fails then legacy dlopen will be called.

Compile:

  • Make sure to have NDK, cmake and make installed and added to OS environment path.
  • Set NDK_HOME to point to NDK folder
  • You can check both ndk-build.bat and cmake-build.bat
git clone --recursive https://github.com/MJx0/AndKittyInjector.git
cd AndKittyInjector/AndKittyInjector
ndk-build.bat

Credits:

arminject

injectvm-binderjack

TinyInjector

am_proc_start

More Repositories

1

KittyMemory

This library aims for runtime code patching for both Android and iOS
C++
322
star
2

iOS_UE4Dumper

MobileSubstrate tweak to dump iOS UE4 games
C++
186
star
3

AndUE4Dumper

Android UE4 Dumper Tool
C++
141
star
4

KittyMemoryEx

Dedicated library for runtime code patching, injection and some useful memory utilities. works for both Android and Linux
C++
79
star
5

InputMsgCapture

Capture input events of any android application
C++
34
star