From 872ba693a1ccf8d3680d7516d3bb7e241ea9bcb4 Mon Sep 17 00:00:00 2001
From: ThePedroo
Date: Tue, 15 Jul 2025 03:41:48 -0300
Subject: [PATCH] remove: futile maps hiding

This commit removes the maps hiding, as it not only breaks behavior compatibility with Magisk Zygisk (original), but also can break some modules because of that. It doesn't provide any improved hiding in slightly better detections and makes the codebase more complex.
---
 loader/src/injector/entry.cpp | 2 +-
 loader/src/injector/hook.cpp | 42 ++++------------------------------
 loader/src/injector/zygisk.hpp | 2 +-
 3 files changed, 6 insertions(+), 40 deletions(-)

diff --git a/loader/src/injector/entry.cpp b/loader/src/injector/entry.cpp
index 295db9f..0a6796e 100644
--- a/loader/src/injector/entry.cpp
+++ b/loader/src/injector/entry.cpp
@@ -24,6 +24,6 @@ void entry(void* addr, size_t size, const char* path) {
 hook_functions();
 void *module_addrs[1] = { addr };
- clean_trace(path, module_addrs, 1, 1, 0, false);
+ clean_trace(path, module_addrs, 1, 1, 0);
 send_seccomp_event();
 }
diff --git a/loader/src/injector/hook.cpp b/loader/src/injector/hook.cpp
index 891dcd1..50fd156 100644
--- a/loader/src/injector/hook.cpp
+++ b/loader/src/injector/hook.cpp
@@ -680,7 +680,7 @@ void ZygiskContext::run_modules_post() {
 module_addrs[i++] = m.getEntry();
 }
- clean_trace("/data/adb", module_addrs, modules.size(), modules.size(), modules_unloaded, true);
+ clean_trace("/data/adb", module_addrs, modules.size(), modules.size(), modules_unloaded);
 }
 }
@@ -934,53 +934,19 @@ static void hook_register(dev_t dev, ino_t inode, const char *symbol, void *new_
 PLT_HOOK_REGISTER_SYM(DEV, INODE, #NAME, NAME)
 /* INFO: module_addrs_length is always the same as "load" */
-void clean_trace(const char *path, void **module_addrs, size_t module_addrs_length, size_t load, size_t unload, bool spoof_maps) {
+void clean_trace(const char *path, void **module_addrs, size_t module_addrs_length, size_t load, size_t unload) {
 LOGD("cleaning trace for path %s", path);
 if (load > 0 || unload > 0) solist_reset_counters(load, unload);
 LOGD("Dropping solist record for %s", path);
- bool any_dropped = false;
 for (size_t i = 0; i < module_addrs_length; i++) {
- bool local_any_dropped = solist_drop_so_path(module_addrs[i]);
- if (!local_any_dropped) continue;
-
- any_dropped = true;
+ bool has_dropped = solist_drop_so_path(module_addrs[i]);
+ if (!has_dropped) continue;
 LOGD("Dropped solist record for %p", module_addrs[i]);
 }
-
- if (!any_dropped || !spoof_maps) return;
-
- LOGD("spoofing virtual maps for %s", path);
-
- /* INFO: Spoofing maps names is futile, after all it will
- still show up in /proc/self/(s)maps but with a
- different name, however still detectable by
- checking the permissions. This, however, avoids
- just checking for "zygisk".
*/
-
- /* TODO: Use SoList to map through libraries to avoid open /proc/self/maps here */
- for (auto &map : lsplt::MapInfo::Scan()) {
- if (strstr(map.path.c_str(), path) && strstr(map.path.c_str(), "libzygisk") == 0)
- {
- void *addr = (void *)map.start;
- size_t size = map.end - map.start;
- void *copy = mmap(nullptr, size, PROT_WRITE, MAP_ANONYMOUS | MAP_SHARED, -1, 0);
- if (copy == MAP_FAILED) {
- LOGE("failed to backup block %s [%p, %p]", map.path.c_str(), addr, (void*)map.end);
- continue;
- }
-
- if ((map.perms & PROT_READ) == 0) {
- mprotect(addr, size, PROT_READ);
- }
- memcpy(copy, addr, size);
- mprotect(copy, size, map.perms);
- mremap(copy, size, size, MREMAP_MAYMOVE | MREMAP_FIXED, addr);
- }
- }
 }
 void hook_functions() {
diff --git a/loader/src/injector/zygisk.hpp b/loader/src/injector/zygisk.hpp
index 4b82768..4fde442 100644
--- a/loader/src/injector/zygisk.hpp
+++ b/loader/src/injector/zygisk.hpp
@@ -7,6 +7,6 @@ extern size_t block_size;
 void hook_functions();
-void clean_trace(const char *path, void **module_addrs, size_t module_addrs_length, size_t load, size_t unload, bool spoof_maps);
+void clean_trace(const char *path, void **module_addrs, size_t module_addrs_length, size_t load, size_t unload);
 extern "C" void send_seccomp_event();
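Review bot: In `clean_trace` (loader/src/injector/hook.cpp, second hunk) the `path` argument is now read only by the two `LOGD` calls, because the map scan that matched on it is gone and records are dropped purely by the addresses in `module_addrs`. The retained comment also says `module_addrs_length` always equals `load`, so the signature still carries one log-only and one redundant parameter; since this patch already edits both call sites and the declaration in zygisk.hpp, it would be worth stating that above the definition, e.g. `/* INFO: path is only used in log messages; records are dropped by address */`. If `LOGD` expands to nothing in release builds (not visible here), `path` would additionally become an unused parameter there. With `any_dropped` removed, a `solist_drop_so_path` call that returns false is skipped without a trace in the log; adding `LOGD("No solist record dropped for %p", module_addrs[i]);` before the `continue` would keep a failed drop distinguishable from a successful one.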