In Bionic linker, the soinfo structure has a field next, which points to the next loaded library in a linked list consisting of all loaded libraries.
Hence, an injected application can easily find all loaded libraries.
The following cases are considered as injections:
- some
soinfoobject has empty pathname; - the linked list of all
soinfohas gaps between elements, and such gap appears before specializeAppProcess.
See blog Android 用户态注入隐藏已死.
A call to dlclose will increase the counter g_module_unload_counter.
This detection highly depends on Android OS and vendor customization, which is shown to be false positive on Samsung and OnePlus.
- Zygisk of Magisk
- ZygiskNext
- ReZygisk (fixed by JingMatrix in PerformanC/ReZygisk#101)