-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Zygisk & ZygiskNext are detected by Appdome, SingPass #24
Comments
Both detections are caused by ZygiskNext. It's not a bug. |
I was hoping for more information as to why, if we are exhaustively hiding everything possible? |
Some conversations had relating to this, not taking any credit ... but perhaps you can use this to help hide this particular detection:
Experienced KSU dev confirms it here:
|
Thanks for the information. One thing I've noticed is that with both ZygiskNext and Zygisk, there's always an extra read-write |
That item is libzygisk itself. It shouldn't be there if Zygisk itself is unloaded. |
This time it's not This has been on my to do list for quite a while but I'm just busy. |
I cannot reproduce it on Android 14. Also jit-cache maps can vary a lot across devices and environments. Mind posting maps with and without zygisk? |
@aviraxp Existing Zygisk implementations do something to the memfd. Could it be because they alter the file size to the module's size when they write the module to it? Both Magisk and Zygisk Next do this. The following environment will allow you to reproduce this behavior consistently:
# Zygisk disabled
$ adb shell 'su -c grep jit-cache /proc/$(pidof com.android.chrome)/maps'
56e62000-58e62000 r--s 00000000 00:01 309 /memfd:jit-cache (deleted)
58e62000-5ae62000 r-xs 02000000 00:01 309 /memfd:jit-cache (deleted)
7fcea6c00000-7fceaac00000 rw-s 00000000 00:01 309 /memfd:jit-cache (deleted)
# Zygisk enabled
$ adb shell 'su -c grep jit-cache /proc/$(pidof com.android.chrome)/maps'
56e71000-58e71000 r--s 00000000 00:01 1478 /memfd:jit-cache (deleted)
58e71000-5ae71000 r-xs 02000000 00:01 1478 /memfd:jit-cache (deleted)
7043e67db000-7043e87db000 rw-s 00000000 00:01 1478 /memfd:jit-cache (deleted)
7044395e8000-70443b5e8000 rw-s 02000000 00:01 1478 /memfd:jit-cache (deleted) For testing purposes, I've also attached the following module compiled: #include <unistd.h>
#include "zygisk.hpp"
using namespace zygisk;
class Module : public ModuleBase {
void onLoad(Api *api, JNIEnv *env) override { this->api = api; }
void preAppSpecialize(AppSpecializeArgs *args) override { api->setOption(Option::DLCLOSE_MODULE_LIBRARY); }
void preServerSpecialize(ServerSpecializeArgs *args) override { api->setOption(Option::DLCLOSE_MODULE_LIBRARY); }
Api *api;
};
REGISTER_ZYGISK_MODULE(Module) |
JIT shares dual view mapping: https://android.googlesource.com/platform/art/+/master/runtime/jit/jit_memory_region.cc#111 In theory, there should be two rw jit-cache mapping, one for non-executable code cache, and one for writable data cache. Maybe when there is no zygisk, these two sections are somehow continuous, thus we can only see one in maps. This may be due to the implementation of mmap and linker. I tested a few real devices, still cannot reliablely produce this behaviour.
|
I am far noobier when it comes to this stuff, but I am able to reproduce having this extra jit-cache entry with Zygisk installed on multiple phones. 🤔 |
It's not jit-cache, you can try with my latest artifact https://github.com/nitanmarcel/ZygiskNext/actions Also the extra jit-cache seems to be gone with LSPosed disabled |
Thanks for testing it out everyone. As @aviraxp also said, it's not consistent so I don't think it can be used for detecting Zygisk. I wasn't sure initially because I didn't have enough devices to test this behavior on. |
Actually it's gone now ~ ❱ adb shell 'su -c grep jit-cache /proc/$(pidof com.android.chrome)/maps' 18:46:07 |
yeah. i noticed something in liapp, more specifically in the PixelHunter game. It says that it detected |
Don't trust what liapp tells you. Its detection name is often wrong deliberately. |
Right, it was detecting /system/addon.d |
"2800000 ==MagiskManagerDetected" Credit goes to ApkUnpacker. Finding this proves useless though, because we don't have Magisk and I personally have all root/Sus apps hidden from this thing. Sharing incase it gets someone else thinking. Is there "heuristics" scanning yet that would detect and app that BEHAVES like Magisk Manager? 🤔 |
Maybe not |
Fixed in nitanmarcel/ZygiskFoss@3130705 Either wait for the action to finish and download the artifact or install this Zygisk-Next-v4-0.9.1.1-206-3130705-release.zip or you can build it yourself, which one makes you feel safer :) |
@privacyguy123 please test :) |
wait something is wrong xD |
We can't really fix the detection in the stock ZygiskNext since well, it's closed sourced xD so we start with little steps |
What I was getting at is that I can get this app to open across old and new versions, so we should test with the problem apps |
Hi. Could you pls clarify what is being fixed here? |
I also faced such a problem. But I'm using Magisk delta which is not open source. When injecting the zygisk module and not unloading it immediately, it is easily detected in maps files. Has anyone found a way to do this? |
Magisk Delta IS open source |
And yes, I just didn't see the code in the repository itself, so I thought it wasn't open source.... My bad) |
You can pass AppDome with Zygisk impl by ReZygisk: https://github.com/PerformanC/ReZygisk |
Describe the bug
At this point I have tried many combinations of things to beat this Appdome detection and I cannot make sense of it as installing your module beats one of their apps (Bet365 Authenticator) but not others (Kotaki Bank, Astrapay)
Steps To Reproduce
Context
I see that your module is also detected as "Futile Hide" inside Native Test v24
The text was updated successfully, but these errors were encountered: