MJx0/AndKittyInjector
AndKittyInjector

Android shared library injector based on ptrace, built with the help of KittyMemoryEx.

Requires C++17 or above.
On Android, run the injector from /data.

Support:

  • Tested on Android 5.0 ~ 16
  • ABI arm, arm64, x86, x86_64
  • Inject emulated arm64 & arm32 via libhoudini.so or libndk_translation.so
  • Inject multiple libs at once
  • Bypass android linker namespace restrictions
  • memfd dlopen support
  • Watch app launch and inject
  • Auto launch app and inject
  • Inject on dlopen breakpoint
  • Inject & Unload lib after entry point execution
  • Hide lib segments from /maps
  • Hide lib from native or emu linker solist (dladdr & dl_iterate_phdr)

How to use:

Make sure the binary is executable (chmod +x or chmod 755).

```
Usage: AndKittyInjector [--help] [--version] --package <name> --libs <paths>... [--launch] [--watch] [--bp] [--delay <micros>] [--memfd] [--free] [--hide]

Optional arguments:
  -h, --help        shows help message and exits
  -v, --version     prints version information and exits
  --package <name>  Target package name to inject into. [required]
  --libs            Libraries path to be injected. [nargs: 1 or more] [required]
  --launch          Launch process and inject.
  --watch           Monitor process start then inject.
  --bp              Inject after breakpoint hit.
  --delay <micros>  Delay injection in microseconds.
  --memfd           Use memfd dlopen.
  --free            Unload library after entry point execution.
  --hide            Remove soinfo and remap library to anonymouse memory.
```
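The --hide option removes the library's soinfo and remaps its segments to anonymous memory, which is why the lib no longer appears under its path in /proc/self/maps. The flip side is what an app's own integrity check can look for: an executable mapping that is backed by no file and carries no name. The following is an added example for that defender-side check; it is not part of AndKittyInjector or KittyMemoryEx. It assumes the standard Linux /proc/<pid>/maps line layout, and the sample lines, the function names and the "unnamed executable mapping" heuristic are all constructed for this illustration. ART's JIT code cache is a named anonymous region ("[anon:...]"), so it is skipped, but other JITs or packers may also produce unnamed executable memory, so a hit is a signal to investigate rather than proof of injection.

```c
#include <stdio.h>
#include <string.h>

/* One parsed /proc/<pid>/maps line (hypothetical helper type for this example). */
typedef struct {
    unsigned long start, end;
    char perms[5];   /* e.g. "r-xp" */
    char path[256];  /* empty when the mapping is anonymous and unnamed */
} map_entry_t;

/* Parse "start-end perms offset dev inode [pathname]".
   Returns 1 on success, 0 if the line does not have the maps layout. */
int parse_maps_line(const char *line, map_entry_t *out)
{
    unsigned long offset, inode;
    char dev[16];
    int consumed = 0;
    memset(out, 0, sizeof(*out));
    if (sscanf(line, "%lx-%lx %4s %lx %15s %lu%n",
               &out->start, &out->end, out->perms, &offset, dev, &inode,
               &consumed) != 6)
        return 0;
    /* Whatever follows the inode column is the pathname, possibly absent. */
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t n = strcspn(p, "\r\n");
    if (n >= sizeof(out->path))
        n = sizeof(out->path) - 1;
    memcpy(out->path, p, n);
    out->path[n] = '\0';
    return 1;
}

/* Heuristic: executable and backed by neither a file nor a named region.
   A library remapped into plain anonymous memory looks exactly like this;
   named regions such as "[anon:dalvik-jit-code-cache]" are deliberately skipped. */
int looks_like_hidden_lib(const map_entry_t *e)
{
    return e->perms[2] == 'x' && e->path[0] == '\0';
}

/* Count flagged entries in a buffer of maps-formatted lines. */
int count_hidden_lib_candidates(const char *maps_text)
{
    int hits = 0;
    const char *line = maps_text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        map_entry_t e;
        if (len >= sizeof(buf))
            len = sizeof(buf) - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (parse_maps_line(buf, &e) && looks_like_hidden_lib(&e))
            hits++;
        if (!nl)
            break;
        line = nl + 1;
    }
    return hits;
}

/* Live variant for the running process; returns -1 if /proc is unavailable. */
int scan_self_maps(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char buf[512];
    map_entry_t e;
    int hits = 0;
    if (!f)
        return -1;
    while (fgets(buf, sizeof(buf), f)) {
        if (parse_maps_line(buf, &e) && looks_like_hidden_lib(&e)) {
            hits++;
            fprintf(stderr, "unnamed executable mapping %lx-%lx\n", e.start, e.end);
        }
    }
    fclose(f);
    return hits;
}

/* Constructed sample (not captured from a real device): a normal library, an
   anonymous data mapping, an unnamed executable mapping, ART's JIT cache and
   the stack. Only the third line should be flagged. */
const char *SAMPLE_MAPS =
    "7f1a2b000000-7f1a2b1f0000 r-xp 00000000 fd:01 123456 /system/lib64/libc.so\n"
    "7f1a2c000000-7f1a2c010000 rw-p 00000000 00:00 0 \n"
    "7f1a2d000000-7f1a2d020000 r-xp 00000000 00:00 0 \n"
    "7f1a2e000000-7f1a2e100000 r-xp 00000000 00:00 0 [anon:dalvik-jit-code-cache]\n"
    "7ffd12340000-7ffd12361000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    printf("flagged in sample: %d\n", count_hidden_lib_candidates(SAMPLE_MAPS));
    printf("flagged in this process: %d\n", scan_self_maps());
    return 0;
}
```

Pairing this with a dl_iterate_phdr walk closes the other gap the tool's solist hiding opens: a region that is executable in maps but reported by no loaded object is the combination worth alerting on, and comparing the two lists is cheaper than hashing every library.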

Example:

```sh
# launching app and injecting 2 libs with 1 second delay
./AndKittyInjector --package com.target.package --libs path/to/lib1 path/to/lib2 --memfd --launch --delay 1000000
```

Notes:

  • Do not start a thread in the library constructor; start it from JNI_OnLoad instead:
```cpp
#include <jni.h>
#include <thread>
#include <android/log.h>

// KITTY_LOGI is KittyMemoryEx's logging macro; this fallback is only used
// when that header is not included in the build.
#ifndef KITTY_LOGI
#define KITTY_LOGI(...) __android_log_print(ANDROID_LOG_INFO, "InjectedLib", __VA_ARGS__)
#endif

// Worker started from JNI_OnLoad rather than from the library constructor.
static void thread_function()
{
    KITTY_LOGI("worker thread running.");
}

extern "C" jint JNIEXPORT JNI_OnLoad(JavaVM* vm, void *key)
{
    // key 1337 is passed by injector
    if (key != (void*)1337)
        return JNI_VERSION_1_6;

    KITTY_LOGI("JNI_OnLoad called by injector.");

    JNIEnv *env = nullptr;
    if (vm->GetEnv((void**)&env, JNI_VERSION_1_6) == JNI_OK)
    {
        KITTY_LOGI("JavaEnv: %p.", env);
        // ...
    }

    std::thread(thread_function).detach();

    return JNI_VERSION_1_6;
}
```
  • When using --launch or --watch to inject as soon as the target app launches, you may also need --bp or --delay, especially when injecting an emulated lib.

  • If injection fails, the target app is force stopped.

Compile:

  • Make sure NDK, cmake and make are installed and on the OS PATH.
  • Set NDK_HOME to point to the NDK folder.
```sh
git clone --recursive https://github.com/MJx0/AndKittyInjector.git
cd AndKittyInjector/AndKittyInjector
ndk-build.bat
```

Credits:

  • arminject
  • injectvm-binderjack
  • TinyInjector
  • am_proc_start
