Riru

Inject into the zygote process by replacing libmemtrack.


Riru

Riru is a very simple but useful thing. It only requires replacing one system file, and in return it gives Riru modules the ability to run their code inside app processes and the system server process.

The name Riru comes from a character. (https://www.pixiv.net/member_illust.php?mode=medium&illust_id=74128856)

Requirements

  • Rooted Android 6.0+ device
  • Magisk (used to replace the system file; for now only a Magisk zip is provided)

How it works

In short: replace a shared library that the zygote process loads.

First we need to find such a library. It should be as simple as possible, and we found libmemtrack, which exports only 10 functions. We can then ship our own library named libmemtrack that provides all of those functions, so nothing that depends on it breaks, and our code gets loaded into the zygote process. Because every app process and the system server are forked from zygote, code loaded there ends up in all of them. (However, choosing libmemtrack no longer seems so appropriate.)

The next question is how to tell whether we are in an app process or the system server process. We found that certain JNI functions (com.android.internal.os.Zygote#nativeForkAndSpecialize and com.android.internal.os.Zygote#nativeForkSystemServer) are called when an app or the system server is forked, so we only need to replace those functions with our own. This part is simple: hook jniRegisterNativeMethods, because every Java native method in libandroid_runtime is registered through that function. Once the original registration has gone through, we call RegisterNatives again with our replacements, and the VM binds the Java methods to ours.
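To make the registration trick concrete, here is an added example in plain C that models it; it is illustrative code written for this page, not Riru's own sources. The JNINativeMethod struct mirrors the one in jni.h, but the registry, the single-int-argument fork_fn signature, the callback counters and the bystander method name "nativeOther" are stand-ins (assumptions) for the real VM, the real Zygote natives and real modules. The step the page does not describe, installing the hook on libandroid_runtime's exported jniRegisterNativeMethods inside zygote, is not shown; the example starts from the moment the hooked registrar receives the Zygote class's method table.

```c
#include <stddef.h>
#include <string.h>

/* Mirrors JNINativeMethod from jni.h: Java name, JNI signature, native fnPtr. */
typedef struct {
    const char *name;
    const char *signature;
    void       *fnPtr;
} JNINativeMethod;

/* Stand-in for the VM's per-class native table (JNIEnv->RegisterNatives).
 * A later RegisterNatives for the same class+name overrides the earlier
 * binding instead of adding a second entry; that is what the trick relies on. */
#define MAX_NATIVES 32
static struct { const char *cls; JNINativeMethod m; } registry[MAX_NATIVES];
static int registry_count;

static int RegisterNatives(const char *cls, const JNINativeMethod *methods, int n)
{
    for (int i = 0; i < n; i++) {
        int j;
        for (j = 0; j < registry_count; j++)
            if (strcmp(registry[j].cls, cls) == 0 &&
                strcmp(registry[j].m.name, methods[i].name) == 0)
                break;                      /* existing entry: overwrite it */
        if (j == registry_count) {
            if (registry_count == MAX_NATIVES) return -1;
            registry_count++;               /* new entry: append */
        }
        registry[j].cls = cls;
        registry[j].m   = methods[i];
    }
    return 0;
}

/* What the VM does when Java calls a native: resolve by class and name. */
static void *lookup_native(const char *cls, const char *name)
{
    for (int j = 0; j < registry_count; j++)
        if (strcmp(registry[j].cls, cls) == 0 && strcmp(registry[j].m.name, name) == 0)
            return registry[j].m.fnPtr;
    return NULL;
}

/* Stand-ins for the two Zygote natives. Assumption: one int argument and a
 * pid-like return (0 = we are in the child). The real ones take many more
 * parameters, but the interception logic below does not depend on them. */
typedef int (*fork_fn)(int uid);
static int real_nativeForkAndSpecialize(int uid) { (void)uid; return 0; }
static int real_nativeForkSystemServer(int uid)  { (void)uid; return 0; }

/* Originals captured from the registration table so our replacements can
 * still perform the real fork. */
static fork_fn orig_nativeForkAndSpecialize;
static fork_fn orig_nativeForkSystemServer;

/* Counters stand in for "run each module's callback in the new process". */
static int app_callbacks_run;
static int system_server_callbacks_run;

static int hooked_nativeForkAndSpecialize(int uid)
{
    int pid = orig_nativeForkAndSpecialize(uid);
    if (pid == 0) app_callbacks_run++;            /* inside the new app process */
    return pid;
}

static int hooked_nativeForkSystemServer(int uid)
{
    int pid = orig_nativeForkSystemServer(uid);
    if (pid == 0) system_server_callbacks_run++;  /* inside system_server */
    return pid;
}

#define ZYGOTE_CLASS "com/android/internal/os/Zygote"

/* Stand-in for libandroid_runtime's jniRegisterNativeMethods. */
static int real_jniRegisterNativeMethods(const char *cls, const JNINativeMethod *m, int n)
{
    return RegisterNatives(cls, m, n);
}

/* Installed in place of the real registrar. Let the original registration go
 * through, then register replacements for the two fork natives only. */
static int hooked_jniRegisterNativeMethods(const char *cls, const JNINativeMethod *m, int n)
{
    int rc = real_jniRegisterNativeMethods(cls, m, n);
    if (rc != 0 || strcmp(cls, ZYGOTE_CLASS) != 0) return rc;

    JNINativeMethod replacement[2];
    int k = 0;
    for (int i = 0; i < n; i++) {
        void *ours = NULL;
        if (strcmp(m[i].name, "nativeForkAndSpecialize") == 0) {
            orig_nativeForkAndSpecialize = (fork_fn)m[i].fnPtr;
            ours = (void *)hooked_nativeForkAndSpecialize;
        } else if (strcmp(m[i].name, "nativeForkSystemServer") == 0) {
            orig_nativeForkSystemServer = (fork_fn)m[i].fnPtr;
            ours = (void *)hooked_nativeForkSystemServer;
        }
        if (ours) {
            replacement[k].name = m[i].name;
            replacement[k].signature = m[i].signature;
            replacement[k].fnPtr = ours;
            k++;
        }
    }
    /* "call RegisterNatives again": the VM now binds the Java methods to ours. */
    return k ? RegisterNatives(cls, replacement, k) : 0;
}

/* Drives the scenario: zygote registers its table, then forks an app and the
 * system server. Returns how many fork natives ended up bound to our hooks. */
static int run_demo(void)
{
    JNINativeMethod table[] = {
        { "nativeForkAndSpecialize", "(I)I", (void *)real_nativeForkAndSpecialize },
        { "nativeForkSystemServer",  "(I)I", (void *)real_nativeForkSystemServer },
        { "nativeOther",             "()V",  NULL },  /* hypothetical bystander */
    };
    if (hooked_jniRegisterNativeMethods(ZYGOTE_CLASS, table, 3) != 0) return -1;

    int replaced = 0;
    fork_fn app = (fork_fn)lookup_native(ZYGOTE_CLASS, "nativeForkAndSpecialize");
    fork_fn sys = (fork_fn)lookup_native(ZYGOTE_CLASS, "nativeForkSystemServer");
    if (app == hooked_nativeForkAndSpecialize) replaced++;
    if (sys == hooked_nativeForkSystemServer) replaced++;
    if (app) app(10000);   /* Java-side Zygote forks an app */
    if (sys) sys(1000);    /* Java-side Zygote forks system_server */
    return replaced;
}
```

The point to notice is the ordering: the hook forwards the untouched table first, so every other Zygote native keeps its real binding, and only then re-registers the two fork methods. Because the VM resolves a native by class and name at call time, the second registration silently wins, and every process the Java side forks from then on starts life inside the replacement, which is where a module's code runs.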

Why Riru?

There is only one libmemtrack.so, so if someone replaces it to do one thing, nobody else can replace it to do another. So I made Riru take over libmemtrack and instead provide the ability to write modules on top of it.

Build

Run the gradle task :module:assembleRelease from Android Studio or the command line; the zip is saved to out.

Install

Install the zip in Magisk Manager.

Create your own module

View template

Main metrics

Overview
Name With Owner: RikkaApps/Riru
Primary Language: C++
Program language: Shell (Language Count: 5)
Platform: Android
License:
Owner activity
Created At: 2018-08-20 11:10:27
Pushed At: 2023-12-24 09:16:43
Last Commit At: 2023-12-24 17:16:42
Release Count: 80
Last Release Name: v26.1.7 (Posted on )
First Release Name: v2 (Posted on )
User engagement
Stargazers Count: 5.1k
Watchers Count: 195
Fork Count: 591
Commits Count: 533
Has Issues Enabled
Issues Count: 257
Issue Open Count: 1
Pull Requests Count: 39
Pull Requests Open Count: 0
Pull Requests Close Count: 8
Project settings
Has Wiki Enabled
Is Archived
Is Fork
Is Locked
Is Mirror
Is Private
