Forem: Jack Sparrow The latest articles on Forem by Jack Sparrow (@jack_sparrow_2386c07e8b94). https://forem.com/jack_sparrow_2386c07e8b94 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3603086%2F3f3dbe26-6719-4fa7-857e-6233515cb9e7.jpg Forem: Jack Sparrow https://forem.com/jack_sparrow_2386c07e8b94 en Stealth Inline Hook Detection via LR Return Address Jack Sparrow Sat, 13 Dec 2025 03:15:49 +0000 https://forem.com/jack_sparrow_2386c07e8b94/stealth-inline-hook-detection-via-lr-return-address-52c5 https://forem.com/jack_sparrow_2386c07e8b94/stealth-inline-hook-detection-via-lr-return-address-52c5 <h2> 1. Background: Why Traditional Inline Hook Detection Fails </h2> <p>Inline hook detection on Android commonly relies on:</p> <ol> <li><p><strong>CRC or code hash verification</strong></p></li> <li><p><strong>Comparing function prologue bytes</strong> (e.g., detecting LDR/BR trampolines)</p></li> </ol> <p>However, these methods have major weaknesses:</p> <ul> <li><p>They <strong>read code pages</strong>, which makes them easily traceable with memory breakpoints.</p></li> <li><p>Attackers can hook the detection function itself.</p></li> <li><p>Their “signatures” are well known and easy to bypass.</p></li> </ul> <p>Thus they are <strong>visible</strong> and <strong>high-risk</strong> in real offensive–defensive scenarios.</p> <h2> 2. Core Idea: Detecting Hooks via the LR (Return Address) </h2> <p>This article introduces a <strong>stealth and cross-platform</strong> method that doesn't read any instructions, doesn't scan memory, and is extremely difficult for Frida to bypass.</p> <h3> ✔ Why LR works </h3> <p>Inline hook frameworks (Frida, Dobby, xhook, etc.) must:</p> <ul> <li><p>overwrite the <strong>LR register</strong></p></li> <li><p>redirect <code>RET</code> to a trampoline stored in a custom allocated memory page (not inside the original module)</p></li> </ul> <p>Thus:</p> <h3> ➜ <strong>If a function’s LR is outside its module’s memory range → it is inline-hooked.</strong> </h3> <p>This approach:</p> <ul> <li><p>Does not read <code>.text</code> code section</p></li> <li><p>Cannot be traced via hardware breakpoints</p></li> <li><p>Works on ARM64 and x86_64</p></li> </ul> <h2> 3. Detection Pipeline </h2> <h3> Step 1 — Retrieve current module range </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>static uint64_t g_begin = 0; static uint64_t g_end = 0; __attribute__((constructor)) static void init_module_range() { Dl_info info; if (dladdr((void*)init_module_range, &amp;info)) { g_begin = (uint64_t)info.dli_fbase; g_end = g_begin + get_module_size(info.dli_fname); } } </code></pre> </div> <h3> Step 2 — Read LR via ARM64 inline assembly </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>__attribute__((alwaysinline)) uint64_t get_lr() { uint64_t lr; asm volatile( "mov x10, x29 \n" "ldr %0, [x10, #8]\n" : "=r"(lr) : : "x10" ); return lr; } </code></pre> </div> <h3> Step 3 — Detect inline hook </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>void check_inline_hook() { uint64_t lr = get_lr(); if (lr &lt; g_begin || lr &gt; g_end) { LOGD("[!] Inline-hook detected. lr = %llx", lr); } else { LOGD("[+] Function not hooked."); } } </code></pre> </div> <h2> 4. Advanced Protection: Stack Corruption &amp; Anti-Analysis </h2> <p>To make debugging nearly impossible:</p> <ol> <li><p>detect hook</p></li> <li><p>overwrite stack (FP → FP+2048)</p></li> <li><p>jump to an invalid address<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>void anti_debug_crash() { uint64_t fp; asm volatile("mov %0, x29" : "=r"(fp)); memset((void*)fp, 0xCC, 2048); ((void(*)())0x12345678)(); } </code></pre> </div> <p>This destroys stack traces and prevents reverse engineering of your protection logic.</p> <h2> 5. Conclusion </h2> <p>This LR-based inline hook detection method:</p> <ul> <li><p>does not read code pages</p></li> <li><p>is nearly breakpoint-proof</p></li> <li><p>detects Frida, Dobby, xhook, and other trampoline mechanisms</p></li> <li><p>works on Android and Windows</p></li> </ul> <p>It offers a new direction for mobile security, anti-cheat systems, and runtime protection.</p> <p>I’m H.<br> Six years deep in Android reversing.<br> Is this sword sharp today?<br> — H</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5mxncebnkbrdy02pu05w.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5mxncebnkbrdy02pu05w.jpg" alt="Image description style=" width="784" height="1168"></a></p> android security inlinehook detection You Thought Frida Was Stealth When Not Attached? Dirty Pages Beg to Differ Jack Sparrow Wed, 03 Dec 2025 14:31:37 +0000 https://forem.com/jack_sparrow_2386c07e8b94/you-thought-frida-was-stealth-when-not-attached-dirty-pages-beg-to-differ-8f6 https://forem.com/jack_sparrow_2386c07e8b94/you-thought-frida-was-stealth-when-not-attached-dirty-pages-beg-to-differ-8f6 <p>All the classic Frida checks in 2025 — maps, thread names, CRC, ports — are dead.<br><br> Today I’m dropping the one that still kills 99 % of setups: <strong>Dirty-Page Detection</strong>.</p> <p>Key point: <strong>As long as frida-server is running on the device — even if it never attaches to your app — you can detect it globally.</strong></p> <h3> Why Dirty-Page Detection Is Almost Unbypassable </h3> <p>To listen for zygote forks and signals, frida-server inline-hooks three critical modules inside <strong>system_server</strong>:</p> <ul> <li>libc.so</li> <li>libselinux.so</li> <li>libandroid_runtime.so</li> </ul> <p>Inline-hooking the read-only .text section triggers <strong>Copy-On-Write</strong>.<br><br> The original file-backed pages become <strong>private dirty pages</strong>.<br><br> Even if Frida later restores the original bytes in the on_leave callback, the pages stay private forever.</p> <p>That’s the permanent fingerprint we hunt.</p> <h3> Method 1 – smaps file detection </h3> <p>Sample code is used to demonstrate the thought process.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">re</span> <span class="k">def</span> <span class="nf">frida_detected_smaps</span><span class="p">():</span> <span class="n">targets</span> <span class="o">=</span> <span class="p">[</span><span class="sh">'</span><span class="s">libc.so</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">libselinux.so</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">libandroid_runtime.so</span><span class="sh">'</span><span class="p">]</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">/proc/self/smaps</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">smaps</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="k">for</span> <span class="n">lib</span> <span class="ow">in</span> <span class="n">targets</span><span class="p">:</span> <span class="c1"># Find the library mapping </span> <span class="n">pos</span> <span class="o">=</span> <span class="n">smaps</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="n">lib</span><span class="p">)</span> <span class="k">if</span> <span class="n">pos</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">:</span> <span class="k">continue</span> <span class="n">segment</span> <span class="o">=</span> <span class="n">smaps</span><span class="p">[</span><span class="n">pos</span><span class="p">:</span><span class="n">pos</span><span class="o">+</span><span class="mi">800</span><span class="p">]</span> <span class="c1"># Private_Dirty &gt; 0 → COW happened → Frida was here </span> <span class="k">if</span> <span class="sh">'</span><span class="s">Private_Dirty:</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">segment</span><span class="p">:</span> <span class="n">dirty</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">Private_Dirty:\s+(\d+)</span><span class="sh">'</span><span class="p">,</span> <span class="n">segment</span><span class="p">)</span> <span class="k">if</span> <span class="n">dirty</span> <span class="ow">and</span> <span class="nf">int</span><span class="p">(</span><span class="n">dirty</span><span class="p">.</span><span class="nf">group</span><span class="p">(</span><span class="mi">1</span><span class="p">))</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">return</span> <span class="bp">False</span> </code></pre> </div> <h3> Method 2 – pagemap (nuclear option, bit 61) </h3> <p>Linux pagemap entry (64 bit):bit 63 → page present<br><br> bit 61 → soft-dirty (set on COW)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">struct</span><span class="p">,</span> <span class="n">ctypes</span> <span class="k">def</span> <span class="nf">page_is_dirty</span><span class="p">(</span><span class="n">vaddr</span><span class="p">):</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="sh">'</span><span class="s">/proc/self/pagemap</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">rb</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="n">f</span><span class="p">.</span><span class="nf">seek</span><span class="p">((</span><span class="n">vaddr</span> <span class="o">//</span> <span class="mi">4096</span><span class="p">)</span> <span class="o">*</span> <span class="mi">8</span><span class="p">)</span> <span class="n">entry</span> <span class="o">=</span> <span class="n">struct</span><span class="p">.</span><span class="nf">unpack</span><span class="p">(</span><span class="sh">'</span><span class="s">Q</span><span class="sh">'</span><span class="p">,</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="mi">8</span><span class="p">))[</span><span class="mi">0</span><span class="p">]</span> <span class="n">present</span> <span class="o">=</span> <span class="p">(</span><span class="n">entry</span> <span class="o">&gt;&gt;</span> <span class="mi">63</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mi">1</span> <span class="n">soft_dirty</span> <span class="o">=</span> <span class="p">(</span><span class="n">entry</span> <span class="o">&gt;&gt;</span> <span class="mi">61</span><span class="p">)</span> <span class="o">&amp;</span> <span class="mi">1</span> <span class="c1"># ← this is the killer bit </span> <span class="k">return</span> <span class="n">present</span> <span class="o">==</span> <span class="mi">1</span> <span class="ow">and</span> <span class="n">soft_dirty</span> <span class="o">==</span> <span class="mi">1</span> <span class="c1"># Example: check fork() </span><span class="n">libc</span> <span class="o">=</span> <span class="n">ctypes</span><span class="p">.</span><span class="nc">CDLL</span><span class="p">(</span><span class="sh">'</span><span class="s">libc.so</span><span class="sh">'</span><span class="p">)</span> <span class="n">fork_addr</span> <span class="o">=</span> <span class="n">ctypes</span><span class="p">.</span><span class="nf">cast</span><span class="p">(</span><span class="n">libc</span><span class="p">.</span><span class="n">fork</span><span class="p">,</span> <span class="n">ctypes</span><span class="p">.</span><span class="n">c_void_p</span><span class="p">).</span><span class="n">value</span> <span class="nf">print</span><span class="p">(</span><span class="nf">page_is_dirty</span><span class="p">(</span><span class="n">fork_addr</span><span class="p">))</span> <span class="c1"># True → Frida present # you can add more function for detection, such as : vfork/opendir/abort/closedir/close/signal/sigaction/exit </span></code></pre> </div> <h1> Bottom LineIn </h1> <p>2025, if you’re still checking /proc/self/maps or thread names, you’re fighting 2022 battles.<br> Dirty-page detection is the current meta.</p> <p>I’m H.<br> Six years deep in Android reversing.<br> The real game has just started.<br> — H</p> frida android security detection