Riru is a very simple but useful thing. Only requires to replace one system file, it will provide the ability to Riru modules to run their code in apps' or system server's process.
The name Riru coms from a charator. (https://www.pixiv.net/member_illust.php?mode=medium&illust_id=74128856)
- Rooted Android 6.0+ devices
- Magisk (use to replace system files, temporarily only provide Magisk zip)
In short, replace a shared library which will be loaded by the zygote process.
First, we need to find that library. The library needs to be as simple as possible, so we found libmemtrack, with only 10 exported functions. Then we can provide a library named libmemtrack with all its functions, so the functionality will not be affected and we will able to in the zygote process. (However, it seems that choose libmemtrack is not so appropriate now)
Now the next question, how to know if we are in an app process or a system server process.
We found some JNI functions (com.android.internal.os.Zygote#nativeForkAndSpecialize
& com.android.internal.os.Zygote#nativeForkSystemServer
) will be called when a app or system server is forked.
So we just need to replace these functions to ours. This part is simple, just hook jniRegisterNativeMethods
since all Java native method in libandroid_runtime is registered with this function.
Then we can call RegisterNatives
again to replace them.
There is only one libmemtrack.so
, if someone wants to do something by replacing it, others can't. So I made Riru occupy libmemtrack but provide the ability to make modules.
Android NDK (add the directory with ndk-build
to PATH
)
-
Magisk Module
Run
:riru-core:assembleMagiskRelease
task in the command line (usegradlew
) or Android Studio, zip will be saved torelease
- Copy
riru-module-template
and rename to your name - Change module name in
riru-your-module/jni/main/Android.mk
- Change module information in
build.gradle
- Write your code
- Run
:riru-your-module:assembleMagiskRelease
task in command line (usegradlew
) or Android Studio, zip will be saved torelease
- DO NOT overwrite
android.os.SystemProperties#native_set
in core, or your data may be wiped (Detail info) (If you really need to hook this, remember to clear exception) - DO NO print log (
__android_log_print
) innativeForkAndSpecialize(Pre/Post)
nativeForkSystemServer(Pre/Post)
when in zygote process, or it may cause zygote not work (magic not confirmed, Detail info) - Add
-ffixed-x18
to both compiler and linker parameter, or it will cause problems on Android Q (see template)
- Currently, one module version can only support one API version
- See template for details
- Add
api=4
toriru_module.prop
to declare API version - Check and deny installation if Riru version is below v19 in
config.sh
- Add
specializeAppProcessPre
specializeAppProcessPost
used by Android Q beta 3 (see template)
- Add
api=3
toriru_module.prop
to declare API version - Check and deny installation if Riru version is below v18 in
config.sh
- Parameter of
nativeForkAndSpecializePre
changes (compare to v2, addedjstring *packageName, jobjectArray *packagesForUID, jstring *sandboxId
in the end)
- Export
int getApiVersion() { return 2; }
to declare API version - Parameter of
nativeForkAndSpecializePre
changes (compare to v1, all parameter is pointer)
Current only support Magisk.
- Install core zip in Magisk
- Install module zip in Magisk
Riru-LocationReportEnabler (also a good example)