17

I've been using a few Android apps that hook onto another process, scan its allocated memory and edit it. Obviously, I was using it to mess around with some games.

Then, it got me thinking, "How are they doing it?" I know how to get the list of currently running apps but hooking onto another process and scanning and editing the process' memory are.. Beyond my knowledge.

It seems that I'd need some kind of "root" privileges to execute code like that but I don't mind. I just want to know how these app developers did it to sate my curiosity.

So.. Assuming root privileges are enabled..

1) How can I hook onto a currently running different app?

2) How can I scan its memory regions?

3) How can I edit its memory regions?

inb4 "Have you tried googling?"

I thought about it and did a tonne of Googling (1+ hours) but no results because the words "RAM" and "memory" just gives me stuff like how to track the current app's memory allocations and whatnot. In other words, not what I am looking for.

So, I finally turned to opening a thread here.

Justin AnyhowStep
  • 1,130
  • 3
  • 12
  • 19

2 Answers2

29

Putting this here for posterity

After a fair bit of research (read, 5 days straight), as far as Linux is concerned, one may attach to a process, read its memory and detach by simply doing this:

Heavily commented for the newbies like me, uncomment and whatever if you're better

#include <sys/ptrace.h> //For ptrace()
#include <sys/wait.h>   //For waitpid()

int main () {
    int pid     = 1337; //The process id you wish to attach to
    int address = 0x13371337; //The address you wish to read in the process

    //First, attach to the process
    //All ptrace() operations that fail return -1, the exceptions are
    //PTRACE_PEEK* operations
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        //Read the value of errno for details.
        //To get a human readable, call strerror()
        //strerror(errno) <-- Returns a human readable version of the
        //error that occurred
        return 0;
    }

    //Now, attaching doesn't mean we can read the value straight away
    //We have to wait for the process to stop
    int status;
    //waitpid() returns -1 on failure
    //W.I.F, not W.T.F
    //WIFSTOPPED() returns true if the process was stopped when we attached to it
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) {
        //Failed, read the value of errno or strerror(errno)
        return 0;
    }

    errno = 0; //Set errno to zero
    //We are about to perform a PTRACE_PEEK* operation, it is possible that the value
    //we read at the address is -1, if so, ptrace() will return -1 EVEN THOUGH it succeeded!
    //This is why we need to 'clear' the value of errno.
    int value = ptrace(PTRACE_PEEKDATA, pid, (void*)addr, NULL);
    if (value == -1 && errno != 0) {
        //Failed, read the value of errno or strerror(errno)
        return 0;
    } else {
        //Success! Read the value
    }

    //Now, we have to detach from the process
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return 0;
}

References:

http://linux.die.net/man/2/ptrace

http://linux.die.net/man/2/waitpid

How does this relate to editing Android app memory values?

Well, the headers for ptrace and wait exist in the Android NDK. So, to read/write an app's RAM, you will need native code in your app.

Also, ptrace() requires root privileges.

Why did it take you this long? I've never written this kind of code before.

Justin AnyhowStep
  • 1,130
  • 3
  • 12
  • 19
-7

As far as Linux is concerned, it's forbidden by kernel to modify other memory that belongs to other processes (by the way, this is why there are no viruses on Linux). What you are actually doing is editing Shared Preferences. They are written in plain text, and that means they can be edited if you have access to them(root). You can check out CheatDroid application at Play Store. Also, if you want to develop similar app yourself, you can also check this link to create your first root app. http://www.xda-developers.com/android/how-to-build-an-android-app-part-2-writing-a-root-app-xda-tv/

Marius
  • 810
  • 7
  • 20
  • 2
    Actually, I'm not. I am actually editing values found in memory. Examples include Game Killer, Game Guardian and GameCIH. These three modify the values in memory at desired addresses. – Justin AnyhowStep Apr 04 '14 at 05:44
  • No modern operating system allows one app to read other app's RAM memory. I've used GameCIH before, and can it simply changes values in SharedPreferences. – Marius Apr 04 '14 at 14:57
  • No, it isn't. I decided to reverse engineer 2 of the 3 apps since asking here seemed fruitless. What I found was that one was using a Shared Object (.so) file to run a process that did the heavy lifting while the other was using a binary with no file extension associated with it. I would assume it's also another .so file. – Justin AnyhowStep Apr 05 '14 at 12:55
  • I have yet to figure out *exactly* how they're hooking on to another app's process but it's got a lot to do with android.app.Instrumentation. I've never used that class before so I don't know the details. – Justin AnyhowStep Apr 05 '14 at 12:56
  • Also, http://msdn.microsoft.com/en-us/library/windows/desktop/ms680553(v=vs.85).aspx I'd say Windows is a modern operating system and it allows one to read another process' memory. – Justin AnyhowStep Apr 05 '14 at 13:04
  • 3
    I wouldn't have downoted if the answer was "One way to do this sort of thing is to modify shared preferences", versus saying "no you can't modify other processes memory", which is false :P – Alan Wolfe Sep 29 '16 at 18:40
  • 2
    You said "No modern operating system allows one app to read other app's RAM memory." which is totally wrong, in fact almost every modern operating system (GNU/Linux, Android, Windows) allows to read and write to other app RAM data. – morsisko Jul 04 '20 at 01:04