AndKittyInjector

Android shared library injector based on ptrace, built with the help of KittyMemoryEx.

Requires C++17 or above.
On Android, run the injector from /data.

Support:

  • Tested on Android 5.0 ~ 16
  • ABI arm, arm64, x86, x86_64
  • Inject emulated arm64 & arm32 via libhoudini.so or libndk_translation.so
  • Inject multiple libs at once
  • Bypass android linker namespace restrictions
  • memfd dlopen support
  • Watch app launch and inject
  • Auto launch app and inject
  • Inject on dlopen breakpoint
  • Inject & Unload lib after entry point execution
  • Hide lib segments from /maps
  • Hide lib from native or emu linker solist (dladdr & dl_iterate_phdr)

How to use:

Make sure the binary is executable (chmod +x or chmod 755).

Usage: AndKittyInjector [--help] [--version] --package <Name> --libs <Paths>... [--launch] [--watch] [--bp] [--delay <Micros>] [--memfd] [--free] [--hide]

Optional arguments:
  -h, --help        shows help message and exits
  -v, --version     prints version information and exits
  --package <Name>  Target package name to inject into. [required]
  --libs            Libraries path to be injected. [nargs: 1 or more] [required]
  --launch          Launch process and inject.
  --watch           Monitor process start then inject.
  --bp              Inject after breakpoint hit.
  --delay <Micros>  Delay injection in microseconds.
  --memfd           Use memfd dlopen.
  --free            Unload library after entry point execution.
  --hide            Remove soinfo and remap library to anonymous memory.

Example:

# launching app and injecting 2 libs with 1 second delay
./AndKittyInjector --package com.target.package --libs path/to/lib1 path/to/lib2 --memfd --launch --delay 1000000

Notes:

  • Do not start a thread in the library constructor; use JNI_OnLoad instead:
#include <jni.h>
#include <thread>
// KITTY_LOGI is the logging macro provided by KittyMemoryEx.

// The library's own worker routine, defined elsewhere in the library.
void thread_function();

extern "C" jint JNIEXPORT JNI_OnLoad(JavaVM* vm, void *key)
{
    // The injector passes 1337 as the reserved argument; when JNI_OnLoad is
    // reached any other way, return early and do nothing.
    if (key != (void*)1337)
        return JNI_VERSION_1_6;

    KITTY_LOGI("JNI_OnLoad called by injector.");

    JNIEnv *env = nullptr;
    if (vm->GetEnv((void**)&env, JNI_VERSION_1_6) == JNI_OK)
    {
        KITTY_LOGI("JavaEnv: %p.", env);
        // ...
    }

    // Safe to start a thread here, unlike in the library constructor.
    std::thread(thread_function).detach();

    return JNI_VERSION_1_6;
}
  • When using --launch or --watch to inject as soon as the target app launches, you may also need --bp or --delay, especially when injecting an emulated lib.

  • If injection fails, the target app will be force-stopped.
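A defender-side counterpart to the --hide and --memfd features listed above, added here as an example and not part of AndKittyInjector: it parses a /proc/<pid>/maps dump and flags executable mappings with no on-disk backing (anonymous regions, memfd-backed or deleted files), which is what an injected-and-hidden library looks like from inside the process. The sample maps lines are constructed, and the ART JIT allowlist names are assumptions to be tuned against a clean device.

```python
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+(\d+)\s*(.*)$")

# Executable regions that are legitimately not file-backed. The ART JIT entries
# are assumed names: build this allowlist from a clean device before relying on it.
KNOWN_ANON_EXEC = {"[vdso]", "[vectors]", "[anon:dalvik-jit-code-cache]",
                   "/memfd:jit-cache (deleted)"}

@dataclass
class Finding:
    start: int
    end: int
    reason: str
    path: str

def scan_maps(maps_text: str) -> list:
    """Flag executable mappings with no on-disk backing: anonymous regions (what
    --hide leaves behind), memfd-backed files (--memfd) and deleted files."""
    findings = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m or "x" not in m.group(3):
            continue  # unparsable or not executable: ignore
        start, end, _perms, inode, path = m.groups()
        if path in KNOWN_ANON_EXEC:
            continue
        if inode == "0" and (path == "" or path.startswith("[anon:")):
            reason = "anonymous executable mapping"
        elif path.startswith("/memfd:"):
            reason = "memfd-backed executable mapping"
        elif path.endswith("(deleted)"):
            reason = "executable mapping backed by a deleted file"
        else:
            continue
        findings.append(Finding(int(start, 16), int(end, 16), reason, path))
    return findings

# Constructed sample, not a real device dump: libc, a bare anonymous r-x region,
# a JIT cache, a memfd-backed library and a non-executable anonymous region.
SAMPLE_MAPS = """\
7b1c000000-7b1c1f0000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so
7b1d000000-7b1d010000 r-xp 00000000 00:00 0
7b1e000000-7b1e020000 r-xp 00000000 00:00 0 [anon:dalvik-jit-code-cache]
7b1f000000-7b1f030000 r-xp 00000000 00:05 77 /memfd:example_lib (deleted)
7b20000000-7b20004000 r--p 00000000 00:00 0
"""
```

A hit is a lead, not proof: JIT caches and other runtime-generated code also live in anonymous executable memory, so the allowlist must be validated per device and Android version before the check is used as a signal.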

Compile:

  • Make sure the NDK, cmake and make are installed and added to the OS PATH.
  • Set NDK_HOME to point to the NDK folder, then:
git clone --recursive https://github.com/MJx0/AndKittyInjector.git
cd AndKittyInjector/AndKittyInjector
ndk-build.bat

Credits:

  • arminject
  • injectvm-binderjack
  • TinyInjector
  • am_proc_start

About

Inject a shared library into a process using ptrace

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 2

  •  
  •