False positive when run on x86 architecture

[flikkr]

Firstly, thanks for the repo. I wanted to try and get this sample project to run on 32-bit architecture since it would just crash on older devices, so I added x86 to the list of valid ABIs in build.gradle.

...
ndk {
     abiFilters 'arm64-v8a', 'armeabi-v7a', 'x86_64', 'x86'
}
...

Because of that, all system calls using the my_ prefix are broken once we try to run in x86. After removing all the my_ prefixes from the system calls, the sample app seems to be working as expected except for the check in the detect_frida_memdiskcompare function. The logs indicate that the libc library has a mismatching checksum despite the device being clean. I encountered this issue when running the app on a Pixel 4 emulator on x86 ABI with API version 30. This checksum mismatch did not occur on different x86 emulator running on API 29. Any idea what could be causing this?

Logcat

2022-12-27 18:10:33.630 7534-7561/com.darvin.security V/DetectFrida: Map [b9c26000-b9c29000 r-xp 00000000 fd:05 49183                              /data/app/~~CdhyIBdGvW9M9-2j_yxpNg==/com.darvin.security-HX80p3_DA5ykyXtiMkYaKQ==/lib/x86/libnative-lib.so]
2022-12-27 18:10:33.630 7534-7561/com.darvin.security V/DetectFrida: Checksum:[44199][44199]
2022-12-27 18:10:33.630 7534-7561/com.darvin.security V/DetectFrida: Checksum:[494221][494221]
2022-12-27 18:10:33.630 7534-7561/com.darvin.security V/DetectFrida: Map [b9c29000-b9c2a000 r--p 00002000 fd:05 49183                              /data/app/~~CdhyIBdGvW9M9-2j_yxpNg==/com.darvin.security-HX80p3_DA5ykyXtiMkYaKQ==/lib/x86/libnative-lib.so]
2022-12-27 18:10:33.630 7534-7561/com.darvin.security V/DetectFrida: Map [b9c2a000-b9c2b000 rw-p 00003000 fd:05 49183                              /data/app/~~CdhyIBdGvW9M9-2j_yxpNg==/com.darvin.security-HX80p3_DA5ykyXtiMkYaKQ==/lib/x86/libnative-lib.so]
2022-12-27 18:10:33.806 7534-7561/com.darvin.security V/DetectFrida: Map [e5e61000-e5ea3000 r--p 00000000 07:60 17                                 /apex/com.android.runtime/lib/bionic/libc.so]
2022-12-27 18:10:33.806 7534-7561/com.darvin.security V/DetectFrida: Map [e5ea3000-e5f4f000 r-xp 00041000 07:60 17                                 /apex/com.android.runtime/lib/bionic/libc.so]
2022-12-27 18:10:33.808 7534-7561/com.darvin.security V/DetectFrida: Checksum:[67333658][67435579]
2022-12-27 18:10:33.808 7534-7561/com.darvin.security V/DetectFrida: Executable Section Manipulated, maybe due to Frida or other hooking framework.Act Now!!!
2022-12-27 18:10:33.808 7534-7561/com.darvin.security V/DetectFrida: Checksum:[1008449][1051236]
2022-12-27 18:10:33.809 7534-7561/com.darvin.security V/DetectFrida: Executable Section Manipulated, maybe due to Frida or other hooking framework.Act Now!!!
2022-12-27 18:10:33.809 7534-7561/com.darvin.security V/DetectFrida: Map [e5f4f000-e5f52000 r--p 000ec000 07:60 17                                 /apex/com.android.runtime/lib/bionic/libc.so]
2022-12-27 18:10:33.809 7534-7561/com.darvin.security V/DetectFrida: Map [e5f52000-e5f54000 rw-p 000ee000 07:60 17                                 /apex/com.android.runtime/lib/bionic/libc.so]

[darvincisec]

Hi,
This needs to be investigated. Do you see a false positive on arm32 device as well ?

[flikkr]

Hi @darvincisec, sorry for the delayed response. I tried running on arm32 device and no false positives occured. It seems like it only happens on this one emulator configuration. Tried recreating a fresh emulator with the same configuration and still getting the "Executable Section Manipulated" message.

[flikkr]

Hi @darvincisec, do you have any additional information or insights to share regarding this issue? I'm open to working on it but not sure where to start.

[sektr63a]

@flikkr Hi. Did you find a solution?

[flikkr]

@sektr63a unfortunately no

[Nastya1808]

Unfortunately this happens not only on a specific emulator. This check does not work on a wide range of devices according to our logging information. Needs to be investigated for sure.

[Nastya1808]

I have the same problem. We implemented the detect_frida_memdiskcompare check in our app and are now receiving approximately 12 million log events per week.
Top device model affected: 23028RNCAG, RMX3690, 2305EPCC4G, RMX3581, SM-A135F, RMX3231, 220733SFG, 23129RN51X, SM-A032F, SM-A105F. Most of these devices run on Cortex-A55, A57, or A53 CPUs, which are based on ARMv8.x architecture and support both aarch64 and aarch32.

I personally checked on a Samsung A13 (where the bug is reproduced), and it appears to use a 32-bit libc.so. This is the only noticeable difference compared to other devices.

I also debugged the function and the reason is that checksum of the executable section is not matching as mentioned in the connected issues. I suppose it may be connected with the system's architecture of CPUs like Cortex-A55 and A57.

Update: The process runs in a 32-bit environment too, so now I don't know. I only see that something goes wrong with the executable section range; it occurs before the beginning of the section start:
((unsigned long) buffer + pElfSectArr->offset[i]) < start.