Commit 582c38a

author
ng
committed
Update README.MD
1 parent e50d3d4 commit 582c38a

File tree

1 file changed

+27
-24
lines changed


README.MD

Lines changed: 27 additions & 24 deletions
@@ -11,7 +11,7 @@ Since it's operating within ramdisk, this tool can bypass most root checks, inte
1111
Unlike its predecessor, this rootkit can bypass SafetyNet, since it doesn't need to modify system partition. \
1212
However, it can't bypass hardware checks, such as hardware-backed SafetyNet on newer devices.
1313

14-
The daemon launches arbitrary executable in loop, while providing cover and execution control.
14+
The daemon launches arbitrary executable from RAM, while providing cleanup, cover, and execution control.
1515
It runs silently and normally leaves no traces in _dmesg_, _logcat_, etc., unlike regular services run by _init_ in loop.
1616

1717
FURA uses SELinux to its own advantage: not only to bypass stock policy restrictions, but to hide itself from the rest of the system.
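Review bot: the unchanged sentence "unlike regular services run by _init_ in loop" still draws its contrast against a loop, but the rewritten line above it no longer says the daemon runs anything in a loop, so the comparison has lost its referent; reword it to match the new description (e.g. "unlike regular services started by _init_"). The new word "cleanup" is also left undefined in this hunk; a short phrase on what is cleaned up and when would keep it from reading as a slogan. Finally, "normally leaves no traces in _logcat_" should be qualified, because the Limitations section of the same README already admits that _logcat_ may log a random service name on boot.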
@@ -26,13 +26,14 @@ OS | Android | Boot scheme
2626
MIUI 11.0.2 | 7 | rootfs
2727
LineageOS 17.1 | 10 | 2SI
2828
LineageOS 19.0 | 12 | 2SI
29+
MIUI 14.0.2 | 12 | 2SI
2930

3031
_Note_: if Magisk is installed on SAR or 2SI device, this tool will fallback to Magisk's `overlay.d`. It will use standard `magisk` context which is not hidden by SELinux policy. In this case, setting `hide_process_bind` is recommended (see `config.prop`).
3132

3233
## Features & Improvements
3334

3435
- Installs entirely into _/boot_, does not modify _/system_ in any way
35-
- Operates in ramdisk without touching storage
36+
- Operates in RAM without touching storage
3637
- Employs a custom daemon to monitor payload execution
3738
- Modifies SELinux policy to hide itself
3839
- Installation and backup no longer depend on _/data_
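Review bot: "Operates in RAM without touching storage" overstates what the rest of this README describes: the persistence directory `/data/adb/.fura` (documented later in this same commit as storing arbitrary files persistently) does write to storage, and the Note above says installs alongside Magisk on SAR/2SI devices fall back to `overlay.d`. Suggest qualifying the bullet, e.g. "Runs from RAM; storage is touched only by the optional persistence directory". The new MIUI 14.0.2 row would also be more useful if it recorded whether that device was tested with or without Magisk, since the Note directly below the table says the Magisk case changes the SELinux context used.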
@@ -41,9 +42,10 @@ _Note_: if Magisk is installed on SAR or 2SI device, this tool will fallback to
4142
- Compatible with Magisk on device
4243

4344
## Limitations
44-
- Not hidden from root (files, mounts, etc.)
45+
46+
- Not always hidden from root (processes, sockets, etc.)
4547
- On some systems _logcat_ may log random service name on boot
46-
- Sockets (if any) are not hidden, though specific process using network is
48+
- Sockets (if any) may not be hidden, though specific process using network is
4749
- Not hidden by SELinux policy if installed with Magisk on SAR / 2SI device
4850

4951
## Prerequisites
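Review bot: the replacement bullet weakens "Not hidden from root" to "Not always hidden from root" but states neither the condition under which it is hidden nor what became of the file and mount visibility the old bullet listed; a limitations list is what readers use to judge the tool's claims, so name the condition explicitly (the Magisk-on-SAR/2SI case two bullets down is one; any others should be spelled out). The "Not always hidden" bullet and the "Sockets (if any) may not be hidden" bullet now both cover sockets with the same hedge, so merge them or make the second one say what differs. Grammar in the sockets bullet: "though specific process using network is" needs articles, e.g. "though the specific process using the network is".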
@@ -149,30 +151,31 @@ After boot is completed, you should be able to see its output:
149151

150152
```
151153
$ adb logcat | grep revshell
152-
03-18 00:34:41.732 2381 2381 D revshell_exec: Remounting /sbin to avoid mount detection ...
153-
03-18 00:34:41.732 2381 2381 D revshell_exec: Setting up /mnt/secure/temp
154-
03-18 00:34:41.732 2381 2381 D revshell_exec: Awaiting decryption ...
155-
03-18 00:34:41.732 2381 2381 D revshell_exec: Decrypted. Setting persistence dir at /data/adb/.aura
156-
03-18 00:34:46.817 2381 2381 I revshell_exec: restarting ...
157-
03-18 00:34:46.884 3197 3197 D revshell: Start successfull!
158-
03-18 00:34:46.885 3197 3197 D revshell: Signals are set to ignore
159-
03-18 00:34:46.885 3197 3197 D revshell: Hey I'm a revshell process!
160-
03-18 00:34:46.885 3197 3197 D revshell: My PID -- 3197
161-
03-18 00:34:46.885 3197 3197 D revshell: My parent PID -- 2381
162-
03-18 00:34:46.885 3197 3197 D revshell: My UID -- 0
163-
03-18 00:34:46.885 3197 3197 D revshell: Awaiting encrypted FS decryption now...
164-
03-18 00:34:51.241 2381 2381 D revshell_exec: Checking PID
165-
03-18 00:34:51.311 3197 3197 D revshell: FS has been decrypted!
166-
03-18 00:34:51.311 3197 3197 D revshell: Starting reverse shell now
167-
03-18 00:34:56.242 2381 2381 D revshell_exec: Checking PID
168-
03-18 00:34:56.312 3197 3197 D revshell: tick ! 10 seconds since process started
169-
03-18 00:35:01.244 2381 2381 D revshell_exec: Checking PID
170-
03-18 00:35:01.312 3197 3197 D revshell: tick ! 15 seconds since process started
154+
01-21 23:38:35.263 394 394 D revshell_exec: Executor is running
155+
01-21 23:38:35.263 394 394 D revshell_exec: Blocking signals
156+
01-21 23:38:35.263 394 394 D revshell_exec: Hiding init props
157+
01-21 23:38:35.267 394 394 D revshell_exec: memfd path: /proc/self/fd/4
158+
01-21 23:38:35.267 394 394 D revshell_exec: Setting up /mnt/secure/temp
159+
01-21 23:38:35.267 394 394 D revshell_exec: Awaiting decryption ...
160+
01-21 23:38:35.269 394 394 D revshell_exec: Decrypted. Setting persistence dir at /data/adb/.fura
161+
01-21 23:38:40.498 887 887 D revshell: Start successfull!
162+
01-21 23:38:40.498 887 887 D revshell: Signals are set to ignore
163+
01-21 23:38:40.498 887 887 D revshell: Hey I'm a revshell process!
164+
01-21 23:38:40.498 887 887 D revshell: My PID -- 887
165+
01-21 23:38:40.498 887 887 D revshell: My parent PID -- 394
166+
01-21 23:38:40.498 887 887 D revshell: My UID -- 0
167+
01-21 23:38:40.498 887 887 D revshell: Awaiting encrypted FS decryption now...
168+
01-21 23:38:41.444 394 394 D revshell_exec: Starting revshell ...
169+
01-21 23:38:45.502 887 887 D revshell: FS has been decrypted!
170+
01-21 23:38:45.502 887 887 D revshell: Starting reverse shell now
171+
01-21 23:38:46.445 394 394 D revshell_exec: Checking PID
172+
01-21 23:38:50.498 887 887 D revshell: tick ! 10 seconds since process started
173+
01-21 23:38:51.446 394 394 D revshell_exec: Checking PID
171174
```
172175

173176
On boot, temp and persistence directories are created:
174177
- `/mnt/secure/temp` - protected directory in _tmpfs_
175-
- `/data/adb/.fura` - directory to store arbitrary files persistently
178+
- `/data/adb/.fura` - directory to store arbitrary files persistently (set in `config.prop`)
176179

177180
Both directories are protected by SELinux policy, so they might be inaccessible even to root (depends on the stock policy).
178181
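Review bot: the new capture contradicts the "leaves no traces in _logcat_" claim made earlier in this same README: both `revshell_exec` and `revshell` log every step, including the memfd path and the persistence directory, which is exactly the kind of artifact a reader would search _logcat_ for. Label the block as output from a debug or verbose configuration (or whatever produces it) so the claim and the example do not disagree. The capture also introduces steps the prose never mentions ("Blocking signals", "Hiding init props", "memfd path: /proc/self/fd/4"); since the daemon is now described as launching executables "from RAM", one sentence tying that wording to the memfd line would explain the change. "Start successfull!" is a typo in the daemon's own log message, so the fix belongs in the source rather than in the README. The added "(set in `config.prop`)" on the persistence-directory bullet is helpful; the same pointer would fit `/mnt/secure/temp` if that path is configurable as well.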
