README.MD
Lines changed: 27 additions & 24 deletions
@@ -11,7 +11,7 @@ Since it's operating within ramdisk, this tool can bypass most root checks, inte
11
11
Unlike its predecessor, this rootkit can bypass SafetyNet, since it doesn't need to modify system partition. \
12
12
However, it can't bypass hardware checks, such as hardware-backed SafetyNet on newer devices.
13
13
14
-
The daemon launches arbitrary executable in loop, while providing cover and execution control.
14
+
The daemon launches arbitrary executable from RAM, while providing cleanup, cover, and execution control.
15
15
It runs silently and normally leaves no traces in _dmesg_, _logcat_, etc., unlike regular services run by _init_ in loop.
16
16
17
17
FURA uses SELinux to its own advantage: not only to bypass stock policy restrictions, but to hide itself from the rest of the system.
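Review bot: the rewritten `+` line ("The daemon launches arbitrary executable from RAM, while providing cleanup, cover, and execution control.") drops "in loop", yet the unchanged line right after it still contrasts the daemon with "regular services run by _init_ in loop", so a reader can no longer tell whether the daemon re-launches the payload repeatedly or runs it once; state which. "cleanup" is also new here and nothing nearby says what is cleaned up (temporary files, mounts, log entries), so name it. Minor: "launches an arbitrary executable" needs the article.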
@@ -26,13 +26,14 @@ OS | Android | Boot scheme
26
26
MIUI 11.0.2 | 7 | rootfs
27
27
LineageOS 17.1 | 10 | 2SI
28
28
LineageOS 19.0 | 12 | 2SI
29
+
MIUI 14.0.2 | 12 | 2SI
29
30
30
31
_Note_: if Magisk is installed on SAR or 2SI device, this tool will fallback to Magisk's `overlay.d`. It will use standard `magisk` context which is not hidden by SELinux policy. In this case, setting `hide_process_bind` is recommended (see `config.prop`).
31
32
32
33
## Features & Improvements
33
34
34
35
- Installs entirely into _/boot_, does not modify _/system_ in any way
35
-
- Operates in ramdisk without touching storage
36
+
- Operates in RAM without touching storage
36
37
- Employs a custom daemon to monitor payload execution
37
38
- Modifies SELinux policy to hide itself
38
39
- Installation and backup no longer depend on _/data_
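Review bot: the feature bullet changed from "Operates in ramdisk without touching storage" to "Operates in RAM without touching storage", but the hunk-header context for the opening paragraph still reads "Since it's operating within ramdisk, this tool can bypass most root checks", so the README now uses two different terms for the same property; pick one and apply it throughout. "ramdisk" is the more precise of the two, since "RAM" alone describes any running process and says nothing about where the tool is installed. The new table row `MIUI 14.0.2 | 12 | 2SI` follows the three-column layout of the rows above it, which is fine.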
@@ -41,9 +42,10 @@ _Note_: if Magisk is installed on SAR or 2SI device, this tool will fallback to
41
42
- Compatible with Magisk on device
42
43
43
44
## Limitations
44
-
- Not hidden from root (files, mounts, etc.)
45
+
46
+
- Not always hidden from root (processes, sockets, etc.)
45
47
- On some systems _logcat_ may log random service name on boot
46
-
- Sockets (if any) are not hidden, though specific process using network is
48
+
- Sockets (if any) may not be hidden, though specific process using network is
47
49
- Not hidden by SELinux policy if installed with Magisk on SAR / 2SI device
48
50
49
51
## Prerequisites
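Review bot: the first Limitations bullet went from "Not hidden from root (files, mounts, etc.)" to "Not always hidden from root (processes, sockets, etc.)", which silently drops files and mounts from the stated limitations while the other `+` bullet still says sockets "may not be hidden"; the two bullets now overlap, and neither says under what condition hiding does or does not apply. Suggest keeping files and mounts listed explicitly if they remain visible to root, and spelling out what "not always" depends on (the `hide_process_bind` setting from the note above is the natural candidate if that is the deciding factor). Also "though specific process using network is" reads better as "though the specific process using the network is".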
@@ -149,30 +151,31 @@ After boot is completed, you should be able to see its output:
149
151
150
152
```
151
153
$ adb logcat | grep revshell
152
-
03-18 00:34:41.732 2381 2381 D revshell_exec: Remounting /sbin to avoid mount detection ...
153
-
03-18 00:34:41.732 2381 2381 D revshell_exec: Setting up /mnt/secure/temp
154
-
03-18 00:34:41.732 2381 2381 D revshell_exec: Awaiting decryption ...
155
-
03-18 00:34:41.732 2381 2381 D revshell_exec: Decrypted. Setting persistence dir at /data/adb/.aura
156
-
03-18 00:34:46.817 2381 2381 I revshell_exec: restarting ...
157
-
03-18 00:34:46.884 3197 3197 D revshell: Start successfull!
158
-
03-18 00:34:46.885 3197 3197 D revshell: Signals are set to ignore
159
-
03-18 00:34:46.885 3197 3197 D revshell: Hey I'm a revshell process!
160
-
03-18 00:34:46.885 3197 3197 D revshell: My PID -- 3197
161
-
03-18 00:34:46.885 3197 3197 D revshell: My parent PID -- 2381
162
-
03-18 00:34:46.885 3197 3197 D revshell: My UID -- 0
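Review bot: the hunk header advertises 31 new lines for this block but only the removed sample output is visible in this excerpt, so the replacement listing cannot be checked here; whatever replaces it should stay consistent with the rest of the README on two points the removed lines exposed. "Setting persistence dir at /data/adb/.aura" sits awkwardly next to the feature bullet "Installation and backup no longer depend on _/data_", and an `adb logcat | grep revshell` listing sits awkwardly next to the earlier claim that the daemon "leaves no traces in _dmesg_, _logcat_, etc." unless the text says these lines are the demo payload's own debug logging rather than the daemon's. The removed lines also carried the typo "successfull"; make sure it does not survive in the new text.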