按照论坛上的方法操作,但一直注入不成功,求解答。
inject.c
/*
 * Entry point of the injector executable.
 *
 * Looks up the PID of /system/bin/servicemanager with find_pid_of(), then
 * hands that PID to inject_remote_process() together with a library path,
 * a function name, and a message plus its length. Both helpers are defined
 * outside this listing; judging by the arguments, the call presumably loads
 * the library into the target and invokes the named function with the
 * message (confirm against their definitions).
 *
 * An earlier variant kept in the original post targeted /dev/libhello.so
 * with the entry name "hook_entry".
 *
 * NOTE(review): target_pid is passed on without checking whether the lookup
 * failed; confirm what find_pid_of() returns when no process matches.
 *
 * Returns the value of inject_remote_process(): 0 is logged as success,
 * anything else as failure. argc and argv are unused.
 */
int main(int argc, char** argv){
    char msg[] = "this is a msg";
    pid_t target_pid = find_pid_of("/system/bin/servicemanager");
    int rc = inject_remote_process(target_pid, "/dev/libtestso.so", "_init",
                                   msg, strlen(msg));

    if (rc == 0) {
        LOGD("inject success");
    } else {
        LOGD("inject_remote_process failed");
    }

    return rc;
}
libtest.so
#include <stdio.h>
#include <unistd.h>
#include<android/log.h>
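/* Tag under which this library's messages are written to the Android log. */
#define LOGTAG "injectso"

/*
 * Write one message to the Android log under LOGTAG.
 *
 * Despite the "W" in the name, the priority passed is ANDROID_LOG_ERROR.
 * The expansion has no trailing semicolon and the argument is parenthesized,
 * so LOGW(x); is a single statement and stays safe inside an unbraced
 * if/else.
 */
#define LOGW(a) __android_log_write(ANDROID_LOG_ERROR, LOGTAG, (a))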
/*
 * Logs a fixed message through LOGW.
 *
 * The function carries the GCC `constructor` attribute, so the loader runs
 * it when the shared object is loaded. The injector listing on this page
 * also passes the name "_init" as the function to look up and call, so it
 * may be invoked a second time with the injector's message pointer as
 * `args` (confirm against inject_remote_process). `args` is never read.
 *
 * NOTE(review): file-scope names beginning with an underscore are reserved
 * for the implementation, and `_init` is also the conventional name of a
 * shared object's initialisation entry; confirm the name does not collide
 * with the toolchain's own symbol.
 */
__attribute__((constructor))
void _init(char *args)
{
    (void)args;
    LOGW("hey i am running");
}
mk代码:
# Builds the "inject" executable from the C driver (inject.c) and the
# assembly stub (shellcode.s).
LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)

LOCAL_MODULE := inject
LOCAL_MODULE_TAGS := debug
LOCAL_MODULE_PATH := $(TARGET_OUT_OPTIONAL_EXECUTABLES)

LOCAL_SRC_FILES := inject.c shellcode.s

LOCAL_STATIC_LIBRARIES := libc
# -llog links the Android logging library; the -L path points the linker at
# the sysroot's library directory.
LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog

include $(BUILD_EXECUTABLE)
shellcode.s
@ ARM stub: calls dlopen, dlsym, the resolved function and (conditionally)
@ dlclose through patched-in addresses, then reloads a saved register set.
@ Everything between _inject_start_s and _inject_end_s is one self-contained
@ region: instructions first, then the parameter words they load.
@
@ The labels below are exported so that other objects in the link can refer
@ to them (presumably inject.c, whose body is not shown here, measures the
@ stub and fills in the parameter words; confirm against that file).
.global _dlopen_addr_s
.global _dlopen_param1_s
.global _dlopen_param2_s
.global _dlsym_addr_s
.global _dlsym_param2_s
.global _dlclose_addr_s
.global _inject_start_s
.global _inject_end_s
.global _inject_function_param_s
.global _saved_cpsr_s
.global _saved_r0_pc_s
@ The stub is assembled into the data section, not the text section.
.data
_inject_start_s:
@ debug loop: with the two lines below enabled, execution would spin at
@ label 3 (they are commented out, so the label is just a marker).
3:
@sub r1, r1, #0
@B 3b
@ dlopen: r0 = word at _dlopen_param1_s (first argument),
@ r1 = word at _dlopen_param2_s (second argument, 0x2 as assembled),
@ then call through the address stored at _dlopen_addr_s.
ldr r1, _dlopen_param2_s
ldr r0, _dlopen_param1_s
ldr r3, _dlopen_addr_s
blx r3
@ Keep the returned handle in r4; a zero handle means dlopen failed, so go
@ straight to the context restore at label 2.
subs r4, r0, #0
beq 2f
@ dlsym: r0 still holds the handle from dlopen, r1 = word at
@ _dlsym_param2_s (second argument); call through _dlsym_addr_s.
ldr r1, _dlsym_param2_s
ldr r3, _dlsym_addr_s
blx r3
@ r3 = resolved address; zero means the lookup failed, so close the handle
@ at label 1.
subs r3, r0, #0
beq 1f
@ Call the resolved function with the word at _inject_function_param_s as
@ its single argument.
ldr r0, _inject_function_param_s
blx r3
@ A zero value in r0 after the call skips dlclose, leaving the library
@ loaded (it then remains in the process's memory mappings); a non-zero
@ value falls through to dlclose.
subs r0, r0, #0
beq 2f
1:
@ dlclose: pass the handle saved in r4 and call through _dlclose_addr_s.
mov r0, r4
ldr r3, _dlclose_addr_s
blx r3
2:
@ Restore context: write the saved CPSR control and flags fields, point sp
@ at the block whose address is stored in _saved_r0_pc_s, and reload r0
@ through pc from it. Loading pc transfers control away from the stub.
ldr r1, _saved_cpsr_s
msr cpsr_cf, r1
ldr sp, _saved_r0_pc_s
ldmfd sp, {r0-pc}
@ Parameter words read by the instructions above. 0x11111111 is a
@ placeholder value (presumably overwritten with real addresses and
@ pointers before the stub is used; confirm in inject.c).
_dlopen_addr_s:
.word 0x11111111
_dlopen_param1_s:
.word 0x11111111
@ Second dlopen argument. NOTE(review): which RTLD_* constant 0x2 names
@ depends on the target's libc headers; confirm.
_dlopen_param2_s:
.word 0x2
_dlsym_addr_s:
.word 0x11111111
_dlsym_param2_s:
.word 0x11111111
_dlclose_addr_s:
.word 0x11111111
_inject_function_param_s:
.word 0x11111111
_saved_cpsr_s:
.word 0x11111111
_saved_r0_pc_s:
.word 0x11111111
@ End marker for the stub, followed by 0x400 zero bytes of reserved space.
_inject_end_s:
.space 0x400, 0
.end
apk中调用
// Runs /dev/inject through "su -c", i.e. with whatever privileges su grants.
// The Process returned by exec() is discarded, so the command's exit status
// and output are never observed here.
Runtime.getRuntime().exec("su -c /dev/inject");
/dev 下的 inject 和 libtestso 的权限都是 777。