[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81920":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":11,"openIssues":13,"contributorsCount":13,"subscribersCount":13,"size":13,"stars1d":13,"stars7d":13,"stars30d":13,"stars90d":13,"forks30d":13,"starsTrendScore":13,"compositeScore":14,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":15,"fork":15,"defaultBranch":16,"hasWiki":17,"hasPages":15,"topics":18,"createdAt":9,"pushedAt":9,"updatedAt":19,"readmeContent":20,"aiSummary":21,"trendingCount":13,"starSnapshotCount":13,"syncStatus":22,"lastSyncTime":23,"discoverSource":24},81920,"dexhound","dPhoeniixx\u002Fdexhound","dPhoeniixx","Dump DEX files from a running Android process without instrumentation",null,"C",28,3,0,1.81,false,"main",true,[],"2026-06-12 02:04:21","# dexhound\n\n\u003Cp align=\"center\">\n  \u003Cimg src=\"mascot.jpg\" alt=\"dexhound mascot\" width=\"420\">\n\u003C\u002Fp>\n\nDump DEX files out of a running Android process — no instrumentation, no injection, no hooks.\n\n## Why\n\nOn a rooted device with Magisk + DenyList, most RASP-protected apps run fine. But some still detect instrumentation tools like **Frida**, which makes the usual \"attach and dump classloaders\" approach fail.\n\n`dexhound` doesn't attach to the process. It just reads memory through `\u002Fproc\u002F\u003Cpid>\u002Fmem` and carves out anything that looks like a DEX. The target app sees nothing.\n\n## How it works\n\n1. Resolve the target (PID or package name via `\u002Fproc\u002F*\u002Fcmdline`).\n2. Walk `\u002Fproc\u002F\u003Cpid>\u002Fmaps`, skip system\u002Fframework\u002Fother-app regions.\n3. Read each readable region from `\u002Fproc\u002F\u003Cpid>\u002Fmem`.\n4. Scan for the DEX magic (`dex\\n0XX\\0`), validate header size + endian tag + file size.\n5. Verify Adler-32; tag the dump `OK` or `MISMATCH`.\n6. Write each hit to `\u003Coutdir>\u002Fdump_\u003Caddr>_\u003Ctag>.dex`.\n\n## Build\n\nCross-compile from any host using the Android NDK. Point `NDK` at your install (Android Studio puts it under `~\u002FLibrary\u002FAndroid\u002Fsdk\u002Fndk\u002F\u003Cversion>` on macOS) and run:\n\n```sh\nTC=$NDK\u002Ftoolchains\u002Fllvm\u002Fprebuilt\u002Fdarwin-x86_64\u002Fbin   # or linux-x86_64\nmkdir -p build\n$TC\u002Faarch64-linux-android30-clang   dexhound.c -O2 -s -o build\u002Fdexhound-arm64-v8a\n$TC\u002Farmv7a-linux-androideabi30-clang dexhound.c -O2 -s -o build\u002Fdexhound-armeabi-v7a\n$TC\u002Fx86_64-linux-android30-clang    dexhound.c -O2 -s -o build\u002Fdexhound-x86_64\n$TC\u002Fi686-linux-android30-clang      dexhound.c -O2 -s -o build\u002Fdexhound-x86\n```\n\nPush the matching binary to the device and run it as root.\n\n## Usage\n\n```\n.\u002Fdexhound \u003Cpid|package> \u003Coutdir>\n```\n\nExamples:\n\n```\n.\u002Fdexhound com.example.app \u002Fdata\u002Flocal\u002Ftmp\u002Fout\n.\u002Fdexhound 12345         \u002Fdata\u002Flocal\u002Ftmp\u002Fout\n```\n\n### Running against a RASP-protected app\n\nIf the target app uses RASP and refuses to launch on a rooted device, the cleanest setup is:\n\n1. Install **Magisk** and enable **Zygisk**.\n2. Open Magisk → **Configure DenyList** → tick the target package.\n3. Launch the app — it sees a \"clean\" environment and runs normally.\n4. While it's running, dump it from another shell:\n\n   ```\n   su -c '\u002Fdata\u002Flocal\u002Ftmp\u002Fdexhound com.example.app \u002Fdata\u002Flocal\u002Ftmp\u002Fout'\n   ```\n\nBecause dexhound never attaches, injects, or loads anything into the target, RASP checks (Frida detection, ptrace probes, hook scans, etc.) don't fire — DenyList alone is enough to get past the boot-time root check.\n\n## Requirements\n\n- Rooted Android device (needs read access to `\u002Fproc\u002F\u003Cpid>\u002Fmem`).\n- Target process already running.\n- Any Android ABI — `arm64-v8a`, `armeabi-v7a`, `x86_64`, `x86`.\n","dexhound 是一个可以从正在运行的 Android 进程中提取 DEX 文件的工具，无需进行任何注入或挂钩。其核心功能在于通过直接读取 `\u002Fproc\u002F\u003Cpid>\u002Fmem` 来查找并验证内存中的 DEX 文件，避免了传统方法可能触发的应用保护机制（如 RASP）。该工具特别适用于需要绕过反调试检测的场景，例如在分析某些对环境敏感的应用程序时。使用 C 语言编写，支持多种 Android 架构，并要求设备具有 root 权限以访问目标进程的内存空间。",2,"2026-06-11 04:07:12","CREATED_QUERY"]