SoTap Lightweight in-app JNI (.so) behavior logger for Andro...

src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md

@@ -171,6 +171,18 @@ When the information is saved in logs you can **check statistics like how many t
 
 ---
 
+### Android in-app native telemetry (no root)
+
+On Android, you can instrument native code inside the target app process by preloading a tiny logger library before other JNI libs initialize. This gives early visibility into native behavior without system-wide hooks or root. A popular approach is SoTap: drop libsotap.so for the right ABI into the APK and inject a System.loadLibrary("sotap") call early (e.g., static initializer or Application.onCreate), then collect logs from internal/external paths or Logcat fallback.
+
+See the Android native reversing page for setup details and log paths:
+
+{{#ref}}
+../../../mobile-pentesting/android-app-pentesting/reversing-native-libraries.md
+{{#endref}}
+
+---
+
 ## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers)
 
 Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run-time and execute a `jmp rax` or `call rax`.  A small *dispatcher* (typically nine instructions) sets the final target depending on the CPU `ZF`/`CF` flags, completely breaking static CFG recovery.
@@ -262,5 +274,6 @@ idc.set_callee_name(call_ea, resolved_addr, 0)  # IDA 8.3+
 ## References
 
 - [Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques](https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/)
+- SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
 
 {{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md

@@ -63,6 +63,42 @@ Java.perform(function () {
 ```
 Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks.  
 
+### Process-local JNI telemetry via preloaded .so (SoTap)
+
+When full-featured instrumentation is overkill or blocked, you can still gain native-level visibility by preloading a small logger inside the target process. SoTap is a lightweight Android native (.so) library that logs the runtime behavior of other JNI (.so) libraries within the same app process (no root required).
+
+Key properties:
+- Initializes early and observes JNI/native interactions inside the process that loads it.
+- Persists logs using multiple writable paths with graceful fallback to Logcat when storage is restricted.
+- Source-customizable: edit sotap.c to extend/adjust what gets logged and rebuild per ABI.
+
+Setup (repack the APK):
+1) Drop the proper ABI build into the APK so the loader can resolve libsotap.so:
+   - lib/arm64-v8a/libsotap.so (for arm64)
+   - lib/armeabi-v7a/libsotap.so (for arm32)
+2) Ensure SoTap loads before other JNI libs. Inject a call early (e.g., Application subclass static initializer or onCreate) so the logger is initialized first. Smali snippet example:
+   ```smali
+   const-string v0, "sotap"
+   invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
+   ```
+3) Rebuild/sign/install, run the app, then collect logs.
+
+Log paths (checked in order):
+```
+/data/user/0/%s/files/sotap.log
+/data/data/%s/files/sotap.log
+/sdcard/Android/data/%s/files/sotap.log
+/sdcard/Download/sotap-%s.log
+# If all fail: fallback to Logcat only
+```
+
+Notes and troubleshooting:
+- ABI alignment is mandatory. A mismatch will raise UnsatisfiedLinkError and the logger won’t load.
+- Storage constraints are common on modern Android; if file writes fail, SoTap will still emit via Logcat.
+- Behavior/verbosity is intended to be customized; rebuild from source after editing sotap.c.
+
+This approach is useful for malware triage and JNI debugging where observing native call flows from process start is critical but root/system-wide hooks aren’t available.
+
 ---
 
 ### Recent vulnerabilities worth hunting for in APKs
@@ -93,6 +129,9 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their
 ### References
 
 - Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/)  
-- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) 
+- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863)
+- SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
+- SoTap Releases – [github.com/RezaArbabBot/SoTap/releases](https://github.com/RezaArbabBot/SoTap/releases)
+- How to work with SoTap? – [t.me/ForYouTillEnd/13](https://t.me/ForYouTillEnd/13)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/android-app-pentesting/smali-changes.md

@@ -1,4 +1,4 @@
-# Smali - Decompiling/\[Modifying]/Compiling
+# Smali - Decompiling/[Modifying]/Compiling
 
 {{#include ../../banners/hacktricks-training.md}}
 
@@ -25,7 +25,7 @@ If **apktool** gives you any error, try[ installing the **latest version**](http
 
 Some **interesting files you should look are**:
 
-- _res/values/strings.xml_ (and all xmls inside res/values/\*)
+- _res/values/strings.xml_ (and all xmls inside res/values/*)
 - _AndroidManifest.xml_
 - Any file with extension _.sqlite_ or _.db_
 
@@ -162,7 +162,7 @@ invoke-static {v5, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/Strin
 
 Recommendations:
 
-- If you are going to use declared variables inside the function (declared v0,v1,v2...) put these lines between the _.local \<number>_ and the declarations of the variables (_const v0, 0x1_)
+- If you are going to use declared variables inside the function (declared v0,v1,v2...) put these lines between the _.local <number>_ and the declarations of the variables (_const v0, 0x1_)
 - If you want to put the logging code in the middle of the code of a function:
   - Add 2 to the number of declared variables: Ex: from _.locals 10_ to _.locals 12_
   - The new variables should be the next numbers of the already declared variables (in this example should be _v10_ and _v11_, remember that it starts in v0).
@@ -186,8 +186,42 @@ move-result-object v12
 invoke-virtual {v12}, Landroid/widget/Toast;->show()V
 ```
 
+### Loading a Native Library at Startup (System.loadLibrary)
 
-{{#include ../../banners/hacktricks-training.md}}
+Sometimes you need to preload a native library so it initializes before other JNI libs (e.g., to enable process-local telemetry/logging). You can inject a call to System.loadLibrary() in a static initializer or early in Application.onCreate(). Example smali for a static class initializer (<clinit>):
+
+```smali
+.class public Lcom/example/App;
+.super Landroid/app/Application;
+
+.method static constructor <clinit>()V
+    .registers 1
+    const-string v0, "sotap"         # library name without lib...so prefix
+    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
+    return-void
+.end method
+```
+
+Alternatively, place the same two instructions at the start of your Application.onCreate() to ensure the library loads as early as possible:
+
+```smali
+.method public onCreate()V
+    .locals 1
+
+    const-string v0, "sotap"
+    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
+
+    invoke-super {p0}, Landroid/app/Application;->onCreate()V
+    return-void
+.end method
+```
+
+Notes:
+- Make sure the correct ABI variant of the library exists under lib/<abi>/ (e.g., arm64-v8a/armeabi-v7a) to avoid UnsatisfiedLinkError.
+- Loading very early (class static initializer) guarantees the native logger can observe subsequent JNI activity.
 
+## References
 
+- SoTap: Lightweight in-app JNI (.so) behavior logger – [github.com/RezaArbabBot/SoTap](https://github.com/RezaArbabBot/SoTap)
 
+{{#include ../../banners/hacktricks-training.md}}