- Add Google's AOSP clang (clang-r487747c, same as Pixel kernel build)
to the CI Docker image via sparse checkout. Distro clang caused ABI
mismatches leading to bootloops on device.
- Update kmod workflow to use the Docker image + AOSP clang instead of
system clang from apt.
- Replace symvers with real vmlinux.symvers from Pixel kernel build
(8050 symbols vs 4060 from device .ko extraction).
- Add kmod build deps (bc, kmod, cpio, binutils-aarch64) to Docker image.
Add service.sh to zygisk module that resolves package names → UIDs
and writes /data/system/vpnhide_uids.txt on boot — same contract as
kmod's service.sh. This enables the lsposed system_server hooks to
work with zygisk (previously they only worked with kmod).
Also update the zygisk WebUI to resolve and write UIDs on save,
so changes apply immediately without reboot.
Remove all in-process app hooks (NetworkCapabilities, NetworkInfo,
ConnectivityManager, LinkProperties, NetworkInterface, System.getProperty).
These are redundant: system_server writeToParcel hooks cover all Java
API detection paths without touching the app's process, and native
detection is handled by vpnhide-kmod or vpnhide-zygisk.
In-process hooks were also counterproductive for anti-tamper SDK apps —
they modify the app's memory, which is exactly what those SDKs detect.
The module now only needs "System Framework" in LSPosed scope.
~600 lines removed.
The hookProcNetFiles() hook redirected FileInputStream/FileReader for
/proc/net/* paths to /dev/null inside the app process. This is
counterproductive: SELinux already blocks untrusted_app from reading
these files (EACCES), and the redirect changes the behavior from
"access denied" to "access succeeds, empty data" — a detectable
anomaly that anti-tamper SDKs could notice.
Also fix Java /proc/net/route check in test app to treat EACCES as
PASS, consistent with the native checks.
Add 9 new native checks covering all known VPN detection vectors:
netlink RTM_GETROUTE, /proc/net/ipv6_route, /proc/net/tcp{,6},
/proc/net/udp{,6}, /proc/net/dev, /proc/net/fib_trie, /sys/class/net.
Result: all new paths are blocked by SELinux for untrusted apps.
No additional kernel hooks needed — our 6 kretprobes already cover
every reachable detection vector. 23/23 checks pass.
Kernel module:
- Add dev_ifconf hook to filter SIOCGIFCONF interface enumeration
(goes through sock_ioctl -> dev_ifconf, not dev_ioctl)
- Add inet6_fill_ifaddr and inet_fill_ifaddr hooks to filter RTM_GETADDR
netlink responses. getifaddrs() was leaking tun0 via the address dump
even though RTM_GETLINK was filtered. Uses skb_trim to undo the fill
and return 0 (not -EMSGSIZE which causes infinite retry on empty skb).
- All 6 kretprobes now cover: ioctl, SIOCGIFCONF, netlink link dumps,
netlink address dumps (IPv4+IPv6), and /proc/net/route.
Test app:
- Treat SELinux EACCES/EPERM as PASS — if the app can't access the
resource, it can't detect VPN through it either.
- Test results: 14/14 passed with VPN active.
Build system:
- Replace hardcoded paths in Makefile with env vars (KERNEL_SRC, CLANG_DIR)
- Add .env.example and .envrc for direnv-based config
- Simplify build-zip.sh to delegate to make instead of duplicating build command
- Rewrite BUILDING.md: 5-step happy path with direnv, standalone prep as appendix
- Remove redundant quick-reference script and step 7 (manual module.lds hack)
Kernel module (vpnhide_kmod.c):
- Fix fib_route_seq_show hook: save seq_file pointer and buffer position in entry
handler instead of reading regs->regs[0] in return handler (which holds the
return value on arm64, not the original argument). Rewrite buffer scanning as
clean forward iteration with memmove compaction.
- Remove dead SIOCGIFCONF case from dev_ioctl hook (confirmed in kernel source:
SIOCGIFCONF goes through sock_ioctl -> dev_ifconf, not dev_ioctl on GKI 6.1)
- Fix header comment: remove false tcp4_seq_show claim, correct rtnl symbol name
Test app:
- Auto-run checks on launch (LaunchedEffect) for easier adb-driven testing
Root README is now the single source for shared content (verified
against, split tunneling, threat model, component overview). Sub-READMEs
focus on component-specific technical details and link back to root.
- Remove ~700 lines of duplicated content across sub-READMEs
- Update all cross-references to use monorepo relative paths
- Add test-app to components table
- Update zygisk README: mark openat/recvmsg/SIOCGIFCONF as implemented
- Fix stale links to archived repos
- Remove specific commercial app/bank names from all READMEs, comments,
and log messages to avoid legal issues. Open-source detection tools
(RKNHardering, YourVPNDead) are kept with links.
- Rewrite test-app in Jetpack Compose with Material3 dynamic colors,
edge-to-edge, system dark/light theme support.
- Make test UI more verbose with detailed result cards.
- Add full logcat output for all checks (tag: VPNHideTest) for
automated testing by AI agents.
- Fix 16KB page alignment for Android 15+.
Unified repository for the complete Android VPN-hiding stack:
- zygisk/ — Rust Zygisk module (inline libc hooks via shadowhook)
- lsposed/ — Kotlin LSPosed module (Java API + system_server hooks)
- kmod/ — C kernel module (kretprobe hooks, invisible to anti-tamper)
CI workflows use path filters to build only the changed component.
