vrr/vpnhide
2
0
Fork 0
mirror of https://github.com/okhsunrog/vpnhide.git synced 2026-05-05 01:55:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
vpnhide/README.md
okhsunrog 12daca5c1a monorepo: combine vpnhide-zygisk, vpnhide (lsposed), and vpnhide-kmod 
Unified repository for the complete Android VPN-hiding stack:
- zygisk/ — Rust Zygisk module (inline libc hooks via shadowhook)
- lsposed/ — Kotlin LSPosed module (Java API + system_server hooks)
- kmod/ — C kernel module (kretprobe hooks, invisible to anti-tamper)

CI workflows use path filters to build only the changed component.
2026-04-11 15:01:49 +03:00

2.9 KiB
Raw Blame History

vpnhide

Hide an active Android VPN connection from selected apps. Three components work together to cover all detection vectors — from Java APIs down to kernel syscalls.

Components

Directory What How
zygisk/ Zygisk module (Rust) Inline-hooks libc.so via shadowhook: ioctl, getifaddrs, openat (/proc/net/*), recvmsg (netlink). Catches every caller regardless of load order — including Flutter/Dart and late-loaded native libs.
lsposed/ LSPosed/Xposed module (Kotlin) Hooks Java network APIs in app processes (NetworkCapabilities, NetworkInterface, LinkProperties, etc.) and writeToParcel in system_server for cross-process Binder filtering.
kmod/ Kernel module (C) kretprobe hooks on dev_ioctl, rtnl_fill_ifinfo, fib_route_seq_show. Invisible to any userspace anti-tamper SDK — including MIR HCE (Russian banking NFC payments).

Which modules do I need?

  • Most apps (Шоколадница, Flutter apps, simple VPN checks): zygisk alone is enough.
  • Apps using Java network APIs (connectivity checks via NetworkCapabilities): add lsposed.
  • Banking apps with MIR SDK (Alfa-Bank, T-Bank, Yandex Bank): use kmod + lsposed. These apps detect userspace hooks via raw svc #0 syscalls and ELF integrity checks — only kernel-level filtering is invisible to them.

Configuration

All three modules share a target list. Use the WebUI (KernelSU/Magisk manager → module settings) to select which apps should not see the VPN. The WebUI writes to:

  • targets.txt — package names (read by zygisk and lsposed)
  • /proc/vpnhide_targets — resolved UIDs (read by kmod)
  • /data/system/vpnhide_uids.txt — resolved UIDs (read by lsposed system_server hooks)

Building

Each component has its own build system:

  • zygisk: cd zygisk && ./build-zip.sh (requires Rust + Android NDK + cargo-ndk)
  • lsposed: cd lsposed && ./gradlew assembleDebug (requires JDK 17)
  • kmod: cd kmod && ./build-zip.sh (requires kernel source + clang cross-compiler). See kmod/BUILDING.md for details.

Verified against

  • RKNHardering — all detection vectors clean
  • YourVPNDead — all detection vectors clean
  • Both implement the official Russian Ministry of Digital Development VPN/proxy detection methodology.

Split tunneling

Works correctly with split-tunnel VPN configurations. Only the apps in the target list are affected — all other apps see normal VPN state.

Known limitations

  • kmod requires a GKI kernel with CONFIG_KPROBES=y (standard on Pixel 69a with android14-6.1)
  • lsposed requires LSPosed or a compatible Xposed framework
  • MIR SDK's custom VM bytecode engine could theoretically be updated to detect kernel-level filtering, but this hasn't been observed in practice