Support hierarchical zygote startup via stub processes#100
Merged
JingMatrix merged 4 commits into master on Feb 21, 2026
Conversation
The ptrace monitoring logic has been re-architected to support a new Android startup chain where zygote is not a direct child of the init process. On some devices, the boot sequence is `init -> stub_zygote -> zygote`, which the previous flat monitoring model could not handle. This change transitions the system from monitoring only direct children of init to a hierarchical model capable of recursively tracing a designated chain of processes.

Key changes include:

1. Generalized Parent Handling: The logic specific to the `init` process has been refactored into a generic `handleParentEvent`. This function now handles fork events from any designated parent, including `init` or an intermediate stub process.
2. Stub Process Promotion: When a traced child process executes a known `stub_zygote` binary, it is not detached. Instead, it is "promoted" to a new parent role. Its ptrace options are upgraded to trace forks, and its PID is added to a new `stub_processes_` set for tracking.
3. Hierarchical Dispatch: The central `handleChildEvent` dispatcher now prioritizes routing events for PIDs in the `stub_processes_` set to the parent handler, allowing the monitor to discover and attach to grandchildren (the real zygote).

This new architecture is more resilient to platform variations in the boot process without sacrificing the precision of the injection mechanism.
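The three mechanisms in the description (generic parent handling, stub promotion, hierarchical dispatch) as an added example that is not NeoZygisk's code. The names `MonitorState`, `classify`, `onParentFork`, `onChildExec`, `simulateChain` and `runDemo` are assumptions, as is a Linux host with `/bin/true` that lets a process trace its own descendants. `simulateChain` walks the full `init -> stub_zygote -> zygote` chain with the dispatch logic alone; `runDemo` exercises the real ptrace side on a two-level chain (the forked child plays an already-promoted stub and forks a grandchild that execs `/bin/true` in place of zygote).

```cpp
// Added example (not NeoZygisk's code): a minimal hierarchical ptrace monitor.
// Names (MonitorState, classify, onParentFork, onChildExec, runDemo) are assumed.
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>
#include <signal.h>
#include <set>
#include <string>
#include <cstdio>

struct MonitorState {
    pid_t root = 0;            // designated top-level parent (init in the real chain)
    std::set<pid_t> stubs;     // promoted intermediate parents (stub_zygote)
    std::set<pid_t> children;  // forked children not yet classified by their exec
    std::set<pid_t> targets;   // children that exec'd the final target (zygote)
};

enum Role { ROLE_PARENT, ROLE_CHILD, ROLE_UNKNOWN };

// Hierarchical dispatch: a PID in the stub set is routed to the parent handler
// exactly like the root, so the stub's own forks (the grandchildren) are seen too.
Role classify(const MonitorState& st, pid_t pid) {
    if (pid == st.root || st.stubs.count(pid)) return ROLE_PARENT;
    if (st.children.count(pid)) return ROLE_CHILD;
    return ROLE_UNKNOWN;
}

// Parent handler: a fork event from any designated parent registers the new child.
void onParentFork(MonitorState& st, pid_t child) { st.children.insert(child); }

// Child handler on exec: a stub is promoted (stays traced, now as a parent), the
// target is recorded, anything else is dropped. Returns true if the PID stays traced.
bool onChildExec(MonitorState& st, pid_t child, const std::string& exe,
                 const std::string& stub_exe, const std::string& target_exe) {
    st.children.erase(child);
    if (exe == stub_exe)   { st.stubs.insert(child);   return true; }  // promotion
    if (exe == target_exe) { st.targets.insert(child); return true; }
    return false;  // unrelated program: caller detaches
}

// Offline walk through init -> stub_zygote -> zygote with the dispatch logic only
// (constructed PIDs); returns the number of targets found, expected 1.
int simulateChain() {
    MonitorState st;
    st.root = 1;                                                   // init
    onParentFork(st, 200);                                         // init forks 200
    if (!onChildExec(st, 200, "stub_zygote", "stub_zygote", "zygote")) return -1;
    if (classify(st, 200) != ROLE_PARENT) return -2;               // 200 is promoted
    onParentFork(st, 300);                                         // stub forks 300
    onChildExec(st, 300, "zygote", "stub_zygote", "zygote");       // the real zygote
    onParentFork(st, 400);                                         // unrelated child
    if (onChildExec(st, 400, "logd", "stub_zygote", "zygote")) return -3;
    return (int)st.targets.size();
}

// Basename of /proc/<pid>/exe, so /bin/true and /usr/bin/true compare equal.
static std::string exeNameOf(pid_t pid) {
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
    ssize_t n = readlink(path, buf, sizeof buf - 1);
    if (n < 0) return "";
    std::string exe(buf, (size_t)n);
    return exe.substr(exe.rfind('/') + 1);
}

// Live ptrace demo: the forked child plays an already-promoted stub and forks a
// grandchild that execs /bin/true (standing in for zygote). Returns targets found.
int runDemo() {
    pid_t stub = fork();
    if (stub == 0) {
        ptrace(PTRACE_TRACEME, 0, nullptr, nullptr);
        raise(SIGSTOP);                            // let the monitor set options first
        pid_t gc = fork();
        if (gc == 0) { execl("/bin/true", "true", (char*)nullptr); _exit(127); }
        waitpid(gc, nullptr, 0);
        _exit(0);
    }
    MonitorState st;
    st.root = stub;                                // this demo's designated parent
    int status;
    waitpid(stub, &status, 0);                     // the initial SIGSTOP
    ptrace(PTRACE_SETOPTIONS, stub, nullptr,
           (void*)(long)(PTRACE_O_TRACEFORK | PTRACE_O_TRACEEXEC));
    ptrace(PTRACE_CONT, stub, nullptr, nullptr);
    for (;;) {
        pid_t pid = waitpid(-1, &status, __WALL);
        if (pid < 0) break;                        // no tracees left
        if (!WIFSTOPPED(status)) { if (pid == st.root) break; continue; }
        int sig = WSTOPSIG(status), event = status >> 16;
        if (event == PTRACE_EVENT_FORK && classify(st, pid) == ROLE_PARENT) {
            unsigned long newpid = 0;              // the auto-attached child is only
            ptrace(PTRACE_GETEVENTMSG, pid, nullptr, &newpid);  // registered here; it is
            onParentFork(st, (pid_t)newpid);       // resumed once waitpid reports it
        } else if (event == PTRACE_EVENT_EXEC && classify(st, pid) == ROLE_CHILD) {
            if (!onChildExec(st, pid, exeNameOf(pid), "stub_zygote", "true")) {
                ptrace(PTRACE_DETACH, pid, nullptr, nullptr);
                continue;
            }
        }
        // Resume only the tracee whose stop waitpid just reported; swallow ptrace's
        // own SIGTRAP/SIGSTOP stops and pass any real signal through.
        long pass = (event || sig == SIGTRAP || sig == SIGSTOP) ? 0 : sig;
        ptrace(PTRACE_CONT, pid, nullptr, (void*)pass);
    }
    return (int)st.targets.size();
}

int main() {
    printf("offline chain targets: %d, live demo targets: %d\n", simulateChain(), runDemo());
    return 0;
}
```

The design point worth noticing in `runDemo` is the one the review below turns on: a child learned from `PTRACE_EVENT_FORK` is only recorded in the fork handler, never resumed there, because it has not necessarily reached its own initial stop yet; every `PTRACE_CONT` is issued for the PID that `waitpid` just reported.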
ale5000-git reviewed on Feb 21, 2026
loader/src/ptracer/monitor_impl.cpp (outdated)

Comment on lines +414 to +415:

```cpp
ptrace(PTRACE_CONT, pid, 0, 0);
return;
```
Without these 2 lines it will be the same since the same command is done here: https://github.com/JingMatrix/NeoZygisk/pull/100/changes#diff-41f9665792a03918c8f10506cc51923cde1b492513170999db1d87e565f6a614R429
The process might not be ready if it is not discovered via waitpid but observed from PTRACE_EVENT_FORK.