A Frida-based utility for dynamically extracting native (.so) libraries from Android applications.

TheQmaks/soSaver

soSaver

A utility for extracting and saving native (.so) libraries from the memory of Android applications using Frida.

Description

soSaver is a tool for dynamic analysis of Android applications, enabling extraction of native libraries (.so files) from running applications' memory. Unlike static file system analysis, soSaver can access libraries that are:

  • Encrypted in the APK and decrypted only at runtime
  • Dynamically loaded from the internet or other sources
  • Unpacked or generated during application execution
  • Protected against extraction by standard methods

Features

  • Extraction of native libraries from running Android applications
  • Interception of library loader calls (dlopen, android_dlopen_ext)
  • Periodic memory scanning to detect libraries loaded through non-standard methods
  • Fallback mechanism for extracting libraries from the file system
  • Informative output and statistics on extracted modules
  • Simple command-line interface

Architecture

soSaver consists of two main components:

  1. Python application — responsible for:

    • Connecting to Android devices
    • Injecting the Frida script into the target process
    • Processing messages from the Frida agent
    • Saving extracted libraries
  2. Frida agent (written in TypeScript/JavaScript) — responsible for:

    • Intercepting library loaders in the application
    • Scanning memory for ELF headers
    • Reading library data from memory
    • Sending data to the Python application

Installation

Requirements

  • Python 3.8 or higher
  • Android device (physical or emulator) with root access
  • Frida server running on the target device
  • uv package manager

Installation from Source

git clone https://github.com/TheQmaks/sosaver.git
cd sosaver
uv sync          # Sync dependencies and create virtual environment

After installation, you can activate the virtual environment:

# On Linux/macOS
source .venv/bin/activate

# On Windows
.venv\Scripts\activate

Usage

Basic Usage

# Extract libraries from an application by package name
sosaver com.example.app

# Extract from an application by PID
sosaver 1234

# Save results to a specified directory
sosaver -o /path/to/output com.example.app

# Enable debug mode
sosaver --debug com.example.app

Usage Examples

# Extract libraries from a game
sosaver com.example.game

# Extract with detailed output
sosaver --debug com.unity.game

How It Works

  1. soSaver connects to an Android device via Frida
  2. Injects a JavaScript agent into the target process
  3. The agent performs:
    • Initial scanning of already loaded modules
    • Setting up hooks for library loading functions
    • Periodic memory scanning for new libraries
  4. When a library is detected:
    • Reading content from memory in blocks
    • Transferring data via Frida messages to the host application
    • In case of memory read error, attempting to read from the file system
  5. The Python application saves the extracted libraries to disk
  6. Upon completion, statistics on extracted modules are displayed
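
The host-side half of steps 4 and 5, as an added example rather than soSaver's own code: it reassembles a module from blocks, checks the ELF header before writing, and reduces the module name reported by the target process to a bare file name so that untrusted input cannot steer the output path. The message fields (name, size, offset, payload) and all function and class names are assumptions; the sample header is constructed.

```python
import os
import struct

# Assumed block fields (name, size, offset, payload); not soSaver's actual protocol.
ELF_MAGIC = b"\x7fELF"
MACHINES = {3: "x86", 40: "arm", 62: "x86_64", 183: "aarch64"}  # e_machine values
# Constructed sample: 64-byte ELF64 little-endian header prefix (ET_DYN, aarch64).
SAMPLE = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack("<HH", 3, 183) + bytes(44)

def describe_elf(data) -> dict:
    """Validate the ELF identification bytes and return basic header facts."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {"bits": 32 * ei_class, "type": e_type,
            "machine": MACHINES.get(e_machine, hex(e_machine))}

def safe_name(module_name: str) -> str:
    """Reduce a name reported by the target process to a bare file name."""
    base = os.path.basename(module_name.replace("\\", "/")).lstrip(".")
    return base or "unnamed.so"

class ModuleAssembler:
    """Reassembles one module from (offset, payload) blocks sent by the agent."""
    def __init__(self, name: str, size: int):
        self.name, self.buf = safe_name(name), bytearray(size)
        self.missing, self.seen = size, set()

    def add_block(self, offset: int, payload: bytes) -> bool:
        if offset < 0 or offset + len(payload) > len(self.buf):
            raise ValueError("block outside declared module size")
        if offset not in self.seen:  # ignore a block that is delivered twice
            self.seen.add(offset)
            self.buf[offset:offset + len(payload)] = payload
            self.missing -= len(payload)
        return self.missing == 0  # True once every byte has arrived

    def save(self, out_dir: str) -> str:
        describe_elf(self.buf)  # refuse to write data that is not an ELF image
        path = os.path.join(out_dir, self.name)
        with open(path, "wb") as fh:
            fh.write(self.buf)
        return path
```
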

Development and Contribution

The project consists of two repositories:

For information about the Frida agent development, please refer to the soSaver-frida repository.

License

This project is distributed under the MIT license. See the LICENSE file for details.