root 检测、Xposed 检测、Cydia 检测
2018-09-06 本文已影响405人
that_is_this
1. root 检测
public class Root_check {
private static String LOG_TAG = "Wooo";
public static void checkRoot() {
try {
/* 源码 adb.c 内
int adb_main(int is_daemon)
{
......
property_get("ro.secure", value, "");
if (strcmp(value, "1") == 0) {
// don't run as root if ro.secure is set...
secure = 1;
......
}
if (secure) {
......
*/
Object obj = utils.invokeStaticMethod("android.os.SystemProperties", "get", new Class[]{String.class}, new Object[]{"ro.secure"}); // ro.secure service.adb.root
Log.i("Wooo", "checkRoot -> " + obj);
if (obj != null) {
if (obj.equals("1")) {
Log.i("Wooo", "checkRoot may not root");
}
if (obj.equals("0")) {
Log.i("Wooo", "checkRoot mast rooted");
}
}
checkRelease();
checkSUfile();
// checkRootWhichSU(); // 执行 which su
} catch (Exception e) {
e.printStackTrace();
}
}
private static void checkRelease() {
String buildTags = Build.TAGS;
Log.i("Wooo", "cheeckRelease tag is : " + buildTags);
if (buildTags != null && buildTags.contains("test-keys")) {
Log.i("Wooo", "cheeckRelease -> debug");
}
if (buildTags != null && buildTags.contains("release-keys")) {
Log.i("Wooo", "cheeckRelease -> release");
}
}
private static void checkSUfile() {
// "/sbin/su", "/system/bin/su", "/system/xbin/su", "/data/local/xbin/su", "/data/local/bin/su", "/system/sd/xbin/su", "/system/bin/failsafe/su", "/data/local/su"
String file[] = {"/system/bin/", "/system/xbin/", "/system/sbin/", "/sbin/", "/vendor/bin/", "/su/bin/"};
for (int i = 0; i < file.length; i++) {
String sNm = file[i] + "su";
File f = new File(sNm);
if (f.exists()) {
Log.i("Wooo", "checkRoot " + sNm + " file exists");
} else {
Log.i("Wooo", "checkRoot " + sNm + " file no exists");
}
}
}
public static boolean checkRootWhichSU() {
String[] strCmd = new String[] {"/system/xbin/which","su"};
ArrayList<String> execResult = executeCommand(strCmd);
if (execResult != null){
Log.i("Wooo","execResult="+execResult.toString());
return true;
}else{
Log.i("Wooo","execResult=null");
return false;
}
}
private static ArrayList<String> executeCommand(String[] shellCmd){ // 执行 linux 的 shell 命令
String line = null;
ArrayList<String> fullResponse = new ArrayList<String>();
Process localProcess = null;
try {
Log.i(LOG_TAG,"to shell exec which for find su :");
localProcess = Runtime.getRuntime().exec(shellCmd);
} catch (Exception e) {
return null;
}
BufferedWriter out = new BufferedWriter(new OutputStreamWriter(localProcess.getOutputStream()));
BufferedReader in = new BufferedReader(new InputStreamReader(localProcess.getInputStream()));
try {
while ((line = in.readLine()) != null) {
Log.i(LOG_TAG,"–> Line received: " + line);
fullResponse.add(line);
}
} catch (Exception e) {
e.printStackTrace();
}
Log.i(LOG_TAG,"–> Full response was: " + fullResponse);
return fullResponse;
}
}
2. Xposed 检测
public class Xposed_check {
private static String TAG = "Wooo Xposed";
private static StringBuffer sb = new StringBuffer();
// https://blog.csdn.net/jiangwei0910410003/article/details/80037971
// https://www.52pojie.cn/thread-691584-1-1.html
// https://tech.meituan.com/android_anti_hooking.html
// https://segmentfault.com/a/1190000009976827
public static void checkXposed(Context ctx) {
checkCache();
checkJarClass();
checkJarFile();
disableHooks();
checkMaps();
checkPackage(ctx);
checkException();
}
private static void checkPackage(Context ctx) {
PackageManager packageManager = ctx.getPackageManager();
List<ApplicationInfo> applicationInfoList = packageManager.getInstalledApplications(PackageManager.GET_META_DATA);
for (ApplicationInfo applicationInfo : applicationInfoList) {
if (applicationInfo.packageName.equals("de.robv.android.xposed.installer")) {
Log.i(TAG, "found xposed package installed");
}
}
}
private static void checkException() {
try {
throw new Exception("xppp");
} catch (Exception e) {
for (StackTraceElement stackTraceElement : e.getStackTrace()) {
if (stackTraceElement.getClassName().equals("de.robv.android.xposed.XposedBridge")) { // stackTraceElement.getMethodName()
Log.i(TAG, "found exception of xposed");
}
}
}
}
/*
bool is_xposed()
{
bool rel = false;
FILE *fp = NULL;
char* filepath = "/proc/self/maps";
...
string xp_name = "XposedBridge.jar";
fp = fopen(filepath,"r"))
while (!feof(fp))
{
fgets(strLine,BUFFER_SIZE,fp);
origin_str = strLine;
str = trim(origin_str);
if (contain(str,xp_name))
{
rel = true; //检测到Xposed模块
break;
}
}
...
}
*/
private static void checkMaps() {
String jarName = "XposedBridge.jar";
try {
BufferedReader bufferedReader = new BufferedReader(new FileReader("/proc/" + Process.myPid() + "/maps"));
while (true) {
String str = bufferedReader.readLine();
if (str == null) {
break;
}
if (str.endsWith("jar")) {
if (str.contains(jarName)) {
Log.i(TAG, "proc/pid/maps find Xposed.jar -> " + str);
}
}
// if (str.contains("hack|inject|hook|call")) { // 检测 maps 内的关键字
//
// }
}
} catch (Exception e) {
e.printStackTrace();
}
}
private static void checkCache() {
ClassLoader cl = ClassLoader.getSystemClassLoader();
String xpHelper = "de.robv.android.xposed.XposedHelpers";
Log.i(TAG, "checkCache IN");
try {
Object XPHelpers = cl.loadClass(xpHelper).newInstance(); // 在 nexus6 的 7.1 系统上获取失败,抛出异常
if (XPHelpers != null) {
filterField(XPHelpers, "fieldCache");
filterField(XPHelpers, "methodCache");
filterField(XPHelpers, "constructorCache");
} else {
Log.i(TAG, "cannot find Xposed framework");
}
Log.i(TAG, "cache content -> " + sb.length() + " -> " + sb);
} catch (Exception e) {
e.printStackTrace();
}
}
private static void filterField(Object xpHelper, String cacheName) {
try {
Field f = xpHelper.getClass().getDeclaredField(cacheName);
f.setAccessible(true);
HashMap caMap = (HashMap)f.get(xpHelper);
if (caMap == null) {
return;
}
Set caSet = caMap.keySet();
if (caSet.isEmpty()) {
return;
}
Log.i(TAG, "filter -> " + cacheName + " , size -> " + caSet.size());
Iterator iterator = caSet.iterator();
while (iterator.hasNext()) {
String key = (String) iterator.next();
Log.i(TAG, "filter key -> " + key);
if (key == null) {
continue;
}
key = key.toLowerCase();
if (key.length() <= 0) {
continue;
}
if (key.startsWith("android.support")) {
continue;
}
if (key.startsWith("javax.")) {
continue;
}
if (key.startsWith("android.webkit")) {
continue;
}
if (key.startsWith("java.util")) {
continue;
}
if (key.startsWith("android.widget")) {
continue;
}
if (key.startsWith("sun.")) {
continue;
}
sb.append(key);
}
} catch (Exception e) {
e.printStackTrace();
}
}
private static void checkJarFile() {
File f = new File("/system/framework/XposedBridge.jar");
if (f.exists()) {
Log.i(TAG, "system may installed Xposed find jar file");
} else {
Log.i(TAG, "system not install Xposed cannot find jar file");
}
}
private static void checkJarClass() {
try {
ClassLoader cl = ClassLoader.getSystemClassLoader();
Class clazz = cl.loadClass("de.robv.android.xposed.XposedBridge");
if (clazz != null) {
Log.i(TAG, "system installed Xposed Class");
} else {
Log.i(TAG, "system not install Xposed Class");
}
} catch (Exception e) {
e.printStackTrace();
}
}
// disable
private static void disableHooks() {
Object obj2 = utils.getStaticFieldOjbectCL("de.robv.android.xposed.XposedBridge", "disableHooks");
Log.i(TAG, "disableHooks seted -> " + obj2);
Log.i(TAG, "disableHooks seted ");
utils.setStaticOjbectCL("de.robv.android.xposed.XposedBridge", "disableHooks", true);
Object obj = utils.getStaticFieldOjbectCL("de.robv.android.xposed.XposedBridge", "disableHooks");
Log.i(TAG, "disableHooks seted -> " + obj);
}
}
3. Cydia 检测
public class Cydia_check {
private static String TAG = "Wooo Cydia";
public static void checkCydia() {
checkMaps();
}
/* 当检测到有对应的 so 文件后,然后根据路径去获取对应的函数地址,如果能获取,说明被加载。有 9 个导出函数。
void* dlopen = lookup_symbol("/data/app-lib/com.saurik.substrate-2/libsubstrate-dvm.so", "MSJavaHookMethod");
void* lookup_symbol(char* libraryname,char* symbolname)
{
void *imagehandle = dlopen(libraryname, RTLD_GLOBAL | RTLD_NOW);
if (imagehandle != NULL){
void * sym = dlsym(imagehandle, symbolname);
if (sym != NULL){
return sym; //发现Cydia Substrate相关模块
}
...
}
*/
private static void checkMaps() {
String so1 = "libsubstrate.so";
String so2 = "libsubstrate-dvm.so";
try {
BufferedReader bufferedReader = new BufferedReader(new FileReader("/proc/" + Process.myPid() + "/maps"));
while (true) {
String str = bufferedReader.readLine();
if (str == null) {
break;
}
if (str.endsWith("so")) {
if (str.contains(so1)) {
Log.i(TAG, "proc/pid/maps find libsubstrate.so -> " + str);
}
if (str.contains(so2)) {
Log.i(TAG, "proc/pid/maps find libsubstrate_dvm.so -> " + str);
}
}
// if (str.contains("hack|inject|hook|call")) { // 检测 maps 内的关键字
//
// }
}
} catch (Exception e) {
e.printStackTrace();
}
}
// 第二种方法:通过检测/proc/self/maps下的加载so库列表得到各个库文件绝度路径,通过fopen函数将so库的内容以16进制读进来放在内存里面进行规则比对,采用字符串模糊查找来检测是否命中黑名单中的方法特征码。
// 参考美团:https://tech.meituan.com/android_anti_hooking.html
}