一文带你了解android中对注入框架的检测。


(以下的检测来源于对某APP进行逆向分析得出的情况)

1.检测栈信息

image.png

2.检测包名信息

public static boolean xp1(Context context) {
    // The installer package name is kept Base64-encoded so it does not show up
    // as a plain string in the APK; "ZGUu...cg==" decodes to
    // de.robv.android.xposed.installer. The flag value 2 is presumably
    // android.util.Base64.NO_WRAP -- confirm against the Base64 type in scope.
    final byte[] decodedName = Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5pbnN0YWxsZXI=", 2);
    final String installerPackage = new String(decodedName);

    // scanPackage() is defined elsewhere in this class; from here it is only
    // known to answer whether the named package is present on the device.
    // NOTE(review): a package-name lookup only matches this exact installer
    // package; a renamed or hidden installer, or a fork using a different
    // package name, would not be caught by this check.
    final boolean installerFound = scanPackage(context, installerPackage);

    // NOTE(review): logging the verdict under a fixed tag tells anyone watching
    // logcat exactly which check fired, which makes a targeted bypass easier.
    MLog.b("attack", "Installed xposed:" + installerFound);
    return installerFound;
}

解密
ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5pbnN0YWxsZXI= = de.robv.android.xposed.installer
 

 

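 public static boolean xp2(Context context) {
     // Kept from the original: the return value is discarded, presumably to keep
     // the Context parameter "used" -- the call has no effect on the result.
     context.getFilesDir();

     // Obfuscated names, decoded once here instead of once per stack frame:
     //   ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U= -> de.robv.android.xposed.XposedBridge
     //   bWFpbg==                                         -> main
     //   aGFuZGxlSG9va2VkTWV0aG9k                         -> handleHookedMethod
     final String bridgeClass = new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U=", 2));
     final String mainMethod = new String(Base64.decode("bWFpbg==", 2));
     final String hookMethod = new String(Base64.decode("aGFuZGxlSG9va2VkTWV0aG9k", 2));

     try {
         // Throwing captures the current thread's call stack; the message text
         // is only a marker and is echoed to the log below.
         throw new Exception("凸一_一凸");
     } catch (Exception e) {
         MLog.a("attack", e.getMessage());

         // Look for an XposedBridge.main or XposedBridge.handleHookedMethod frame.
         // NOTE(review): such a frame is only present when this method, or one
         // of its callers on the current path, is itself hooked; an installed
         // but idle framework yields false here.
         boolean hit = false;
         for (StackTraceElement frame : e.getStackTrace()) {
             if (bridgeClass.equals(frame.getClassName())
                     && (mainMethod.equals(frame.getMethodName()) || hookMethod.equals(frame.getMethodName()))) {
                 hit = true;
                 break; // one matching frame decides; the original kept scanning
             }
         }

         // Removed: an unused `StackTraceElement[] stackTrace` local from the
         // decompiled original.
         MLog.b("attack", "Exception hit:" + hit);
         return hit;
     }
 }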

 

解密:

ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U= = de.robv.android.xposed.XposedBridge


aGFuZGxlSG9va2VkTWV0aG9k = handleHookedMethod

bWFpbg== = main
 

 ```
 
```java


  public static String xp3(Context context) {
      // Return value discarded, as in the original; it does not influence the result.
      context.getFilesDir();

      // Obfuscated names:
      //   ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRIZWxwZXJz -> de.robv.android.xposed.XposedHelpers
      //   ZmllbGRDYWNoZQ==                                 -> fieldCache
      final String helpersClass = new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRIZWxwZXJz", 2));
      final String cacheField = new String(Base64.decode("ZmllbGRDYWNoZQ==", 2));

      String result;
      try {
          // DexAOPEntry.java_lang_ClassLoader_loadClass_proxy is a project wrapper
          // around ClassLoader.loadClass. When the framework's classes are not
          // loadable from the system class loader this is expected to throw and
          // the method reports null.
          Class<?> helpers = DexAOPEntry.java_lang_ClassLoader_loadClass_proxy(ClassLoader.getSystemClassLoader(), helpersClass);
          Field cache = helpers.getDeclaredField(cacheField);
          cache.setAccessible(true);
          // Static field, hence the null receiver. Only the keys are reported;
          // presumably they name the fields modules have resolved through
          // XposedHelpers -- confirm against the framework version in use.
          Map cacheMap = (Map) cache.get(null);
          result = new JSONArray(new ArrayList(cacheMap.keySet())).toString();
      } catch (Exception e) {
          // Any failure (class missing, field renamed, access denied) collapses to null.
          result = null;
      }
      MLog.b("attack", "FieldInHook msg:" + result);
      return result;
  }


解密:

ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRIZWxwZXJz = de.robv.android.xposed.XposedHelpers

ZmllbGRDYWNoZQ== = fieldCache


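 public static String xp4(Context context) {
     // Return value discarded, as in the original; it does not influence the result.
     context.getFilesDir();

     // Obfuscated names:
     //   ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U=  -> de.robv.android.xposed.XposedBridge
     //   c0hvb2tlZE1ldGhvZENhbGxiYWNrcw==                  -> sHookedMethodCallbacks
     //   ZGUu...U29ydGVkU2V0=                              -> de.robv.android.xposed.XposedBridge$CopyOnWriteSortedSet
     //   Z2V0U25hcHNob3Q=                                  -> getSnapshot
     final String bridgeClass = new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U=", 2));
     final String callbacksField = new String(Base64.decode("c0hvb2tlZE1ldGhvZENhbGxiYWNrcw==", 2));
     final String sortedSetClass = new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2UkQ29weU9uV3JpdGVTb3J0ZWRTZXQ=", 2));
     final String snapshotMethod = new String(Base64.decode("Z2V0U25hcHNob3Q=", 2));

     // Fix: the decompiled original left `str` unassigned on the exception path
     // (a compile error at the final log line) and, when `a2` was null, overwrote
     // the methodToNative() result with null. Initialise once and assign in
     // every branch below.
     String str = null;
     PackHookPlugin packHookPlugin = new PackHookPlugin(1);
     try {
         ClassLoader systemLoader = ClassLoader.getSystemClassLoader();
         Field callbacks = DexAOPEntry.java_lang_ClassLoader_loadClass_proxy(systemLoader, bridgeClass).getDeclaredField(callbacksField);
         callbacks.setAccessible(true);
         // Static field: the framework's own table of hooked members and their callbacks.
         Map hooked = (Map) callbacks.get(null);
         Class sortedSet = DexAOPEntry.java_lang_ClassLoader_loadClass_proxy(systemLoader, sortedSetClass);
         Method getSnapshot = sortedSet.getDeclaredMethod(snapshotMethod, new Class[0]);

         // Fix: iterating a raw Set with an `Entry` loop variable does not compile;
         // take each element as Object and cast explicitly.
         for (Object rawEntry : hooked.entrySet()) {
             Entry entry = (Entry) rawEntry;
             Member target = (Member) entry.getKey();
             Object callbackSet = entry.getValue();
             // ScanMethod.a() (defined elsewhere) turns the hooked member into the
             // string reported; an empty string means "not of interest, skip".
             String targetName = ScanMethod.a(target.toString());
             if ("".equals(targetName) || !sortedSet.isInstance(callbackSet)) {
                 continue;
             }
             for (Object callback : (Object[]) getSnapshot.invoke(callbackSet, new Object[0])) {
                 // Fix: classes defined by the bootstrap loader report a null
                 // ClassLoader; the original would NPE here and abandon the whole
                 // scan through the catch below. Skip such callbacks instead.
                 ClassLoader callbackLoader = callback.getClass().getClassLoader();
                 if (callbackLoader == null) {
                     continue;
                 }
                 // The loader's toString() is split on double quotes; element 1 is
                 // presumably the quoted path of the module APK that installed the
                 // hook -- confirm against the loader's toString() format.
                 String[] parts = callbackLoader.toString().split("\"");
                 if (parts.length > 1) {
                     packHookPlugin.a(StringTool.a(parts, 1), targetName);
                 }
             }
         }

         // Merge the Java-level hooks with whatever methodToNative() (defined
         // elsewhere) reports; either side may be null.
         JSONArray hooks = packHookPlugin.a();
         JSONArray nativeHooks = methodToNative();
         if (hooks != null) {
             if (nativeHooks != null) {
                 for (int i = 0; i < nativeHooks.length(); i++) {
                     hooks.put(nativeHooks.getJSONObject(i));
                 }
             }
             str = hooks.toString();
         } else if (nativeHooks != null) {
             str = nativeHooks.toString();
         }
     } catch (Exception e) {
         // Absence of the framework classes lands here (ClassNotFoundException);
         // record it instead of swallowing silently so failures are diagnosable.
         MLog.a("attack", "MethodInHook failed: " + e);
     }
     MLog.b("attack", "MethodInHook msg:" + str);
     return str;
 }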

解密:

ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U= = de.robv.android.xposed.XposedBridge

 

c0hvb2tlZE1ldGhvZENhbGxiYWNrcw== = sHookedMethodCallbacks

ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2UkQ29weU9uV3JpdGVTb3J0ZWRTZXQ= = de.robv.android.xposed.XposedBridge$CopyOnWriteSortedSet

Z2V0U25hcHNob3Q= = getSnapshot

 ```
 
```java


 public static boolean xp5(Context context) {
     // `context` is not used by this check; it is accepted for signature parity
     // with the other xpN() probes.
     try {
         // Decoded: U2NhbkF0dGFjaw==                                 -> ScanAttack
         //          ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U= -> de.robv.android.xposed.XposedBridge
         final String marker = new String(Base64.decode("U2NhbkF0dGFjaw==", 2));
         final String bridgeClass = new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U=", 2));

         // Plant a synthetic two-frame trace whose second frame names XposedBridge,
         // then read it straight back. Anything that rewrites stack traces to
         // hide framework frames will have dropped or altered that frame.
         StackTraceElement[] planted = {
                 new StackTraceElement(marker, "", "", 0),
                 new StackTraceElement(bridgeClass, "", "", 0),
         };
         Throwable probe = new Throwable();
         probe.setStackTrace(planted);
         StackTraceElement[] readBack = probe.getStackTrace();

         boolean intact = readBack.length == 2 && readBack[1].getClassName().equals(bridgeClass);
         // true means the trace was tampered with. NOTE(review): this does not
         // detect the framework itself -- an installation that leaves stack
         // traces alone returns false here; it only catches trace-filtering hiders.
         return !intact;
     } catch (Exception e) {
         // Includes a NullPointerException if getStackTrace() returns null.
         return false;
     }
 }

解密:

U2NhbkF0dGFjaw== = ScanAttack

ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U= de.robv.android.xposed.XposedBridge


    public static boolean xp6(Context context) {
        // `context` is not used by this check; it is accepted for signature parity
        // with the other xpN() probes.
        try {
            // Decoded: ZGUucm9idi5hbmRyb2lkLnhwb3NlZA== -> de.robv.android.xposed
            String xposedPackage = new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZA==", 2));

            // Render the current thread's stack as text and look for the package
            // prefix anywhere in it. Only frames on this call path are visible, so
            // the check fires only if this method or one of its callers is hooked.
            // A substring match also hits method or file names containing the
            // prefix, not just class names.
            StringWriter buffer = new StringWriter();
            new Throwable().printStackTrace(new PrintWriter(buffer));
            return buffer.toString().contains(xposedPackage);
        } catch (Exception e) {
            return false;
        }
    }

解密: ZGUucm9idi5hbmRyb2lkLnhwb3NlZA== = de.robv.android.xposed