来源:看雪学苑收集编辑:那年没下雪
本文为看雪论坛优秀文章
看雪论坛作者ID:那年没下雪
分享一些Xposed检测绕过的总结,很多加壳软件检测到xposed就会杀死当前软件进程。
1、绕过jar Class检测
// Bypass the check that uses ClassLoader.loadClass to look up Xposed classes.
// Hook ClassLoader.loadClass(String): when the requested class name starts with
// "de.robv.android.xposed.", the name argument is rewritten to one that is presumably
// absent, so the lookup no longer resolves the real framework class. The call itself is
// still forwarded to the original loadClass (no setResult here).
de.robv.android.xposed.XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        // Null-guard the argument array and the name before calling toString().
        if (param.args != null && param.args[0] != null && param.args[0].toString().startsWith("de.robv.android.xposed.")) {
            // Replace with a class name that does not exist.
            param.args[0] = "de.robv.android.xposed.ThTest";
        }
        super.beforeHookedMethod(param);
    }
});
2、绕过堆栈检测
// Hook StackTraceElement.getClassName(): frames whose class name contains the Xposed
// package prefix or "com.android.internal.os.ZygoteInit" report an empty string instead.
// Note: this hook is global — it alters getClassName() for every caller in the process,
// not only for detection code inspecting the stack.
XposedHelpers.findAndHookMethod(StackTraceElement.class, "getClassName", new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        String result = (String) param.getResult();
        if (result != null) {
            if (result.contains("de.robv.android.xposed.")) {
                param.setResult("");
                // Log.i(tag, "replaced class name " + result);
            } else if (result.contains("com.android.internal.os.ZygoteInit")) {
                param.setResult("");
            }
        }
        super.afterHookedMethod(param);
    }
});
3、绕过包名检测
// Hook ApplicationPackageManager.getInstalledApplications(int) and drop the entry whose
// package name is exactly "de.robv.android.xposed.installer" from the returned list.
// The list returned by the original call is mutated in place via Iterator.remove().
// debugPref is a flag defined elsewhere; lpparam is the LoadPackageParam of the enclosing
// handleLoadPackage, which is not part of this excerpt.
findAndHookMethod("android.app.ApplicationPackageManager", lpparam.classLoader, "getInstalledApplications", int.class, new XC_MethodHook() {
    @SuppressWarnings("unchecked")
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        // Hook after getInstalledApplications is called
        if (debugPref) {
            XposedBridge.log("Hooked getInstalledApplications");
        }
        List<ApplicationInfo> packages = (List<ApplicationInfo>) param.getResult(); // Get the results from the method call
        Iterator<ApplicationInfo> iter = packages.iterator();
        ApplicationInfo tempAppInfo;
        String tempPackageName;
        // Iterate through the list of ApplicationInfo and remove the entry whose package name
        // equals the Xposed Installer's (no keyword set is consulted in this excerpt).
        while (iter.hasNext()) {
            tempAppInfo = iter.next();
            tempPackageName = tempAppInfo.packageName;
            if (tempPackageName != null && tempPackageName.equals("de.robv.android.xposed.installer")) {
                iter.remove();
                if (debugPref) {
                    XposedBridge.log("Found and hid package: " + tempPackageName);
                }
            }
        }
        param.setResult(packages); // Set the return value to the filtered list
    }
});
4、绕过jar文件检测
// Hook the java.io.File(String) constructor at highest priority. Any path argument that
// contains "XposedBridge" is replaced with "/system/app/" + FAKE_FILE before the File
// object is created. FAKE_FILE, debugPref and isRootCloakLoadingPref are fields defined
// elsewhere (the RootCloak reference suggests this hook was adapted from that project).
// The variable name constructLayoutParams is misleading: it holds the File constructor.
Constructor<?> constructLayoutParams = findConstructorExact(java.io.File.class, String.class);
XposedBridge.hookMethod(constructLayoutParams, new XC_MethodHook(XCallback.PRIORITY_HIGHEST) {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        // This null check guards only the log statement; the contains() call further down
        // dereferences param.args[0] unconditionally.
        if (param.args[0] != null) {
            if (debugPref) {
                XposedBridge.log("File: Found a File constructor: " + ((String) param.args[0]));
            }
        }
        if (isRootCloakLoadingPref) {
            // RootCloak is trying to load its preferences; we shouldn't block this.
            return;
        }
        if (((String) param.args[0]).contains("XposedBridge")) {
            if (debugPref) {
                // The log text still names RootCloak's keywords; the condition above
                // only tests for "XposedBridge".
                XposedBridge.log("File: Found a File constructor with word super, noshufou, or chainfire");
            }
            param.args[0] = "/system/app/" + FAKE_FILE;
        }
    }
});
5、绕过maps检测
// Hook the java.io.FileReader(String) constructor. If the path (lower-cased with the
// default locale) contains "/proc/", setResult(null) is called from beforeHookedMethod,
// which makes Xposed skip the original constructor body. arg0 is dereferenced without a
// null check.
XposedHelpers.findAndHookConstructor("java.io.FileReader", lpparam.classLoader, String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        String arg0 = (String) param.args[0];
        if (arg0.toLowerCase().contains("/proc/")) {
            param.setResult(null);
        }
    }
});
6、绕过vxp检测
// Hook System.getProperty(String): a lookup of the "vxp" property yields null because
// setResult is called from beforeHookedMethod (the original method is then skipped).
// All other property names pass through untouched. arg0 is not null-checked.
XposedHelpers.findAndHookMethod("java.lang.System", lpparam.classLoader, "getProperty", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        String arg0 = (String) param.args[0];
        if (arg0.equals("vxp")) {
            param.setResult(null);
        }
    }
});
7、绕过SO检测
// Hook Runtime.exec(String[], String[], File). When the first token of the command array
// matches commandSet (via the helper stringEndsWithFromSet), the call is made to fail with
// an IOException via setThrowable, so the original exec does not run. debugPref,
// commandSet and stringEndsWithFromSet are defined elsewhere and not shown here.
findAndHookMethod("java.lang.Runtime", lpparam.classLoader, "exec", String[].class, String[].class, File.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        if (debugPref) {
            XposedBridge.log("Hooked Runtime.exec");
        }
        String[] execArray = (String[]) param.args[0]; // Grab the tokenized array of commands
        if ((execArray != null) && (execArray.length >= 1)) { // Do some checking so we don't break anything
            String firstParam = execArray[0]; // firstParam is going to be the main command/program being run
            if (debugPref) { // If debugging is on, print out what is being called
                String tempString = "Exec Command:";
                for (String temp : execArray) {
                    tempString = tempString + " " + temp;
                }
                XposedBridge.log(tempString);
            }
            if (stringEndsWithFromSet(firstParam, commandSet)) { // Check if the firstParam is one of the keywords we want to filter
                if (debugPref) {
                    XposedBridge.log("Found blacklisted command at the end of the string: " + firstParam);
                }
                // A bunch of logic follows since the solution depends on which command is being called
                // TODO: ***Clean up this logic***
                // NOTE(review): both branches below set the same IOException, so the
                // "ls ... lib" condition currently has no observable effect.
                if (commandSet.contains("ls") && execArray.length >= 3 && execArray[1].contains("lib")) {
                    param.setThrowable(new IOException());
                } else {
                    param.setThrowable(new IOException());
                }
                if (debugPref && param.getThrowable() == null) { // Print out the new command if debugging is on
                    // NOTE(review): getThrowable() is always non-null after the branches
                    // above, so this block is dead code as written.
                    String tempString = "New Exec Command:";
                    for (String temp : (String[]) param.args[0]) {
                        tempString = tempString + " " + temp;
                    }
                    XposedBridge.log(tempString);
                }
            }
        } else {
            if (debugPref) {
                XposedBridge.log("Null or empty array on exec");
            }
        }
    }
});
8、绕过ClassPath检测
// Hook System.getenv(String): a lookup of "CLASSPATH" returns the constant string
// "FAKE.CLASSPATH" (setResult in beforeHookedMethod skips the original method).
// Other environment variables are unaffected. arg0 is not null-checked.
XposedHelpers.findAndHookMethod("java.lang.System", lpparam.classLoader, "getenv", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        String arg0 = (String) param.args[0];
        if (arg0.equals("CLASSPATH")) {
            param.setResult("FAKE.CLASSPATH");
        }
    }
});
9、检测缓存
// Define the global variable modify (an int field declared outside this excerpt and
// shared by the two hooks below).
//
// First hook: after Method.getModifiers() returns, the real modifier bits are stored in
// modify — except for methods named "getDeviceId", for which 0 is stored instead.
// Second hook: Modifier.isNative(int) receives modify as its argument in place of the
// value the caller passed.
// Note: the hooks communicate only through this single field, so isNative sees whatever
// the most recent getModifiers() call stored, regardless of which Method the caller is
// actually asking about; any other code calling Modifier.isNative in the process is
// affected the same way.
XposedHelpers.findAndHookMethod(Method.class, "getModifiers", new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        Method method = (Method) param.thisObject;
        String[] array = new String[] { "getDeviceId" };
        String method_name = method.getName();
        if (Arrays.asList(array).contains(method_name)) {
            modify = 0;
        } else {
            modify = (int) param.getResult();
        }
        super.afterHookedMethod(param);
    }
});
XposedHelpers.findAndHookMethod(Modifier.class, "isNative", int.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        // Replace the caller's argument with the value recorded by the getModifiers hook.
        param.args[0] = modify;
        super.beforeHookedMethod(param);
    }
});
看雪ID:那年没下雪
https://bbs.kanxue.com/user-home-884888.htm