Xposed檢測繞過
VSole 2023-03-06 14:36:15
分享一些 Xposed 檢測繞過的總結，很多加殼軟件檢測到 Xposed 就會殺死當前軟件進程。
1、繞過jar Class檢測
// Prevent detection code from resolving Xposed classes through ClassLoader.loadClass:
// any request for a class under "de.robv.android.xposed." is redirected to a name
// that does not exist, so the lookup fails the same way it would without Xposed.
// Defender note: a check that only probes loadClass() for the framework package is
// defeated by this single hook; detection should not rest on one such signal.
XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        if (param.args != null && param.args[0] != null
                && param.args[0].toString().startsWith("de.robv.android.xposed.")) {
            // Swap the requested name for a class that does not exist.
            param.args[0] = "de.robv.android.xposed.ThTest";
        }
        super.beforeHookedMethod(param);
    }
});
2、繞過堆棧檢測
// Hooks StackTraceElement.getClassName() so that frames belonging to the Xposed
// framework ("de.robv.android.xposed.") or to com.android.internal.os.ZygoteInit
// report an empty class name. This targets checks that throw an exception and
// scan the resulting stack trace for framework frames.
// Defender note: the frame is not removed, only its class name is blanked, so an
// empty getClassName() in a trace is itself an observable artefact.
XposedHelpers.findAndHookMethod(StackTraceElement.class, "getClassName", new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        String result = (String) param.getResult();
        if (result != null) {
            if (result.contains("de.robv.android.xposed.")) {
                param.setResult("");
                // Log.i(tag, "replaced class name " + result);
            } else if (result.contains("com.android.internal.os.ZygoteInit")) {
                param.setResult("");
            }
        }
        super.afterHookedMethod(param);
    }
});
3、繞過包名檢測
// Hooks ApplicationPackageManager.getInstalledApplications(int) and strips the
// Xposed installer entry from the returned list, so a check that enumerates
// installed packages does not see it. Only the exact package name
// "de.robv.android.xposed.installer" is removed, even though the comment below
// (copied from elsewhere) talks about a keyword set.
// NOTE(review): the generic type arguments (likely List<ApplicationInfo> and
// Iterator<ApplicationInfo>) appear to have been stripped when the page was
// rendered; with raw types as shown, iter.next() would need a cast -- confirm.
// `lpparam` and `debugPref` are defined outside this snippet.
findAndHookMethod("android.app.ApplicationPackageManager", lpparam.classLoader, "getInstalledApplications", int.class, new XC_MethodHook() {
    @SuppressWarnings("unchecked")
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        // Runs after getInstalledApplications has returned.
        if (debugPref) {
            XposedBridge.log("Hooked getInstalledApplications");
        }
        List packages = (List) param.getResult(); // Get the results from the method call
        Iterator iter = packages.iterator();
        ApplicationInfo tempAppInfo;
        String tempPackageName;
        // Iterate through the list of ApplicationInfo and remove the entry whose
        // package name is the Xposed installer.
        while (iter.hasNext()) {
            tempAppInfo = iter.next();
            tempPackageName = tempAppInfo.packageName;
            if (tempPackageName != null && tempPackageName.equals("de.robv.android.xposed.installer")) {
                iter.remove();
                if (debugPref) {
                    XposedBridge.log("Found and hid package: " + tempPackageName);
                }
            }
        }
        param.setResult(packages); // Set the return value to the filtered list
    }
});
4、繞過jar文件檢測
// Hooks the java.io.File(String) constructor at the highest callback priority so
// it runs before other modules. Any path containing "XposedBridge" is rewritten to
// "/system/app/" + FAKE_FILE, so existence checks for XposedBridge.jar fail.
// `findConstructorExact`, `debugPref`, `isRootCloakLoadingPref` and `FAKE_FILE`
// come from the surrounding module (not shown). The variable name and the log
// text mentioning "super, noshufou, or chainfire" look copied from RootCloak's
// su-hiding hook and do not describe what this check actually matches.
Constructor constructLayoutParams = findConstructorExact(java.io.File.class, String.class);
XposedBridge.hookMethod(constructLayoutParams, new XC_MethodHook(XCallback.PRIORITY_HIGHEST) {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        if (param.args[0] != null) {
            if (debugPref) {
                XposedBridge.log("File: Found a File constructor: " + ((String) param.args[0]));
            }
        }
        if (isRootCloakLoadingPref) {
            // RootCloak is loading its own preferences; that must not be blocked.
            return;
        }
        // NOTE: args[0] was null-checked only for the log above; a null path reaches
        // this call unguarded.
        if (((String) param.args[0]).contains("XposedBridge")) {
            if (debugPref) {
                XposedBridge.log("File: Found a File constructor with word super, noshufou, or chainfire");
            }
            param.args[0] = "/system/app/" + FAKE_FILE;
        }
    }
});
5、繞過maps檢測
// Hooks the java.io.FileReader(String) constructor from the target process'
// class loader: any path containing "/proc/" (case-insensitive) has its result
// set to null, which in Xposed means the original constructor is not run. This
// targets checks that read /proc/<pid>/maps looking for Xposed libraries.
// NOTE: `arg0.toLowerCase()` uses the default locale and a null path is not
// guarded; `lpparam` comes from the surrounding module. Any /proc/ read is
// blocked, not just the maps file, which is a broad and observable side effect.
XposedHelpers.findAndHookConstructor("java.io.FileReader", lpparam.classLoader, String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        String arg0 = (String) param.args[0];
        if (arg0.toLowerCase().contains("/proc/")) {
            param.setResult(null);
        }
    }
});
6、繞過vxp檢測
// Hooks System.getProperty(String): a lookup of the "vxp" property returns null.
// The section title calls this the vxp (presumably VirtualXposed) check; the
// property name is the only signal handled here. A null argument is not guarded.
XposedHelpers.findAndHookMethod("java.lang.System", lpparam.classLoader, "getProperty", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        String arg0 = (String) param.args[0];
        if (arg0.equals("vxp")) {
            param.setResult(null);
        }
    }
});
7、繞過SO檢測
// Hooks Runtime.exec(String[], String[], File) and makes it throw IOException
// whenever the program name matches an entry of `commandSet` (via the helper
// stringEndsWithFromSet); the section title says this targets shell-based checks
// for Xposed .so files. `lpparam`, `debugPref`, `commandSet` and
// stringEndsWithFromSet are defined outside this snippet.
// Observations: both branches of the inner if set the same IOException, so the
// "ls ... lib" special case is a no-op; `commandSet.contains("ls")` tests the set,
// not the command being run; and because a throwable is always set, the
// "New Exec Command" debug block below can never execute.
// Defender note: an IOException from exec for specific commands is itself an
// observable anomaly.
findAndHookMethod("java.lang.Runtime", lpparam.classLoader, "exec", String[].class, String[].class, File.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        if (debugPref) {
            XposedBridge.log("Hooked Runtime.exec");
        }
        String[] execArray = (String[]) param.args[0]; // Grab the tokenized array of commands
        if ((execArray != null) && (execArray.length >= 1)) { // Do some checking so we don't break anything
            String firstParam = execArray[0]; // firstParam is the main command/program being run
            if (debugPref) { // If debugging is on, print out what is being called
                String tempString = "Exec Command:";
                for (String temp : execArray) {
                    tempString = tempString + " " + temp;
                }
                XposedBridge.log(tempString);
            }
            if (stringEndsWithFromSet(firstParam, commandSet)) { // Check if firstParam is one of the filtered keywords
                if (debugPref) {
                    XposedBridge.log("Found blacklisted command at the end of the string: " + firstParam);
                }
                // The original author intended different handling per command here,
                // but both branches currently do the same thing.
                // TODO: ***Clean up this logic***
                if (commandSet.contains("ls") && execArray.length >= 3 && execArray[1].contains("lib")) {
                    param.setThrowable(new IOException());
                } else {
                    param.setThrowable(new IOException());
                }
                if (debugPref && param.getThrowable() == null) { // Print out the new command if debugging is on (unreachable as written)
                    String tempString = "New Exec Command:";
                    for (String temp : (String[]) param.args[0]) {
                        tempString = tempString + " " + temp;
                    }
                    XposedBridge.log(tempString);
                }
            }
        } else {
            if (debugPref) {
                XposedBridge.log("Null or empty array on exec");
            }
        }
    }
});
8、繞過ClassPath檢測
// Hooks System.getenv(String): a lookup of "CLASSPATH" returns the fixed string
// "FAKE.CLASSPATH" instead of the real value, targeting checks that look for
// XposedBridge.jar in the process class path. A null name is not guarded, and the
// constant reply is the same for every caller, which makes it easy to recognise.
XposedHelpers.findAndHookMethod("java.lang.System", lpparam.classLoader, "getenv", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        String arg0 = (String) param.args[0];
        if (arg0.equals("CLASSPATH")) {
            param.setResult("FAKE.CLASSPATH");
        }
    }
});
9、檢測緩存
// `modify` is an int field declared outside this snippet (the original comment
// reads "define global variable modify").
// First hook: after Method.getModifiers() returns, remember the modifier bits in
// `modify`, except for methods named "getDeviceId", for which 0 is stored.
XposedHelpers.findAndHookMethod(Method.class, "getModifiers", new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        Method method = (Method) param.thisObject;
        String[] array = new String[] { "getDeviceId" };
        String method_name = method.getName();
        if (Arrays.asList(array).contains(method_name)) {
            modify = 0;
        } else {
            modify = (int) param.getResult();
        }
        super.afterHookedMethod(param);
    }
});
// Second hook: Modifier.isNative(int) tests the stored `modify` value instead of
// its real argument, so isNative(getDeviceId.getModifiers()) reports false.
// NOTE(review): this presumably targets checks that inspect whether a hooked
// method is reported as native -- confirm. The single shared field assumes
// isNative is always called right after getModifiers on the same thread and
// method; every other isNative call in the process is also affected.
XposedHelpers.findAndHookMethod(Modifier.class, "isNative", int.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        param.args[0] = modify;
        super.beforeHookedMethod(param);
    }
});