分享一些Xposed检测绕过的总结,很多加壳软件检测到xposed就会杀死当前软件进程。。。
1.绕过jar Class检测
2.绕过堆栈检测
3.绕过包名检测
4.绕过jar文件检测
5.绕过maps检测
6.绕过vxp检测
7.绕过SO检测
8.绕过ClassPath检测
9.检测缓存
// Intercepts ClassLoader.loadClass(String) so that any request for a class under
// de.robv.android.xposed. is rewritten before the real lookup runs.
// Signal affected: "can the framework's classes be loaded by name in this process".
// Defender note: the check executes inside the hooked process, so its answer can be
// rewritten as shown here; treat it as one weak signal, not as a verdict.
XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        boolean asksForXposed = param.args != null
                && param.args[0] != null
                && param.args[0].toString().startsWith("de.robv.android.xposed.");
        if (asksForXposed) {
            // Substitute a class name that does not exist.
            param.args[0] = "de.robv.android.xposed.ThTest";
        }
        super.beforeHookedMethod(param);
    }
});
// Same hook as listed above: ClassLoader.loadClass(String) is intercepted and a requested
// name beginning with de.robv.android.xposed. is replaced before the lookup happens.
// Defender note: a class-lookup probe of this kind only observes what the (possibly
// hooked) runtime chooses to report.
XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        Object[] callArgs = param.args; // alias of the same array, writes go through
        if (callArgs != null && callArgs[0] != null) {
            String requested = callArgs[0].toString();
            if (requested.startsWith("de.robv.android.xposed.")) {
                // Replace with a class that does not exist.
                callArgs[0] = "de.robv.android.xposed.ThTest";
            }
        }
        super.beforeHookedMethod(param);
    }
});
// Intercepts StackTraceElement.getClassName() and blanks the returned name when it
// contains de.robv.android.xposed. or com.android.internal.os.ZygoteInit.
// Signal affected: stack-trace inspection that looks for framework frames.
// Defender note: the substituted value is an empty string, which a check can treat as
// an anomaly in its own right.
XposedHelpers.findAndHookMethod(StackTraceElement.class, "getClassName", new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        String className = (String) param.getResult();
        boolean hideFrame = className != null
                && (className.contains("de.robv.android.xposed.")
                        || className.contains("com.android.internal.os.ZygoteInit"));
        if (hideFrame) {
            // The original listing carried a disabled Log.i call in the Xposed branch.
            param.setResult("");
        }
        super.afterHookedMethod(param);
    }
});
// Same hook as listed above: after StackTraceElement.getClassName() returns, a name that
// mentions de.robv.android.xposed. or com.android.internal.os.ZygoteInit is replaced by "".
// Defender note: stack traces read through the Java API are only as trustworthy as the
// runtime that produces them.
XposedHelpers.findAndHookMethod(StackTraceElement.class, "getClassName", new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        String reported = (String) param.getResult();
        if (reported != null) {
            boolean xposedFrame = reported.contains("de.robv.android.xposed.");
            // Only evaluated when the first test fails, as in the original else-if.
            boolean zygoteFrame = !xposedFrame
                    && reported.contains("com.android.internal.os.ZygoteInit");
            if (xposedFrame || zygoteFrame) {
                param.setResult("");
            }
        }
        super.afterHookedMethod(param);
    }
});
// Intercepts ApplicationPackageManager.getInstalledApplications(int), resolved through
// lpparam.classLoader, and removes the entry whose package name is exactly
// de.robv.android.xposed.installer from the list handed back to the caller.
// Signal affected: package-name checks against the installed-application list.
// debugPref and lpparam are defined outside this snippet.
findAndHookMethod("android.app.ApplicationPackageManager", lpparam.classLoader,
        "getInstalledApplications", int.class, new XC_MethodHook() {
    @SuppressWarnings("unchecked")
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        if (debugPref) {
            XposedBridge.log("Hooked getInstalledApplications");
        }
        // Result of the real call; the cast is unchecked.
        List<ApplicationInfo> installed = (List<ApplicationInfo>) param.getResult();
        for (Iterator<ApplicationInfo> it = installed.iterator(); it.hasNext();) {
            String pkg = it.next().packageName;
            if (!"de.robv.android.xposed.installer".equals(pkg)) {
                continue;
            }
            it.remove();
            if (debugPref) {
                XposedBridge.log("Found and hid package: " + pkg);
            }
        }
        // Hand the filtered list back as the method's return value.
        param.setResult(installed);
    }
});
// Same hook as listed above: the list returned by
// ApplicationPackageManager.getInstalledApplications(int) is filtered so that the
// de.robv.android.xposed.installer entry is no longer present.
// Defender note: a package list obtained inside the inspected process reflects whatever
// a hook of this kind leaves in it.
findAndHookMethod("android.app.ApplicationPackageManager", lpparam.classLoader,
        "getInstalledApplications", int.class, new XC_MethodHook() {
    @SuppressWarnings("unchecked")
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        if (debugPref) {
            XposedBridge.log("Hooked getInstalledApplications");
        }
        List<ApplicationInfo> apps = (List<ApplicationInfo>) param.getResult();
        Iterator<ApplicationInfo> cursor = apps.iterator();
        while (cursor.hasNext()) {
            ApplicationInfo entry = cursor.next();
            String name = entry.packageName;
            boolean isInstaller = name != null && name.equals("de.robv.android.xposed.installer");
            if (isInstaller) {
                cursor.remove();
                if (debugPref) {
                    XposedBridge.log("Found and hid package: " + name);
                }
            }
        }
        // Return the list with the matching entry removed.
        param.setResult(apps);
    }
});
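// Intercepts the java.io.File(String) constructor at highest hook priority and redirects
// any path containing "XposedBridge" to "/system/app/" + FAKE_FILE.
// Signal affected: file-existence checks for the framework's jar made through java.io.File.
// The variable name is kept from the original listing although it holds a File constructor.
// debugPref, isRootCloakLoadingPref and FAKE_FILE are defined outside this snippet.
Constructor<?> constructLayoutParams = findConstructorExact(java.io.File.class, String.class);
XposedBridge.hookMethod(constructLayoutParams, new XC_MethodHook(XCallback.PRIORITY_HIGHEST) {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        String path = (String) param.args[0];
        if (path == null) {
            // Nothing to inspect; the original dereferenced a null path further down.
            return;
        }
        if (debugPref) {
            XposedBridge.log("File: Found a File constructor: " + path);
        }
        if (isRootCloakLoadingPref) {
            // RootCloak is loading its own preferences; leave this call untouched.
            return;
        }
        if (path.contains("XposedBridge")) {
            if (debugPref) {
                // Message now names the keyword that is actually tested.
                XposedBridge.log("File: Found a File constructor with word XposedBridge");
            }
            param.args[0] = "/system/app/" + FAKE_FILE;
        }
    }
});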
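// Same hook as listed above: java.io.File(String) is intercepted with
// XCallback.PRIORITY_HIGHEST and a path containing "XposedBridge" is replaced by
// "/system/app/" + FAKE_FILE before the constructor runs.
// Defender note: a java.io.File probe only sees the path that reaches the constructor
// after hooks have run.
// debugPref, isRootCloakLoadingPref and FAKE_FILE are defined outside this snippet.
Constructor<?> constructLayoutParams = findConstructorExact(java.io.File.class, String.class);
XposedBridge.hookMethod(constructLayoutParams, new XC_MethodHook(XCallback.PRIORITY_HIGHEST) {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        Object rawPath = param.args[0];
        if (rawPath != null && debugPref) {
            XposedBridge.log("File: Found a File constructor: " + ((String) rawPath));
        }
        if (isRootCloakLoadingPref) {
            // RootCloak is reading its own preferences; do not interfere.
            return;
        }
        // Null guard: the original called contains() on a possibly null path.
        if (rawPath != null && ((String) rawPath).contains("XposedBridge")) {
            if (debugPref) {
                // Log text corrected to match the keyword checked above.
                XposedBridge.log("File: Found a File constructor with word XposedBridge");
            }
            param.args[0] = "/system/app/" + FAKE_FILE;
        }
    }
});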
// Intercepts the java.io.FileReader(String) constructor, resolved through
// lpparam.classLoader. When the lower-cased path contains "/proc/", a null result is set
// in the before-callback, which makes Xposed skip the original constructor.
// Signal affected: checks that read files under /proc/ through FileReader.
// NOTE(review): the state of a FileReader whose constructor was skipped is not shown
// here; presumably later reads on it fail. Confirm before relying on it.
XposedHelpers.findAndHookConstructor("java.io.FileReader", lpparam.classLoader, String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        String path = (String) param.args[0];
        boolean underProc = path.toLowerCase().contains("/proc/");
        if (underProc) {
            param.setResult(null);
        }
    }
});
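// Same hook as listed above: java.io.FileReader(String) is intercepted and, for a path
// whose lower-cased form contains "/proc/", a null result is set before the constructor
// runs, so the original constructor is skipped.
// Defender note: file reads made through Java I/O classes inside the inspected process
// can be cut off this way and should not be the only source for such a check.
XposedHelpers.findAndHookConstructor("java.io.FileReader", lpparam.classLoader, String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        String arg0 = (String) param.args[0];
        if (arg0.toLowerCase().contains("/proc/")) {
            param.setResult(null);
        }
    }
});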