Xposed detection bypass
2022-1-30 12:58 16156


Sharing a summary of some Xposed detection bypasses. Many packed apps kill the current app process as soon as they detect Xposed...

1. Bypassing jar class detection

    // Stop detection code from loading de.robv.android.xposed.* classes via loadClass
    XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            if (param.args != null && param.args[0] != null
                    && param.args[0].toString().startsWith("de.robv.android.xposed.")) {
                // Swap in a class name that does not exist, so loadClass fails with ClassNotFoundException
                param.args[0] = "de.robv.android.xposed.ThTest";
            }
            super.beforeHookedMethod(param);
        }
    });

2. Bypassing stack-trace detection

    XposedHelpers.findAndHookMethod(StackTraceElement.class, "getClassName", new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            String result = (String) param.getResult();
            if (result != null) {
                if (result.contains("de.robv.android.xposed.")) {
                    // Blank out Xposed frames
                    param.setResult("");
                    // Log.i(tag, "Replaced class name " + result);
                } else if (result.contains("com.android.internal.os.ZygoteInit")) {
                    // Blank out the ZygoteInit frame as well
                    param.setResult("");
                }
            }
            super.afterHookedMethod(param);
        }
    });

3. Bypassing package-name detection

    // debugPref and lpparam are fields of the surrounding Xposed module (not shown here)
    findAndHookMethod("android.app.ApplicationPackageManager", lpparam.classLoader, "getInstalledApplications", int.class, new XC_MethodHook() {
        @SuppressWarnings("unchecked")
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable { // Runs after getInstalledApplications returns
            if (debugPref) {
                XposedBridge.log("Hooked getInstalledApplications");
            }

            List<ApplicationInfo> packages = (List<ApplicationInfo>) param.getResult(); // Result of the original call
            if (packages == null) {
                return;
            }
            Iterator<ApplicationInfo> iter = packages.iterator();

            // Walk the list and drop the Xposed Installer entry
            while (iter.hasNext()) {
                ApplicationInfo appInfo = iter.next();
                String packageName = appInfo.packageName;
                if ("de.robv.android.xposed.installer".equals(packageName)) {
                    iter.remove();
                    if (debugPref) {
                        XposedBridge.log("Found and hid package: " + packageName);
                    }
                }
            }

            param.setResult(packages); // Return the filtered list
        }
    });

4. Bypassing jar file detection:

    // debugPref, isRootCloakLoadingPref and FAKE_FILE are fields of the surrounding module
    // (this snippet is adapted from RootCloak; FAKE_FILE is a placeholder file name to substitute)
    Constructor<?> fileCtor = findConstructorExact(java.io.File.class, String.class);
    XposedBridge.hookMethod(fileCtor, new XC_MethodHook(XCallback.PRIORITY_HIGHEST) {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            String path = (String) param.args[0];
            if (path == null) {
                return; // new File((String) null) throws NullPointerException by itself; nothing to rewrite
            }
            if (debugPref) {
                XposedBridge.log("File: Found a File constructor: " + path);
            }

            if (isRootCloakLoadingPref) {
                // RootCloak is loading its own preferences; don't block that.
                return;
            }
            if (path.contains("XposedBridge")) {
                if (debugPref) {
                    XposedBridge.log("File: Found a File constructor referencing XposedBridge");
                }
                // Point the constructor at a harmless file instead
                param.args[0] = "/system/app/" + FAKE_FILE;
            }
        }
    });

5. Bypassing maps detection

    XposedHelpers.findAndHookConstructor("java.io.FileReader", lpparam.classLoader, String.class, new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            String path = (String) param.args[0];
            // Skip the real constructor for anything under /proc (e.g. /proc/self/maps)
            if (path != null && path.toLowerCase().contains("/proc/")) {
                param.setResult(null);
            }
        }
    });

6. Bypassing vxp detection

    XposedHelpers.findAndHookMethod("java.lang.System", lpparam.classLoader, "getProperty", String.class, new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            String key = (String) param.args[0];
            // Report the "vxp" system property as unset
            if ("vxp".equals(key)) {
                param.setResult(null);
            }
        }
    });

7. Bypassing SO detection

    // debugPref, lpparam, commandSet and stringEndsWithFromSet() are provided by the surrounding module (not shown)
    findAndHookMethod("java.lang.Runtime", lpparam.classLoader, "exec", String[].class, String[].class, File.class, new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            if (debugPref) {
                XposedBridge.log("Hooked Runtime.exec");
            }

            String[] execArray = (String[]) param.args[0]; // Tokenised command line
            if (execArray == null || execArray.length < 1) { // Guard so we don't break anything
                if (debugPref) {
                    XposedBridge.log("Null or empty array on exec");
                }
                return;
            }

            String firstParam = execArray[0]; // The program being run
            if (debugPref) { // If debugging is on, print what is being called
                StringBuilder cmd = new StringBuilder("Exec Command:");
                for (String part : execArray) {
                    cmd.append(' ').append(part);
                }
                XposedBridge.log(cmd.toString());
            }

            // If the program is one of the filtered commands, make exec() fail with an IOException.
            // The original code branched on "ls" of a lib directory versus everything else, but both
            // branches threw the same IOException, so a single throw is equivalent.
            if (stringEndsWithFromSet(firstParam, commandSet)) {
                if (debugPref) {
                    XposedBridge.log("Found blacklisted command at the end of the string: " + firstParam);
                }
                param.setThrowable(new IOException());
            }
        }
    });

8. Bypassing CLASSPATH detection

    XposedHelpers.findAndHookMethod("java.lang.System", lpparam.classLoader, "getenv", String.class, new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            String name = (String) param.args[0];
            // Return a fake CLASSPATH so the Xposed jar entry is not visible
            if ("CLASSPATH".equals(name)) {
                param.setResult("FAKE.CLASSPATH");
            }
        }
    });
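As an added, detection-side example (not part of the original post): each hook in sections 2, 5, 6 and 8 intercepts one specific Java entry point, and a check that reaches the same information through a neighbouring entry point is not affected by it. The class and method names here are hypothetical.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;

// Added example, not from the original post: checks that sit beside the hooked entry points.
public final class XposedPresenceCheck {

    // Section 5 hooks only the FileReader(String) constructor; FileInputStream is a
    // separate route to /proc/self/maps that the hook never sees.
    public static boolean mapsMentionXposed() {
        try (BufferedReader r = new BufferedReader(new InputStreamReader(
                new FileInputStream("/proc/self/maps"), StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null) {
                if (line.toLowerCase().contains("xposed")) {
                    return true;
                }
            }
            return false;
        } catch (IOException e) {
            // A process can always read its own maps; failure here is abnormal.
            return true;
        }
    }

    // Section 2 rewrites getClassName() to "" for Xposed frames. A frame with an
    // empty class name never occurs in an unhooked stack, so the blank is itself a tell.
    public static boolean stackLooksHooked() {
        for (StackTraceElement e : new Throwable().getStackTrace()) {
            String cls = e.getClassName();
            if (cls.isEmpty() || cls.startsWith("de.robv.android.xposed.")) {
                return true;
            }
        }
        return false;
    }

    // Section 6 hooks getProperty(String) and section 8 hooks getenv(String).
    // The two-argument getProperty overload and the no-argument getenv() map
    // are separate entry points that those hooks do not intercept.
    public static boolean envOrPropertiesMentionXposed() {
        String cp = System.getenv().get("CLASSPATH");
        boolean classpathHit = cp != null && cp.contains("XposedBridge");
        boolean vxpHit = System.getProperty("vxp", null) != null;
        return classpathHit || vxpHit;
    }
}
```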

9. Detection cache

    // modify is a global int field: the getModifiers hook records the value that the isNative hook should see
    // (needs java.lang.reflect.Method, java.lang.reflect.Modifier and java.util.Arrays)
    XposedHelpers.findAndHookMethod(Method.class, "getModifiers", new XC_MethodHook() {
        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            Method method = (Method) param.thisObject;
            String[] hookedMethods = new String[] { "getDeviceId" };
            String methodName = method.getName();
            if (Arrays.asList(hookedMethods).contains(methodName)) {
                modify = 0; // Record no modifiers for hooked methods (Xposed marks hooked methods as native)
            } else {
                modify = (int) param.getResult();
            }
            super.afterHookedMethod(param);
        }
    });

    XposedHelpers.findAndHookMethod(Modifier.class, "isNative", int.class, new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            // Replace the caller's argument with the value recorded by the getModifiers hook above
            param.args[0] = modify;
            super.beforeHookedMethod(param);
        }
    });

Latest replies (10)
乐不思蜀1 2022-1-30 18:55
Learned something.
wx_洛玖川 2022-3-8 14:49
666
不吃早饭 2022-3-8 15:33
This bypass is seriously underestimating everyone out there.
随风而行aa 2022-3-8 15:56
+1, support.
无名小姐 2022-4-5 19:38
Thanks, thanks.
wanderdeng 2022-4-12 16:25
Tested it; it doesn't work.
aqingadmin 2022-7-25 20:02
Some apps don't kill the process, but the hook can't be injected.
文西哥 2023-2-22 22:44
Learned something new.
梦幻雪月 2023-12-14 15:42
In "Bypassing jar file detection", where does isRootCloakLoadingPref come from?
And what is the value of FAKE_FILE!?
TrumpWY 2023-12-18 18:46
Shamiko, hiding the app list... if those could hide everything completely, wouldn't there be no need to fear detection?