检测是否安装了xposed相关应用,检测调用栈道的可疑方法,检测并不应该native的native方法,通过/proc/[pid]/maps检测可疑的共享对象或者JAR。

移动开发 2023-06-05 12:49:51 阅读次数: 0



package com.greens1995.myapplication;


import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.util.Log;


import java.io.BufferedReader;
import java.io.FileReader;
import java.util.HashSet;
import java.util.List;
import java.util.Set;


/**
 * Created by Ben on 2018/1/29.
 */


public class CheckHook {


    public static boolean isHook(Context context) {
        return isHookByPackageName(context) || isHookByStack(context) || isHookByJar();
    }


    /**
     * 包名检测
     *
     * @param context
     * @return
     */
    public static boolean isHookByPackageName(Context context) {
        boolean isHook = false;
        PackageManager packageManager = context.getPackageManager();
        List<ApplicationInfo> applicationInfoList = packageManager.getInstalledApplications(PackageManager.GET_META_DATA);
        if (null == applicationInfoList) {
            return isHook;
        }
        for (ApplicationInfo applicationInfo : applicationInfoList) {
            if (applicationInfo.packageName.equals("de.robv.android.xposed.installer")) {
                Log.wtf("HookDetection", "Xposed found on the system.");
                isHook = true;
            }
            if (applicationInfo.packageName.equals("com.saurik.substrate")) {
                isHook = true;
                Log.wtf("HookDetection", "Substrate found on the system.");
            }
        }
        return isHook;
    }
 // 1. 如果存在Xposed框架hook  
    // (1)在dalvik.system.NativeStart.main方法后出现de.robv.android.xposed.XposedBridge.main调用  
    // (2)如果Xposed hook了调用栈里的一个方法,  
    // 还会有de.robv.android.xposed.XposedBridge.handleHookedMethod  
    // 和de.robv.android.xposed.XposedBridge.invokeOriginalMethodNative调用  
  
    // 2. 如果存在Substrate框架hook  
    // (1)dalvik.system.NativeStart.main调用后会出现2次com.android.internal.os.ZygoteInit.main,而不是一次。  
    // (2)如果Substrate hook了调用栈里的一个方法,  
    // 还会出现com.saurik.substrate.MS$2.invoked,com.saurik.substrate.MS$MethodPointer.invoke还有跟Substrate扩展相关的方法 
    public static boolean isHookByStack(Context context) {
        boolean isHook = false;
        try {
            throw new Exception("blah");
        } catch (Exception e) {
            int zygoteInitCallCount = 0;
            for (StackTraceElement stackTraceElement : e.getStackTrace()) {
                if (stackTraceElement.getClassName().equals("com.android.internal.os.ZygoteInit")) {
                    zygoteInitCallCount++;
                    if (zygoteInitCallCount == 2) {
                        Log.wtf("HookDetection", "Substrate is active on the device.");
                        isHook = true;
                    }
                }
                if (stackTraceElement.getClassName().equals("com.saurik.substrate.MS$2") &&
                        stackTraceElement.getMethodName().equals("invoked")) {
                    Log.wtf("HookDetection", "A method on the stack trace has been hooked using Substrate.");
                    isHook = true;
                }
                if (stackTraceElement.getClassName().equals("de.robv.android.xposed.XposedBridge") &&
                        stackTraceElement.getMethodName().equals("main")) {
                    Log.wtf("HookDetection", "Xposed is active on the device.");
                    isHook = true;
                }
                if (stackTraceElement.getClassName().equals("de.robv.android.xposed.XposedBridge") &&
                        stackTraceElement.getMethodName().equals("handleHookedMethod")) {
                    Log.wtf("HookDetection", "A method on the stack trace has been hooked using Xposed.");
                    isHook = true;
                }


            }
        }
        return isHook;
    }


    public static boolean isHookByJar() {
        boolean isHook = false;
        try {
            Set<String> libraries = new HashSet();
            String mapsFilename = "/proc/" + android.os.Process.myPid() + "/maps";
            BufferedReader reader = new BufferedReader(new FileReader(mapsFilename));
            String line;
            while ((line = reader.readLine()) != null) {
                if (line.endsWith(".so") || line.endsWith(".jar")) {
                    int n = line.lastIndexOf(" ");
                    libraries.add(line.substring(n + 1));
                }
            }
            for (String library : libraries) {
                if (library.contains("com.saurik.substrate")) {
                    Log.wtf("HookDetection", "Substrate shared object found: " + library);
                    isHook = true;
                }
                if (library.contains("XposedBridge.jar")) {
                    Log.wtf("HookDetection", "Xposed JAR found: " + library);
                    isHook = true;
                }
            }
            reader.close();
        } catch (Exception e) {
            Log.wtf("HookDetection", e.toString());
        }
        return isHook;
    }
}


  

猜你喜欢

转载自blog.csdn.net/qq_37599041/article/details/80110088
今日推荐
周排行
Leetcode简单题61~80
解决zookeeper磁盘IO高的问题
多线程相关方法详解
Maven-setting.xml文件详解
Maven 项目的 classpath 理解
渊亭科技大数据笔试题
配置JVM内存分配
计算机网络个人学习笔记 (三)网络层 :第三部分 连载
js中两个等号(==)和三个等号(===)的区别
用C程序自动打开电脑上的程序
每日归档
更多
2024-09-18(0)
2024-09-17(0)
2024-09-16(0)
2024-09-15(0)
2024-09-14(0)
2024-09-13(0)
2024-09-12(0)
2024-09-11(0)
2024-09-10(0)
2024-09-09(0)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022