v1.1
添加反调试检测扫描
moyuwa committed Apr 29, 2024
1 parent 9c00ce4 commit 1032c21
Showing 2 changed files with 21 additions and 1 deletion.
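--- a/README.md
+++ b/README.md
@@ -33,4 +33,4 @@
 √ 特征so库扫描:通过对比加固特征so库名/路径,判断是否有加固
 √ 校验签名:校验V2签名,判断是否存在Janus漏洞
 √ 密钥泄露:扫描Apk文件内容,匹配是否有密钥字符串
-√ 反环境检测:扫描Dex文件搜索是否有Root、模拟器检测
+√ 反环境检测:扫描Dex文件搜索是否有Root、模拟器、反调试检测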
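--- a/ScanAntiByDex.go
+++ b/ScanAntiByDex.go
@@ -80,6 +80,19 @@ var emulatorStrings = []string{
 "/dev/qemu_trace",
 }
 
+// 反调试检测
+var DebugStrings = []string{
+"checkFridaRunningProcesses", //getSystemService("activity").getRunningServices(300)
+"checkRunningProcesses", //"frida-server"、"fridaserver"
+"checkRunningServices", //supersu、superuser进程名检测
+"threadCpuTimeNanos", // cpu计算时间差检测是否被调试
+"TamperingWithJavaRuntime", //篡改Java运行时
+"com.android.internal.os.ZygoteInit", //篡改Java运行时
+"com.saurik.substrate.MS$2", //篡改Java运行时
+"de.robv.android.xposed.XposedBridge", //篡改Java运行时
+"detectBypassSSL",
+}
+
 func ScanDexAnti(dexData []byte, filePath string) {
 // 搜索dex文件中是否包含root检测特征字符串
 for _, str := range rootstringsCommonpaths {
@@ -95,6 +108,13 @@ func ScanDexAnti(dexData []byte, filePath string) {
 break
 }
 }
+// 搜索dex文件中是否包含运行篡改检测特征函数
+for _, str := range DebugStrings {
+if bytes.Contains(dexData, []byte(str)) {
+fmt.Printf("发现反调试检测特征 [dex]: %s->%s\n", str, filePath)
+//break //因为包含了反调试、反sslbypass、反java运行篡改 不做直接跳出
+}
+}
 }
 
 func ScanAPKAnti(apkpath string) bool {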
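Review bot: Every hit in the new loop at the end of ScanDexAnti is printed as `发现反调试检测特征`, although `DebugStrings` also carries hook-framework class names (Substrate, Xposed), process/service checks and `detectBypassSSL`, which the commented-out `break` itself acknowledges, so the report cannot tell the reader which protection was actually found. Splitting the list per category, or pairing each signature with a category and printing it (`fmt.Printf("发现%s特征 [dex]: %s->%s\n", category, str, filePath)`), would make the finding usable; an unexported name would also match the neighbouring `emulatorStrings`. Entries such as `checkFridaRunningProcesses`, `checkRunningProcesses`, `TamperingWithJavaRuntime` and `detectBypassSSL` look like app-defined identifiers that are presumably renamed by R8/ProGuard, so a doc comment on the list should state that no match does not mean the check is absent. ScanDexAnti starts in the first hunk and ends in the second; its earlier loops are only partly visible here.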