新功能

moyuwa · Jan 26, 2024 · ab2814a · ab2814a
1 parent aa300f8
commit ab2814a
Show file tree

Hide file tree

Showing 6 changed files with 164 additions and 7 deletions.
diff --git a/ACPverifyAllSignatureVersions.go b/ACPverifyAllSignatureVersions.go
@@ -0,0 +1,31 @@
+package main
+
+import (
+	"fmt"
+	"github.com/avast/apkverifier"
+	"os"
+)
+
+func verifyApk(apkpath string) bool {
+	//读取配置
+	res, err := apkverifier.Verify(apkpath, nil)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Verification failed: %s\n", err.Error())
+		return false
+	}
+	//判断是否为V1版本
+	if res.SigningSchemeId == 1 {
+		fmt.Printf("Verification scheme used: v%d 版本签名,有Janus漏洞!\n", res.SigningSchemeId)
+	} else {
+		fmt.Printf("Verification scheme used: v%d 版本签名,无Janus漏洞!\n", res.SigningSchemeId)
+	}
+	//输出相信信息
+	cert, _ := apkverifier.PickBestApkCert(res.SignerCerts)
+	if cert == nil {
+		fmt.Printf("No certificate found.\n")
+	} else {
+		fmt.Println(cert)
+	}
+
+	return true
+}
diff --git a/PackByLibSo.go b/PackByLibSo.go
@@ -30,23 +30,23 @@ func PackByLibSo(apkpath string) bool {
 			//fmt.Println("Sopath:", s)
 			for _, file := range apkReader.File {
 				if file.Name == s {
-					fmt.Printf("Sopath %s->%s\n", key, file.Name)
+					fmt.Printf("发现加固特征 Sopath  %s->%s\n", key, file.Name)
 				}
 			}
 		}
 		for _, s := range value.Soname {
 			//fmt.Println("Soname:", s)
 			for _, file := range apkReader.File {
 				if strings.Contains(file.Name, s) {
-					fmt.Printf("Soname %s->%s\n", key, file.Name)
+					fmt.Printf("发现加固特征 Soname  %s->%s\n", key, file.Name)
 				}
 			}
 		}
 		for _, s := range value.Other {
 			//fmt.Println("Other:", s)
 			for _, file := range apkReader.File {
 				if strings.Contains(file.Name, s) {
-					fmt.Printf("Other %s->%s\n", key, file.Name)
+					fmt.Printf("发现加固特征 Other   %s->%s\n", key, file.Name)
 				}
 			}
 		}
@@ -55,7 +55,7 @@ func PackByLibSo(apkpath string) bool {
 			for _, file := range apkReader.File {
 				re := regexp.MustCompile(s)
 				if re.MatchString(file.Name) {
-					fmt.Printf("Soregex %s->%s\n", key, file.Name)
+					fmt.Printf("发现加固特征 Soregex %s->%s\n", key, file.Name)
 				}
 			}
 		}

diff --git a/README.md b/README.md
@@ -26,10 +26,13 @@
 
 ![gui1](run1.png)
 
+![gui1](run2.png)
+
 未来可能有的（大概率没有）
 
     特征so库扫描	通过对比加固特征so库名/路径，判断是否有加固	√
-    校验签名	校验V2签名，判断是否存在Janus漏洞	×
-    com包名	搜索com包名，判断是否有套层加固	×
-    Dex泄露扫描	扫描Dex文件内容，扫描是否有密钥字符串	×
+    校验签名	校验V2签名，判断是否存在Janus漏洞	                √
+    com包名	搜索com包名，判断是否有套层加固	                ×
+    Dex泄露扫描	扫描Dex文件内容，匹配是否有密钥字符串	        ×
+    环境检测扫描	扫描Dex文件搜索是否有Root、模拟器检测	        √
     加固原理判断	对未知加固（厂商），判断是第几代加固，提示脱壳方向	×
diff --git a/ScanAntiByDex.go b/ScanAntiByDex.go
@@ -0,0 +1,120 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"github.com/avast/apkparser"
+	"os"
+	"path"
+)
+
+// root检测常见 路径、字符串
+var rootstringsCommonpaths = []string{
+	"/cache/.disable_magisk",
+	"/cache/magisk.log",
+	"/cache/su",
+	"/data/adb/ksu",
+	"/data/adb/ksud",
+	"/data/adb/magisk",
+	"/data/adb/magisk.db",
+	"/data/adb/magisk.img",
+	"/data/adb/magisk_simple",
+	"/data/local/bin/su",
+	"/data/local/su",
+	"/data/local/xbin/su",
+	"/data/su",
+	"/dev/.magisk.unblock",
+	"/dev/com.koushikdutta.superuser.daemon/",
+	"/dev/su",
+	"/init.magisk.rc",
+	"/sbin/.magisk",
+	"/sbin/su",
+	"/su/bin/su",
+	"/system/app/Kinguser.apk",
+	"/system/app/Superuser.apk",
+	"/system/bin/.ext/su",
+	"/system/bin/failsafe/su",
+	"/system/bin/su",
+	"/system/etc/init.d/99SuperSUDaemon",
+	"/system/sbin/su",
+	"/system/sd/xbin/su",
+	"/system/usr/we-need-root/su",
+	"/system/xbin/busybox",
+	"/system/xbin/daemonsu",
+	"/system/xbin/ku.sud",
+	"/system/xbin/su",
+	"/vendor/bin/su",
+	"Kinguser.apk",  //某些检测会将路径字符串分开
+	"Superuser.apk", //某些检测会将路径字符串分开
+	"/system/xbin/", //某些检测会将路径字符串分开
+	"/vendor/bin/",  //某些检测会将路径字符串分开
+}
+
+// root检测常见 apk 包名字符串
+var rootstringsmanagementApp = []string{
+	"com.chelpus.lackypatch",
+	"com.dimonvideo.luckypatcher",
+	"com.koushikdutta.rommanager",
+	"com.koushikdutta.rommanager.license",
+	"com.koushikdutta.superuser",
+	"com.noshufou.android.su",
+	"com.noshufou.android.su.elite",
+	"com.ramdroid.appquarantine",
+	"com.ramdroid.appquarantinepro",
+	"com.thirdparty.superuser",
+	"com.topjohnwu.magisk",
+	"com.yellowes.su",
+	"eu.chainfire.supersu",
+	"me.weishu.kernelsu",
+}
+
+// 模拟器检查
+var emulatorStrings = []string{
+	"tel:123456",
+	"test-keys",
+	"goldfish",
+	"android-test",
+	"000000000000000",
+	"/dev/socket/qemud",
+	"/dev/qemu_pipe",
+	"/dev/qemu_trace",
+}
+
+func ScanDexAnti(dexData []byte, filePath string) {
+	// 搜索dex文件中是否包含root检测特征字符串
+	for _, str := range rootstringsCommonpaths {
+		if bytes.Contains(dexData, []byte(str)) {
+			fmt.Printf("发现ROOT检测特征   [dex]: %s->%s\n", str, filePath)
+			break
+		}
+	}
+	// 搜索dex文件中是否包含模拟器检测特征字符串
+	for _, str := range emulatorStrings {
+		if bytes.Contains(dexData, []byte(str)) {
+			fmt.Printf("发现模拟器检测特征 [dex]: %s->%s\n", str, filePath)
+			break
+		}
+	}
+}
+
+func ScanAPKAnti(apkpath string) bool {
+	//解析apk文件
+	apkReader, err := apkparser.OpenZip(apkpath)
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		return false
+	}
+	defer apkReader.Close()
+
+	// 读取dex文件扫描
+	for _, file := range apkReader.File {
+		if path.Ext(file.Name) == ".dex" {
+			//fmt.Printf("Scan %s\n", file.Name)
+			var dexData = []byte{}
+			dexData, err = file.ReadAll(1024 * 1024 * 100) //单个文件读取最大设置为100MB
+			ScanDexAnti(dexData, file.Name)
+		}
+	}
+
+	return true
+}
diff --git a/main.go b/main.go
@@ -67,5 +67,8 @@ func scanAPKFolder(folderPath string) error {
 func scanAPKFile(filePath string) error {
 	//fmt.Printf("scanAPKFile")
 	PackByLibSo(filePath)
+	ScanAPKAnti(filePath)
+	//ScanAPKHardCoded(filePath) //匹配规则待调整，先不上
+	verifyApk(filePath)
 	return nil
 }
diff --git a/run2.png b/run2.png