Xposed检测绕过

1.绕过jar Class检测


// Intercepts ClassLoader.loadClass(String): a request for any class whose name
// starts with "de.robv.android.xposed." is redirected to a class name that is
// not defined, so an in-app class-presence probe sees a failed load
// (presumably ClassNotFoundException) rather than a successful one.
// Review note: the probe and this hook run in the same process, so the answer a
// probe gets from loadClass is only as trustworthy as loadClass itself.
XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        final Object[] callArgs = param.args;
        final boolean hasName = callArgs != null && callArgs[0] != null;
        if (hasName && callArgs[0].toString().startsWith("de.robv.android.xposed.")) {
            // Swap in a class name that does not exist.
            param.args[0] = "de.robv.android.xposed.ThTest";
        }
        super.beforeHookedMethod(param);
    }
});

2.绕过堆栈检测


// Rewrites the value returned by StackTraceElement.getClassName(): a frame whose
// class name contains "de.robv.android.xposed." or
// "com.android.internal.os.ZygoteInit" is reported as the empty string.
// Review note: the frame itself stays in the trace and only its name is blanked,
// so a stack frame with an empty class name is an observable anomaly for any
// check that inspects traces.
XposedHelpers.findAndHookMethod(StackTraceElement.class, "getClassName", new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        final String className = (String) param.getResult();
        if (className != null
                && (className.contains("de.robv.android.xposed.")
                        || className.contains("com.android.internal.os.ZygoteInit"))) {
            // Same replacement for both patterns: an empty class name.
            param.setResult("");
        }
        super.afterHookedMethod(param);
    }
});

3.绕过包名检测


// Post-processes ApplicationPackageManager.getInstalledApplications(int): the
// entry whose packageName equals "de.robv.android.xposed.installer" is removed
// from the returned list before the caller receives it.
// `debugPref` and `lpparam` come from the enclosing module and are not shown here.
// Review note: a package-list check evaluated inside the hooked process sees
// only what this callback hands back.
findAndHookMethod("android.app.ApplicationPackageManager", lpparam.classLoader, "getInstalledApplications", int.class, new XC_MethodHook() {
    @SuppressWarnings("unchecked")
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        if (debugPref) {
            XposedBridge.log("Hooked getInstalledApplications");
        }
        // Result of the real call; it is edited in place below.
        // NOTE(review): no null check, so a null result would raise here.
        final List<ApplicationInfo> installed = (List<ApplicationInfo>) param.getResult();
        for (Iterator<ApplicationInfo> it = installed.iterator(); it.hasNext(); ) {
            final String pkg = it.next().packageName;
            if (!"de.robv.android.xposed.installer".equals(pkg)) {
                continue;
            }
            it.remove();
            if (debugPref) {
                XposedBridge.log("Found and hid package: " + pkg);
            }
        }
        // Hand the filtered list back to the caller.
        param.setResult(installed);
    }
});

4.绕过jar文件检测:


// Hooks the java.io.File(String) constructor at the highest callback priority.
// A path containing "XposedBridge" is replaced with "/system/app/" + FAKE_FILE
// before the File object is built, so a later existence check is made against
// the substitute path instead of the framework jar.
// `debugPref`, `isRootCloakLoadingPref` and `FAKE_FILE` are defined outside this snippet.
// NOTE(review): the variable name and the second log message look inherited
// from other hooks; the message mentions "super, noshufou, or chainfire" while
// the check made here is for "XposedBridge".
Constructor<?> constructLayoutParams = findConstructorExact(java.io.File.class, String.class);
XposedBridge.hookMethod(constructLayoutParams, new XC_MethodHook(XCallback.PRIORITY_HIGHEST) {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        final Object rawPath = param.args[0];
        if (rawPath != null && debugPref) {
            XposedBridge.log("File: Found a File constructor: " + ((String) rawPath));
        }
        if (isRootCloakLoadingPref) {
            // The module's own preference loading must pass through untouched.
            return;
        }
        // NOTE(review): a null path is dereferenced here without a guard.
        final String path = (String) param.args[0];
        if (path.contains("XposedBridge")) {
            if (debugPref) {
                XposedBridge.log("File: Found a File constructor with word super, noshufou, or chainfire");
            }
            param.args[0] = "/system/app/" + FAKE_FILE;
        }
    }
});

5.绕过maps检测


// Hooks the java.io.FileReader(String) constructor. When the lower-cased path
// contains "/proc/", setResult(null) in the before-callback makes Xposed skip
// the real constructor body, so the reader is never opened on that file.
// The match is on the whole "/proc/" prefix, not only on maps files, so every
// FileReader on a /proc path is affected.
// Review note: a check that treats an unreadable /proc file as "nothing found"
// passes silently here; treating the read failure itself as a signal does not.
XposedHelpers.findAndHookConstructor("java.io.FileReader", lpparam.classLoader, String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        // NOTE(review): a null path argument is dereferenced without a guard.
        final String path = (String) param.args[0];
        final boolean underProc = path.toLowerCase().contains("/proc/");
        if (underProc) {
            param.setResult(null);
        }
    }
});

6.绕过vxp检测


// Hooks System.getProperty(String): a lookup of the key "vxp" returns null
// without reaching the real method, so the property reads as unset.
// Presumably "vxp" is the marker property the section heading refers to.
// Review note: the value comes from an in-process API call, so it can be
// overridden by any hook installed in that process.
XposedHelpers.findAndHookMethod("java.lang.System", lpparam.classLoader, "getProperty", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        final String key = (String) param.args[0];
        if (!key.equals("vxp")) {
            return;
        }
        // Short-circuit the call with a null result.
        param.setResult(null);
    }
});

7.绕过SO检测


// Hooks Runtime.exec(String[], String[], File). When the first element of the
// command array ends with an entry of `commandSet` (per stringEndsWithFromSet,
// defined outside this snippet), the call is made to throw IOException instead
// of running the command.
// `debugPref`, `commandSet` and `stringEndsWithFromSet` are not shown here.
// Review note: with debugPref on, the full command line including its arguments
// is written to the Xposed log.
findAndHookMethod("java.lang.Runtime", lpparam.classLoader, "exec", String[].class, String[].class, File.class, new XC_MethodHook() {
           @Override
           protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
               if (debugPref) {
                   XposedBridge.log("Hooked Runtime.exec");
               }
               String[] execArray = (String[]) param.args[0]; // Grab the tokenized array of commands
               if ((execArray != null) && (execArray.length >= 1)) { // Do some checking so we don't break anything
                   String firstParam = execArray[0]; // firstParam is going to be the main command/program being run
                   if (debugPref) { // If debugging is on, print out what is being called
                       String tempString = "Exec Command:";
                       for (String temp : execArray) {
                           tempString = tempString + " " + temp;
                       }
                       XposedBridge.log(tempString);
                   }
                   if (stringEndsWithFromSet(firstParam, commandSet)) { // Check if the firstParam is one of the keywords we want to filter
                       if (debugPref) {
                           XposedBridge.log("Found blacklisted command at the end of the string: " + firstParam);
                       }
                       // A bunch of logic follows since the solution depends on which command is being called
                       // TODO: ***Clean up this logic***
                       // NOTE(review): both branches below do the same thing. The condition tests
                       // commandSet (not firstParam) for "ls", and it still dereferences
                       // execArray[1], so a null second element would raise before either
                       // setThrowable call runs.
                       if (commandSet.contains("ls") && execArray.length >= 3 && execArray[1].contains("lib")) {
                           param.setThrowable(new IOException());
                       } else {
                           param.setThrowable(new IOException());
                       }
                       // NOTE(review): a throwable was set on every path just above, so this
                       // debug block looks unreachable as written.
                       if (debugPref && param.getThrowable() == null) { // Print out the new command if debugging is on
                           String tempString = "New Exec Command:";
                           for (String temp : (String[]) param.args[0]) {
                               tempString = tempString + " " + temp;
                           }
                           XposedBridge.log(tempString);
                       }
                   }
               } else {
                   if (debugPref) {
                       XposedBridge.log("Null or empty array on exec");
                   }
               }
           }
       });

8.绕过ClassPath检测


// Hooks System.getenv(String): a lookup of "CLASSPATH" returns the fixed string
// "FAKE.CLASSPATH" without reaching the real method.
// Review note: the substitute is a constant, so the value reported for
// CLASSPATH no longer varies with the actual runtime environment.
XposedHelpers.findAndHookMethod("java.lang.System", lpparam.classLoader, "getenv", String.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        final String variable = (String) param.args[0];
        if (!variable.equals("CLASSPATH")) {
            return;
        }
        // Short-circuit the call with the placeholder value.
        param.setResult("FAKE.CLASSPATH");
    }
});

9.检测缓存


// Requires a module-level variable `modify`, declared outside this snippet.
//
// Hook 1, after Method.getModifiers(): stores the returned modifiers in `modify`,
// or 0 when the reflected method is named "getDeviceId". The value returned to
// the caller is not changed.
// Hook 2, before Modifier.isNative(int): replaces the argument with `modify`.
//
// Net effect: isNative() is evaluated on the last value recorded by hook 1, not
// on the int the caller passed, so for "getDeviceId" it is evaluated on 0.
// Review note: `modify` is shared state written on every getModifiers() call with
// no synchronisation visible here, and isNative() ignores its own argument. A
// check that calls Modifier.isNative with a known constant can therefore observe
// an answer that does not match its input.
XposedHelpers.findAndHookMethod(Method.class, "getModifiers", new XC_MethodHook() {
    @Override
    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
        final String name = ((Method) param.thisObject).getName();
        if ("getDeviceId".equals(name)) {
            modify = 0;
        } else {
            modify = (int) param.getResult();
        }
        super.afterHookedMethod(param);
    }
});

XposedHelpers.findAndHookMethod(Modifier.class, "isNative", int.class, new XC_MethodHook() {
    @Override
    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
        // Substitute the recorded modifiers for whatever the caller supplied.
        param.args[0] = modify;
        super.beforeHookedMethod(param);
    }
});
