Copyright belongs to the author. If you repost, please cite the source: https://cyrus-studio.github.io/blog/
FART countermeasures
The packer (shell) of a certain video app checks for FART characteristics at startup. The logcat output looks like this:
2025-05-29 02:16:25.612 2557-2557 ActivityThread cn.cntv E go into handleBindApplication
2025-05-29 02:16:25.630 2557-2557 cn.cntv cn.cntv I The ClassLoaderContext is a special shared library.
2025-05-29 02:16:25.807 1512-17245 ActivityManager system_process I Process cn.cntv (pid 2557) has died: fore TOP
2025-05-29 02:16:25.875 1512-1588 ActivityManager system_process I Start proc 2628:cn.cntv/u0a140 for top-activity {cn.cntv/com.cctv.mcctv.ui.activity.SplashActivity}
2025-05-29 02:16:25.932 2628-2628 ActivityThread cn.cntv E go into handleBindApplication
2025-05-29 02:16:25.945 2628-2628 cn.cntv cn.cntv I The ClassLoaderContext is a special shared library.
2025-05-29 02:16:26.113 1512-4110 ActivityManager system_process I Process cn.cntv (pid 2628) has died: fore TOP
2025-05-29 02:16:26.179 1512-1588 ActivityManager system_process I Start proc 2716:cn.cntv/u0a140 for top-activity {cn.cntv/com.cctv.mcctv.ui.activity.SplashActivity}
2025-05-29 02:16:26.233 2716-2716 ActivityThread cn.cntv E go into handleBindApplication
2025-05-29 02:16:26.245 2716-2716 cn.cntv cn.cntv I The ClassLoaderContext is a special shared library.
2025-05-29 02:16:26.291 2716-2716 cn.cntv cn.cntv W type=1400 audit(0.0:126069): avc: granted { execute } for path="/data/data/cn.cntv/files/libexec.so" dev="mmcblk0p64" ino=157243 scontext=u:r:untrusted_app:s0:c140,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c140,c256,c512,c768 tclass=file app=cn.cntv
2025-05-29 02:16:26.304 2716-2716 cn.cntv cn.cntv W type=1400 audit(0.0:126070): avc: granted { execute } for path="/data/data/cn.cntv/files/libexecmain.so" dev="mmcblk0p64" ino=157244 scontext=u:r:untrusted_app:s0:c140,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c140,c256,c512,c768 tclass=file app=cn.cntv
2025-05-29 02:16:26.324 2716-2716 cn.cntv cn.cntv W type=1400 audit(0.0:126071): avc: denied { execmod } for path="/apex/com.android.runtime/lib64/libart.so" dev="mmcblk0p61" ino=313 scontext=u:r:untrusted_app:s0:c140,c256,c512,c768 tcontext=u:object_r:system_lib_file:s0 tclass=file permissive=0 app=cn.cntv
2025-05-29 02:16:26.334 2716-2716 cn.cntv cn.cntv W type=1400 audit(0.0:126072): avc: denied { execmod } for path="/system/lib64/liblog.so" dev="mmcblk0p61" ino=3229 scontext=u:r:untrusted_app:s0:c140,c256,c512,c768 tcontext=u:object_r:system_lib_file:s0 tclass=file permissive=0 app=cn.cntv
2025-05-29 02:16:26.385 1512-17245 ActivityManager system_process I Process cn.cntv (pid 2716) has died: fore TOP
2025-05-29 02:16:26.441 1512-1588 ActivityManager system_process I Start proc 2807:cn.cntv/u0a140 for top-activity {cn.cntv/com.cctv.mcctv.ui.activity.SplashActivity}
2025-05-29 02:16:26.491 2807-2807 ActivityThread cn.cntv E go into handleBindApplication
2025-05-29 02:16:26.506 2807-2807 cn.cntv cn.cntv I The ClassLoaderContext is a special shared library.
2025-05-29 02:16:26.682 1512-17245 ActivityManager system_process I Process cn.cntv (pid 2807) has died: fore TOP
2025-05-29 02:16:26.731 1512-1588 ActivityManager system_process I Start proc 2872:cn.cntv/u0a140 for top-activity {cn.cntv/com.cctv.mcctv.ui.activity.SplashActivity}
2025-05-29 02:16:26.783 2872-2872 ActivityThread cn.cntv E go into handleBindApplication
The packer is ajm's. The app loads native .so files that actively check for FART characteristics:
avc: granted { execute } for path="/data/data/cn.cntv/files/libexec.so"
avc: granted { execute } for path="/data/data/cn.cntv/files/libexecmain.so"
Once an anomaly is found, it triggers a crash (kill):
Process cn.cntv (pid 2628) has died: fore TOP
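As an added example (not part of the original post): a small Python script that parses the ActivityManager lines quoted above and flags the start-then-die loop that a startup self-kill leaves in logcat. The sample log is a constructed subset of the lines shown; the function names and thresholds are my own.

```python
import re
from datetime import datetime

# Constructed sample: the ActivityManager start/death events for cn.cntv
# taken from the logcat excerpt quoted in the post.
SAMPLE_LOG = """\
2025-05-29 02:16:25.807 1512-17245 ActivityManager system_process I Process cn.cntv (pid 2557) has died: fore TOP
2025-05-29 02:16:25.875 1512-1588 ActivityManager system_process I Start proc 2628:cn.cntv/u0a140 for top-activity {cn.cntv/com.cctv.mcctv.ui.activity.SplashActivity}
2025-05-29 02:16:26.113 1512-4110 ActivityManager system_process I Process cn.cntv (pid 2628) has died: fore TOP
2025-05-29 02:16:26.179 1512-1588 ActivityManager system_process I Start proc 2716:cn.cntv/u0a140 for top-activity {cn.cntv/com.cctv.mcctv.ui.activity.SplashActivity}
2025-05-29 02:16:26.385 1512-17245 ActivityManager system_process I Process cn.cntv (pid 2716) has died: fore TOP
2025-05-29 02:16:26.441 1512-1588 ActivityManager system_process I Start proc 2807:cn.cntv/u0a140 for top-activity {cn.cntv/com.cctv.mcctv.ui.activity.SplashActivity}
"""

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
START_RE = re.compile(r"^(\S+ \S+) .*?Start proc (\d+):([\w.]+)/")
DIED_RE = re.compile(r"^(\S+ \S+) .*?Process ([\w.]+) \(pid (\d+)\) has died")


def process_lifetimes(log_text, pkg):
    """Pair each 'Start proc' line with the 'has died' line for the same pid.

    Returns [(pid, lifetime_seconds), ...] in log order, only for pids whose
    start and death both appear in the log.
    """
    started = {}  # pid -> start timestamp
    lifetimes = []
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if m and m.group(3) == pkg:
            started[int(m.group(2))] = datetime.strptime(m.group(1), TS_FMT)
            continue
        m = DIED_RE.match(line)
        if m and m.group(2) == pkg and int(m.group(3)) in started:
            pid = int(m.group(3))
            delta = datetime.strptime(m.group(1), TS_FMT) - started.pop(pid)
            lifetimes.append((pid, round(delta.total_seconds(), 3)))
    return lifetimes


def detect_kill_loop(log_text, pkg, max_lifetime=2.0, min_cycles=2):
    """True when pkg was relaunched and died again at least min_cycles times,
    each time living under max_lifetime seconds: the signature a startup
    self-kill (such as the anti-FART check above) leaves in logcat."""
    short = [lt for lt in process_lifetimes(log_text, pkg) if lt[1] <= max_lifetime]
    return len(short) >= min_cycles


if __name__ == "__main__":
    print(process_lifetimes(SAMPLE_LOG, "cn.cntv"))  # [(2628, 0.238), (2716, 0.206)]
    print(detect_kill_loop(SAMPLE_LOG, "cn.cntv"))   # True
```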
How can similar functionality be implemented?
- First, find FART's characteristics
- Detect and identify those FART characteristics
- If FART characteristics are detected, kill the process; otherwise let the app start normally
FART characteristics
What characteristics does FART have? They can be found by reading the FART source code.
FART source code: https://github.com/CYRUS-STUDIO/FART
For a detailed introduction to FART, see the following articles: