# Android root 检测和签名校验相关。
# 签名校验
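当我们对 app 进行重打包操作时,app 的签名将会改变。有些 app 会检测当前签名是否和出厂签名一致。签名校验一般在 app 启动阶段进行,位于 Context 类中。下面是获取签名的代码(有可能被混淆),其中参数 64 即 `PackageManager.GET_SIGNATURES`:

```java
context.getPackageManager().getPackageInfo(context.getPackageName(),64).signatures[0].hashCode()
```

注意:`hashCode()` 只是一个 32 位整数,作为校验依据强度有限;做签名校验时更稳妥的做法是比较签名证书的 SHA-256 指纹,并且不要只依赖客户端本地的判断结果。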
# root 检测
root 检测一般也在 app 启动阶段进行。我们做开发的手机有时候可能是模拟器,或者是已经 root 的手机,部分 app 会检测 root 的特征,禁止启动。一般检测大概是如下几种:

- 检测系统版本是否为开发版
- 检测手机上是否安装了 root 管理器(Magisk、supersu、superuser 等)
- 检查常用目录是否存在 su
- 使用 which 命令查看是否存在 su
- 主动申请 root 权限
- 执行 busybox
- 访问私有目录,如 /data 目录,查看读写权限
- 读取 build.prop 中关键属性,如 ro.build.tags 和 ro.build.type
- 检查市面主流的模拟器
- 检测 frida、xposed 等 Hook 框架的特征
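过 root 检测的 frida 脚本,来自肉丝大佬的星球:大数据安全技术学习。该脚本分别 Hook 了 `String.contains`、`Runtime.exec(String)` 和 `File.exists`,可以用来评估自己 app 的 Java 层 root 检测在进程被插桩时是否仍然可信。

Java.perform(function(){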
// Absolute paths that the File.exists hook further down compares against.
// A path is matched only by exact string equality, so the entries are kept
// exactly as the page lists them.
const commonPaths = [
  "/data/local/bin/su",
  "/data/local/su",
  "/data/local/xbin/su",
  "/dev/com.koushikdutta.superuser.daemon/",
  "/sbin/su",
  "/system/app/Superuser.apk",
  "/system/bin/failsafe/su",
  "/system/bin/su",
  "/system/etc/init.d/99SuperSUDaemon",
  "/system/sd/xbin/su",
  "/system/xbin/busybox",
  "/system/xbin/daemonsu",
  "/system/xbin/su",
  "/system/sbin/su",
  "/vendor/bin/s",
  "/su/bin/su",
];
// Replace java.lang.String.contains.
// The original method is always called once. When the argument is strictly
// equal to the JS string "test-keys" the hook answers false whatever the real
// result was; for every other argument it logs the call and passes the real
// result through.
// NOTE(review): presumably aimed at checks of ro.build.tags (mentioned in the
// text above) — confirm against the app under test.
// Takeaway for app authors: a build-tag check whose only decision point is
// String.contains inside the app process can be overridden by in-process
// instrumentation, so it should not be the sole root signal.
const StringClass = Java.use("java.lang.String");
StringClass.contains.implementation = function (name) {
  const realResult = this.contains(name);
  if (name === "test-keys") {
    return false;
  }
  console.log("JavaString", name, realResult);
  return realResult;
};
// Replace the exec(String) overload of java.lang.Runtime; this block does not
// touch any other exec overload.
// The original exec is always invoked first, so the command is still run
// (or still fails on its own) before the hook decides what the caller sees:
//   - command ends with "su": log the call, then throw a java.io.IOException
//     with the message "Hacker" instead of returning the result;
//   - anything else: log the call and return the real result.
// Takeaway for app authors: a "does exec(...su) throw?" probe is answered by
// whatever controls the process, so treat it as a hint, not as proof.
const RuntimeClass = Java.use("java.lang.Runtime");
const IOExceptionClass = Java.use("java.io.IOException");
RuntimeClass.exec.overload("java.lang.String").implementation = function (command) {
  const realResult = this.exec(command);
  if (!command.endsWith("su")) {
    console.log("JavaRuntime2", command, realResult);
    return realResult;
  }
  console.log("JavaRuntime", command, realResult);
  throw IOExceptionClass.$new("Hacker");
};
// Replace java.io.File.exists.
// The absolute path of the File is looked up in commonPaths (exact string
// match). The original exists() is always called; for a listed path the call
// is logged and false is returned, for any other path the real result is
// returned without logging.
// Takeaway for app authors: file-presence probes made through java.io.File
// share a trust boundary with anything instrumenting the process; corroborate
// them with a signal that is verified outside the device (e.g. server-checked
// attestation).
const FileClass = Java.use("java.io.File");
FileClass.exists.implementation = function () {
  const absolutePath = this.getAbsolutePath();
  const isListed = commonPaths.indexOf(absolutePath) !== -1;
  const realResult = this.exists();
  if (!isListed) {
    return realResult;
  }
  console.log("JavaFile", absolutePath, realResult);
  return false;
};
})