JNI的方式来检测AndroidServiceHook(演示检测爆破签名校验)
本帖最后由 LivedForward 于 2019-9-21 21:10 编辑之前的帖子:https://www.52pojie.cn/thread-1015426-1-1.html
检测系统关键API是否被JDK动态代理Hook,以PackageManager为例,演示了如何检测App自身是否
被爆破签名校验.
这里我使用JNI方式来实现,也就是C++来编写.
代码如下:
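/* Defined later in this file; the prototype avoids an implicit declaration. */
jobject getCurrentPMSObject(JNIEnv *env);

/*
 * isHookPMS - detect whether the process-wide IPackageManager cached in
 * ActivityThread.sPackageManager has been replaced by a java.lang.reflect.Proxy
 * (the usual way a signature-check bypass hooks getPackageInfo()).
 *
 * A class generated by java.lang.reflect.Proxy has Proxy as its direct
 * superclass, so the test is "the superclass of the object's class is
 * assignable to Proxy". A genuine IPackageManager$Stub$Proxy (the Binder
 * proxy) extends Object and therefore does not match.
 *
 * @param env  JNI environment of the calling thread.
 * @return 1 if the PackageManager object is a dynamic proxy (hooked);
 *         0 if it is not, or if the object could not be obtained / a JNI
 *         lookup failed. On a failed lookup the pending Java exception is
 *         cleared so the caller can continue; a caller that wants to treat
 *         "could not determine" as untrusted should not rely on this value
 *         alone.
 */
int isHookPMS(JNIEnv *env){
    int hooked = 0;
    jobject cPMSO = NULL;
    jclass cPMSC = NULL;
    jclass cPMSFC = NULL;
    jclass proxyClass = NULL;

    cPMSO = getCurrentPMSObject(env);
    if (cPMSO == NULL) {
        goto cleanup;
    }

    cPMSC = (*env)->GetObjectClass(env, cPMSO);
    cPMSFC = (*env)->GetSuperclass(env, cPMSC);
    /* GetSuperclass returns NULL for java.lang.Object and for interfaces;
     * IsAssignableFrom must not be handed a NULL class. */
    if (cPMSFC == NULL) {
        goto cleanup;
    }

    proxyClass = (*env)->FindClass(env, "java/lang/reflect/Proxy");
    if (proxyClass == NULL) {
        /* ClassNotFoundException is pending; clear it before further JNI calls. */
        (*env)->ExceptionClear(env);
        goto cleanup;
    }

    if ((*env)->IsAssignableFrom(env, cPMSFC, proxyClass)) {
        hooked = 1; /* PMS is hooked: sPackageManager is a dynamic proxy */
    }

cleanup:
    /* Single cleanup path; only release references that were actually obtained. */
    if (proxyClass != NULL) {
        (*env)->DeleteLocalRef(env, proxyClass);
    }
    if (cPMSFC != NULL) {
        (*env)->DeleteLocalRef(env, cPMSFC);
    }
    if (cPMSC != NULL) {
        (*env)->DeleteLocalRef(env, cPMSC);
    }
    if (cPMSO != NULL) {
        (*env)->DeleteLocalRef(env, cPMSO);
    }
    return hooked;
}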
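/*
 * getCurrentPMSObject - fetch the IPackageManager instance that the framework
 * caches in the static field android.app.ActivityThread.sPackageManager.
 *
 * Fixes relative to the earlier version:
 *  - sPackageManager is a static field, so GetStaticObjectField takes the
 *    class, not an ActivityThread instance (passing the instance violates the
 *    JNI contract; CheckJNI aborts on it). Because only the class is needed,
 *    currentActivityThread() is no longer called.
 *  - jmethodID / jfieldID are opaque IDs, not references, and must never be
 *    passed to DeleteLocalRef.
 *  - every lookup is NULL-checked; a failed lookup leaves a Java exception
 *    pending, which is cleared here so the caller can keep using JNI.
 *
 * @param env  JNI environment of the calling thread.
 * @return a new local reference to the IPackageManager object, owned by the
 *         caller (release with DeleteLocalRef), or NULL if the class or field
 *         could not be resolved or the field is still unset.
 */
jobject getCurrentPMSObject(JNIEnv *env){
    jobject sPackageManager = NULL;

    jclass activityThreadClass = (*env)->FindClass(env, "android/app/ActivityThread");
    if (activityThreadClass == NULL) {
        (*env)->ExceptionClear(env);
        return NULL;
    }

    jfieldID sPackageManagerFieldId = (*env)->GetStaticFieldID(env, activityThreadClass,
            "sPackageManager", "Landroid/content/pm/IPackageManager;");
    if (sPackageManagerFieldId == NULL) {
        /* Field not present on this platform build: report "unknown" as NULL. */
        (*env)->ExceptionClear(env);
    } else {
        /* Static field: read it through the class, not an instance. */
        sPackageManager = (*env)->GetStaticObjectField(env, activityThreadClass,
                sPackageManagerFieldId);
    }

    (*env)->DeleteLocalRef(env, activityThreadClass);
    return sPackageManager;
}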
测试APP下载地址:
链接:https://pan.baidu.com/s/1q4hPBivmyns98dMwAbGBMQ 提取码:5168 这是高手
谢谢楼主 辛苦了 ~~~~ 华为测试成功{:17_1068:}
所以要破解要改so。。。
没有电脑,用不了ida,回合结束 帮忙格式化了一下
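/* Defined later in this file; the prototype avoids an implicit declaration. */
jobject getCurrentPMSObject(JNIEnv *env);

/*
 * isHookPMS - detect whether the process-wide IPackageManager cached in
 * ActivityThread.sPackageManager has been replaced by a java.lang.reflect.Proxy
 * (the usual way a signature-check bypass hooks getPackageInfo()).
 *
 * A class generated by java.lang.reflect.Proxy has Proxy as its direct
 * superclass, so the test is "the superclass of the object's class is
 * assignable to Proxy". A genuine IPackageManager$Stub$Proxy (the Binder
 * proxy) extends Object and therefore does not match.
 *
 * @param env  JNI environment of the calling thread.
 * @return 1 if the PackageManager object is a dynamic proxy (hooked);
 *         0 if it is not, or if the object could not be obtained / a JNI
 *         lookup failed. On a failed lookup the pending Java exception is
 *         cleared so the caller can continue; a caller that wants to treat
 *         "could not determine" as untrusted should not rely on this value
 *         alone.
 */
int isHookPMS(JNIEnv *env){
    int hooked = 0;
    jobject cPMSO = NULL;
    jclass cPMSC = NULL;
    jclass cPMSFC = NULL;
    jclass proxyClass = NULL;

    cPMSO = getCurrentPMSObject(env);
    if (cPMSO == NULL) {
        goto cleanup;
    }

    cPMSC = (*env)->GetObjectClass(env, cPMSO);
    cPMSFC = (*env)->GetSuperclass(env, cPMSC);
    /* GetSuperclass returns NULL for java.lang.Object and for interfaces;
     * IsAssignableFrom must not be handed a NULL class. */
    if (cPMSFC == NULL) {
        goto cleanup;
    }

    proxyClass = (*env)->FindClass(env, "java/lang/reflect/Proxy");
    if (proxyClass == NULL) {
        /* ClassNotFoundException is pending; clear it before further JNI calls. */
        (*env)->ExceptionClear(env);
        goto cleanup;
    }

    if ((*env)->IsAssignableFrom(env, cPMSFC, proxyClass)) {
        hooked = 1; /* PMS is hooked: sPackageManager is a dynamic proxy */
    }

cleanup:
    /* Single cleanup path; only release references that were actually obtained. */
    if (proxyClass != NULL) {
        (*env)->DeleteLocalRef(env, proxyClass);
    }
    if (cPMSFC != NULL) {
        (*env)->DeleteLocalRef(env, cPMSFC);
    }
    if (cPMSC != NULL) {
        (*env)->DeleteLocalRef(env, cPMSC);
    }
    if (cPMSO != NULL) {
        (*env)->DeleteLocalRef(env, cPMSO);
    }
    return hooked;
}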
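/*
 * getCurrentPMSObject - fetch the IPackageManager instance that the framework
 * caches in the static field android.app.ActivityThread.sPackageManager.
 *
 * Fixes relative to the earlier version:
 *  - sPackageManager is a static field, so GetStaticObjectField takes the
 *    class, not an ActivityThread instance (passing the instance violates the
 *    JNI contract; CheckJNI aborts on it). Because only the class is needed,
 *    currentActivityThread() is no longer called.
 *  - jmethodID is an opaque ID, not a reference, and must never be passed to
 *    DeleteLocalRef.
 *  - every lookup is NULL-checked; a failed lookup leaves a Java exception
 *    pending, which is cleared here so the caller can keep using JNI.
 *
 * @param env  JNI environment of the calling thread.
 * @return a new local reference to the IPackageManager object, owned by the
 *         caller (release with DeleteLocalRef), or NULL if the class or field
 *         could not be resolved or the field is still unset.
 */
jobject getCurrentPMSObject(JNIEnv *env){
    jobject sPackageManager = NULL;

    jclass activityThreadClass = (*env)->FindClass(env, "android/app/ActivityThread");
    if (activityThreadClass == NULL) {
        (*env)->ExceptionClear(env);
        return NULL;
    }

    jfieldID sPackageManagerFieldId = (*env)->GetStaticFieldID(env, activityThreadClass,
            "sPackageManager", "Landroid/content/pm/IPackageManager;");
    if (sPackageManagerFieldId == NULL) {
        /* Field not present on this platform build: report "unknown" as NULL. */
        (*env)->ExceptionClear(env);
    } else {
        /* Static field: read it through the class, not an instance. */
        sPackageManager = (*env)->GetStaticObjectField(env, activityThreadClass,
                sPackageManagerFieldId);
    }

    (*env)->DeleteLocalRef(env, activityThreadClass);
    return sPackageManager;
}
感谢分享。 JNI是否可以调用C++操作windows上面程序内存呢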