JNI的方式来检测AndroidServiceHook(演示检测爆破签名校验)

LivedForward

之前的帖子:https://www.52pojie.cn/thread-1015426-1-1.html
检测系统关键API是否被JDK动态代{过}{滤}理Hook,以PackageManager为例,演示了如何检测App自身是否
被爆破签名校验.

这里我使用JNI方式来实现,也就是C++来编写.


代码如下:

int isHookPMS(JNIEnv *env){
        jobject cPMSO = getCurrentPMSObject(env);
        jclass cPMSC = (*env)->GetObjectClass(env, cPMSO);
        jclass cPMSFC =(*env)->GetSuperclass(env,cPMSC);
        jclass proxyClass = (*env)->FindClass(env,"java/lang/reflect/Proxy");
       if((*env)->IsAssignableFrom(env,  cPMSFC,proxyClass)){
                //PMS被Hook
        (*env)->DeleteLocalRef(env, cPMSO);
        (*env)->DeleteLocalRef(env, cPMSC);
        (*env)->DeleteLocalRef(env, cPMSFC);
        (*env)->DeleteLocalRef(env, proxyClass);
                return 1;
        }else{
        (*env)->DeleteLocalRef(env, cPMSO);
        (*env)->DeleteLocalRef(env, cPMSC);
        (*env)->DeleteLocalRef(env, cPMSFC);
        (*env)->DeleteLocalRef(env, proxyClass);
        return 0;
        }
}


jobject getCurrentPMSObject(JNIEnv *env){
        jclass activityThreadClass = (*env)->FindClass(env,"android/app/ActivityThread");
        jmethodID currentActivityThreadMethod = (*env)->
                   GetStaticMethodID(env,activityThreadClass,"currentActivityThread","()Landroid/app/ActivityThread;");
        jobject currentActivityThread = (*env)->CallStaticObjectMethod(env,activityThreadClass,currentActivityThreadMethod);
        jfieldID sPackageManagerFieldId = (*env)->GetStaticFieldID(env,activityThreadClass,"sPackageManager","Landroid/content/pm/IPackageManager;");
        jobject sPackageManager = (*env)->GetStaticObjectField(env,currentActivityThread,sPackageManagerFieldId);
        (*env)->DeleteLocalRef(env, activityThreadClass);
        (*env)->DeleteLocalRef(env, currentActivityThreadMethod);
        (*env)->DeleteLocalRef(env, currentActivityThread);
  (*env)->DeleteLocalRef(env, sPackageManagerFieldId);
  return sPackageManager;
}

测试APP下载地址:
链接:https://pan.baidu.com/s/1q4hPBivmyns98dMwAbGBMQ 提取码:5168

九重桂妖

这是高手

wu8511128

谢谢楼主 辛苦了 ~~~~

涛之雨

华为测试成功
所以要破解要改so。。。
没有电脑，用不了ida，回合结束

破解project

帮忙格式化了一下

[C++] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34

int isHookPMS(JNIEnv *env){         jobject cPMSO = getCurrentPMSObject(env);         jclass cPMSC = (*env)->GetObjectClass(env, cPMSO);         jclass cPMSFC =(*env)->GetSuperclass(env,cPMSC);         jclass proxyClass = (*env)->FindClass(env,"java/lang/reflect/Proxy");        if((*env)->IsAssignableFrom(env,  cPMSFC,proxyClass)){                 //PMS被Hook         (*env)->DeleteLocalRef(env, cPMSO);         (*env)->DeleteLocalRef(env, cPMSC);         (*env)->DeleteLocalRef(env, cPMSFC);         (*env)->DeleteLocalRef(env, proxyClass);                 return 1;         }else{         (*env)->DeleteLocalRef(env, cPMSO);         (*env)->DeleteLocalRef(env, cPMSC);         (*env)->DeleteLocalRef(env, cPMSFC);         (*env)->DeleteLocalRef(env, proxyClass);         return 0;         } }     jobject getCurrentPMSObject(JNIEnv *env){         jclass activityThreadClass = (*env)->FindClass(env,"android/app/ActivityThread");         jmethodID currentActivityThreadMethod = (*env)->                    GetStaticMethodID(env,activityThreadClass,"currentActivityThread","()Landroid/app/ActivityThread;");         jobject currentActivityThread = (*env)->CallStaticObjectMethod(env,activityThreadClass,currentActivityThreadMethod);         jfieldID sPackageManagerFieldId = (*env)->GetStaticFieldID(env,activityThreadClass,"sPackageManager","Landroid/content/pm/IPackageManager;");         jobject sPackageManager = (*env)->GetStaticObjectField(env,currentActivityThread,sPackageManagerFieldId);         (*env)->DeleteLocalRef(env, activityThreadClass);         (*env)->DeleteLocalRef(env, currentActivityThreadMethod);         (*env)->DeleteLocalRef(env, currentActivityThread);         return sPackageManager; }

ytfrdfiw

感谢分享。

青霄

JNI是否可以调用C++操作windows上面程序内存呢