apk
Android 9.0 里的 apk 增加了 Frida 检测。
hook.js
直接看frida代码
/**
 * Placeholder for Java-layer hooks.
 *
 * Passes an empty callback to Java.perform; no hook is installed here.
 */
function hook_java() {
  Java.perform(() => {});
}
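/**
 * Attaches an Interceptor hook to the exported `strstr` so that any call whose
 * haystack or needle contains one of the marker strings ("frida",
 * "gum-js-loop", "gmain", "linjector") returns NULL, i.e. "not found".
 *
 * Caveats:
 *  - The export is looked up with a null module name and the hook sits on the
 *    function itself, so all callers of that export are affected, not only
 *    the library that performs the check.
 *  - Markers are matched as plain substrings of either argument, so an
 *    unrelated string that merely contains e.g. "gmain" also gets a forced
 *    NULL result, which can change the application's behaviour.
 *
 * Does nothing when `strstr` cannot be resolved.
 */
function antiAntiFrida() {
  const MARKERS = ["frida", "gum-js-loop", "gmain", "linjector"];

  const strstr = Module.findExportByName(null, "strstr");
  if (strstr === null) {
    return;
  }

  Interceptor.attach(strstr, {
    onEnter(args) {
      // strstr is called very often: read each C string once instead of
      // re-reading the same memory for every marker comparison.
      const haystack = args[0].readCString();
      // The needle is only read when the haystack was readable, matching the
      // short-circuit order of the null checks.
      const needle = haystack === null ? null : args[1].readCString();

      // Per-invocation flag consumed by onLeave.
      this.frida =
        haystack !== null &&
        needle !== null &&
        MARKERS.some(
          (marker) => haystack.includes(marker) || needle.includes(marker),
        );
    },
    onLeave(retval) {
      if (this.frida) {
        // Report "substring not found" to the caller.
        retval.replace(ptr("0x0"));
      }
    },
  });
}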
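/**
 * Logs the path of each library loaded through `android_dlopen_ext`, which
 * shows which native library is loaded and in what order.
 *
 * The export lookup is guarded: when `android_dlopen_ext` cannot be resolved
 * the function logs a message and returns instead of passing null to
 * Interceptor.attach.
 */
function hook_dlopen() {
  // Android 6 and later: android_dlopen_ext
  const dlopenExt = Module.findExportByName(null, "android_dlopen_ext");
  if (dlopenExt === null) {
    console.log("android_dlopen_ext not found; dlopen hook not installed");
    return;
  }

  Interceptor.attach(dlopenExt, {
    onEnter(args) {
      const pathArg = args[0];
      if (pathArg === undefined || pathArg === null) {
        return;
      }
      const path = ptr(pathArg).readCString();
      if (path === null) {
        // No readable filename; nothing useful to log.
        return;
      }
      console.log("load " + path);
    },
  });
}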
/**
 * Script entry point: installs the strstr hook.
 *
 * The library-load logger is left disabled; uncomment the call below to log
 * library loads as well.
 */
function main() {
  // hook_dlopen();
  antiAntiFrida();
}
// Defer main() with setImmediate instead of calling it inline while the
// script is still being evaluated.
setImmediate(main);
// load /system/framework/oat/x86_64/org.apache.http.legacy.boot.odex
// load /data/app/com.douban.frodo-Uxv2VXqCbBnblUrBRr9kwA==/oat/x86_64/base.odex
// load /data/app/com.douban.frodo-Uxv2VXqCbBnblUrBRr9kwA==/lib/x86_64/libmsaoaidsec.so
先通过 hook_dlopen() 定位到执行检测的 so 文件,然后 hook strstr 函数即可绕过检测。