Frida反调试检测与绕过技术详解<\/h1>

一、问题现象分析<\/h2>
当使用Frida进行动态分析时，可能会遇到以下特殊现象：<\/p>
使用frida spawn<\/code>或attach<\/code>应用时，Frida进程被终止（提示"process terminated"）<\/li>
但spawn出来的APP进程仍然正常运行<\/li>
<\/ul>
这表明目标应用具有反调试防护机制，能够检测并终止附加的Frida进程。<\/p>
二、反调试检测机制原理<\/h2>
1. 检测代码存放位置<\/h3>
反调试代码通常存放在so动态库中，原因如下：<\/p>

相比放在Java层代码更难以被Frida hook<\/li>
不容易被反编译分析<\/li>
需要重新签名才能篡改<\/li>
执行效率高，不影响应用性能<\/li>
<\/ul>
2. 动态库加载检测技术<\/h3>
应用通过以下系统函数加载动态库：<\/p>

android_dlopen_ext()<\/code><\/li>
dlopen()<\/code><\/li>
do_dlopen()<\/code><\/li>
find_library()<\/code><\/li>
<\/ul>
这些函数都是System.loadLibrary()<\/code>的底层实现。<\/p>
三、检测定位技术<\/h2>
1. 动态库加载监控<\/h3>
通过hook动态库加载函数，可以定位检测代码所在的so文件：<\/p>
function<\/span> hook_dlopen<\/span>() {
<\/span><\/span>    Interceptor<\/span>.attach<\/span>(Module<\/span>.findExportByName<\/span>(null<\/span>, "android_dlopen_ext"<\/span>), {
<\/span><\/span>        onEnter<\/span>:<\/span> function<\/span>(args<\/span>) {
<\/span><\/span>            var<\/span> pathptr<\/span> =<\/span> args<\/span>[0<\/span>];
<\/span><\/span>            if<\/span> (pathptr<\/span> !==<\/span> undefined<\/span> &&<\/span> pathptr<\/span> !=<\/span> null<\/span>) {
<\/span><\/span>                var<\/span> path<\/span> =<\/span> ptr<\/span>(pathptr<\/span>).readCString<\/span>();
<\/span><\/span>                console<\/span>.log<\/span>("load "<\/span> +<\/span> path<\/span>);
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    });
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 检测库定位<\/h3>
当Frida执行到特定so文件（如libllvm1624362448.so<\/code>）时发生闪退，可以确定检测代码位于该库中。<\/p>
四、绕过反调试的四种方法<\/h2>
方法1：阻止检测库加载<\/h3>
hook加载函数，将目标so的路径参数置空：<\/p>
Interceptor<\/span>.attach<\/span>(Module<\/span>.findExportByName<\/span>(null<\/span>, "dlopen"<\/span>), {
<\/span><\/span>    onEnter<\/span>:<\/span> function<\/span>(args<\/span>) {
<\/span><\/span>        var<\/span> path<\/span> =<\/span> args<\/span>[0<\/span>].readCString<\/span>();
<\/span><\/span>        if<\/span> (path<\/span>.indexOf<\/span>(targetSo<\/span>) !==<\/span> -<\/span>1<\/span>) {
<\/span><\/span>            console<\/span>.log<\/span>(`Attempt to dlopen <\/span>${<\/span>targetSo<\/span>}<\/span> blocked`<\/span>);
<\/span><\/span>            args<\/span>[0<\/span>] =<\/span> ptr<\/span>(0<\/span>); \/\/ 将路径设为NULL
<\/span><\/span><\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>方法2：重定向到无害库<\/h3>
修改加载路径，指向一个无害的假库：<\/p>
var<\/span> fake_so<\/span> =<\/span> Memory<\/span>.allocUtf8String<\/span>("\/path\/to\/fake_libnllvm1624362448.so"<\/span>);
<\/span><\/span>Interceptor<\/span>.attach<\/span>(Module<\/span>.findExportByName<\/span>(null<\/span>, "dlopen"<\/span>), {
<\/span><\/span>    onEnter<\/span>:<\/span> function<\/span>(args<\/span>) {
<\/span><\/span>        var<\/span> path<\/span> =<\/span> args<\/span>[0<\/span>].readCString<\/span>();
<\/span><\/span>        if<\/span> (path<\/span>.indexOf<\/span>(targetSo<\/span>) !==<\/span> -<\/span>1<\/span>) {
<\/span><\/span>            console<\/span>.log<\/span>(`Redirecting <\/span>${<\/span>targetSo<\/span>}<\/span> to fake library`<\/span>);
<\/span><\/span>            args<\/span>[0<\/span>] =<\/span> fake_so<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>
注意<\/strong>：假库需要包含所有必要的导出函数，但这些函数不执行实际检测操作。<\/p>
<\/blockquote>
方法3：静态修改so文件<\/h3>
直接修改目标so文件：<\/p>

反编译定位检测代码<\/li>
修改或删除检测逻辑<\/li>
重新打包so文件<\/li>
<\/ol>
方法4：动态内存补丁<\/h3>
在内存中修改检测函数逻辑：<\/p>
\/\/ 修改内存保护属性
<\/span><\/span><\/span><\/span>Memory<\/span>.protect<\/span>(targetAddress<\/span>, size<\/span>, 'rwx'<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 找到目标函数地址
<\/span><\/span><\/span><\/span>var<\/span> targetFunction<\/span> =<\/span> Module<\/span>.findExportByName<\/span>("libtarget.so"<\/span>, "function_name"<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 修改函数开头为ret指令(ARM64)
<\/span><\/span><\/span><\/span>Memory<\/span>.writeByteArray<\/span>(targetFunction<\/span>, [0xC0<\/span>, 0x03<\/span>, 0x5F<\/span>, 0xD6<\/span>]);
<\/span><\/span>
<\/span><\/span>\/\/ 或者修改关键数据
<\/span><\/span><\/span><\/span>Memory<\/span>.writeInt<\/span>(targetAddress<\/span>, newValue<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 刷新缓存
<\/span><\/span><\/span><\/span>Memory<\/span>.patchCode<\/span>(targetFunction<\/span>, 4<\/span>, function<\/span>(code<\/span>) {
<\/span><\/span>    Memory<\/span>.writeByteArray<\/span>(code<\/span>, [0xC0<\/span>, 0x03<\/span>, 0x5F<\/span>, 0xD6<\/span>]);
<\/span><\/span>});
<\/span><\/span>
<\/span><\/span>\/\/ 恢复内存保护
<\/span><\/span><\/span><\/span>Memory<\/span>.protect<\/span>(targetAddress<\/span>, size<\/span>, 'r-x'<\/span>);
<\/span><\/span><\/code><\/pre>五、完整绕过示例<\/h2>
以下是成功绕过检测的完整Frida脚本：<\/p>
var<\/span> targetSo<\/span> =<\/span> "libnllvm1624362448.so"<\/span>;
<\/span><\/span>
<\/span><\/span>function<\/span> blockLibrary<\/span>(functionName<\/span>) {
<\/span><\/span>    var<\/span> func<\/span> =<\/span> Module<\/span>.findExportByName<\/span>(null<\/span>, functionName<\/span>);
<\/span><\/span>    if<\/span> (func<\/span>) {
<\/span><\/span>        Interceptor<\/span>.attach<\/span>(ptr<\/span>(func<\/span>), {
<\/span><\/span>            onEnter<\/span>:<\/span> function<\/span>(args<\/span>) {
<\/span><\/span>                var<\/span> path<\/span> =<\/span> args<\/span>[0<\/span>].readCString<\/span>();
<\/span><\/span>                if<\/span> (path<\/span>.indexOf<\/span>(targetSo<\/span>) !==<\/span> -<\/span>1<\/span>) {
<\/span><\/span>                    console<\/span>.log<\/span>(`Blocked <\/span>${<\/span>targetSo<\/span>}<\/span> in <\/span>${<\/span>functionName<\/span>}<\/span>`<\/span>);
<\/span><\/span>                    args<\/span>[0<\/span>] =<\/span> ptr<\/span>(0<\/span>); \/\/ 将路径参数设为NULL
<\/span><\/span><\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>        });
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 拦截所有可能的动态库加载函数
<\/span><\/span><\/span><\/span>blockLibrary<\/span>("open"<\/span>);
<\/span><\/span>blockLibrary<\/span>("dlopen"<\/span>);
<\/span><\/span>blockLibrary<\/span>("android_dlopen_ext"<\/span>);
<\/span><\/span><\/code><\/pre>六、技术要点总结<\/h2>

检测定位<\/strong>：通过hook动态库加载函数定位检测代码位置<\/li>
绕过思路<\/strong>：

阻止检测库加载<\/li>
重定向到无害库<\/li>
静态修改so文件<\/li>
动态内存补丁<\/li>
<\/ul>
<\/li>
关键函数<\/strong>：需要拦截所有可能的动态库加载函数（open\/dlopen\/android_dlopen_ext）<\/li>
ARM指令<\/strong>：了解基本的ARM指令（如ret指令）对内存补丁很重要<\/li>
<\/ol>
这些技术可以灵活组合使用，根据目标应用的具体防护机制选择最合适的绕过方法。<\/p>
Frida反调试检测与绕过技术详解<\/h1>

二、反调试检测机制原理<\/h2>

2. 检测库定位<\/h3> 当Frida执行到特定so文件（如libllvm1624362448.so<\/code>）时发生闪退，可以确定检测代码位于该库中。<\/p>

2. 检测库定位<\/h3>
当Frida执行到特定so文件（如`libllvm1624362448.so<\/code>）时发生闪退，可以确定检测代码位于该库中。<\/p>`
