绕过App企业版加固Frida检测技术分析<\/h1>

0x00 测试环境<\/h2>

设备<\/strong>: Pixel 3<\/li>
Android版本<\/strong>: 12<\/li>

面具版本<\/strong>: Magisk Delta 26.4-kitsune(26400)<\/li> <\/ul>
0x01 目标应用<\/h2>

某App最新版本(24年9月最新版本)<\/li>
使用某加密企业版加固<\/li> <\/ul>
0x02 检测机制分析<\/h2>
Root检测分析<\/h3>
App的root检测主要在Java代码层面实现，主要检测以下路径：<\/p>
\/system\/xbin\/ \/system\/bin\/ \/system\/sbin\/ \/sbin\/ \/vendor\/bin\/ \/su\/bin\/ <\/code><\/pre> 绕过方法<\/strong>：<\/p> 使用Magisk Delta版本，通过设置App访问root权限白名单<\/li> 使用Shamiko插件进行绕过<\/li> <\/ol> Frida检测分析<\/h3> Frida检测通常在Native层(so层)实现，需要定位检测进程所在的so文件。<\/p> 0x03 检测定位技术<\/h2> 1. 动态链接库加载监控<\/h3> 使用android_dlopen_ext<\/code> hook监控so加载流程：<\/p> var<\/span> dlopen_interceptor<\/span> =<\/span> hook_dlopen<\/span>(); <\/span><\/span> <\/span><\/span>function<\/span> hook_dlopen<\/span>() { <\/span><\/span> Interceptor<\/span>.attach<\/span>(Module<\/span>.findExportByName<\/span>(null<\/span>, "android_dlopen_ext"<\/span>), { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> this<\/span>.fileName<\/span> =<\/span> args<\/span>[0<\/span>].readCString<\/span>(); <\/span><\/span> console<\/span>.log<\/span>(`dlopen onEnter: <\/span>${<\/span>this<\/span>.fileName<\/span>}<\/span>`<\/span>); <\/span><\/span> }, <\/span><\/span> onLeave<\/span>:<\/span> function<\/span>(retval<\/span>){ <\/span><\/span> console<\/span>.log<\/span>(`dlopen onLeave fileName: <\/span>${<\/span>this<\/span>.fileName<\/span>}<\/span>`<\/span>); <\/span><\/span> } <\/span><\/span> }); <\/span><\/span>} <\/span><\/span><\/code><\/pre>关键发现<\/strong>：<\/p> 程序总是在加载\/lib\/arm64\/libnllvm1717052779924.so<\/code>后崩溃<\/li> 初步判断该so中实现了Frida检测进程<\/li> <\/ul> 2. 线程创建监控<\/h3> 尝试hook pthread_create<\/code>函数：<\/p> function<\/span> hook_pthred_create<\/span>(){ <\/span><\/span> var<\/span> interceptor<\/span> =<\/span> Interceptor<\/span>.attach<\/span>(Module<\/span>.findExportByName<\/span>(null<\/span>, "pthread_create"<\/span>), { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> var<\/span> module<\/span> =<\/span> Process<\/span>.findModuleByAddress<\/span>(ptr<\/span>(this<\/span>.returnAddress<\/span>)); <\/span><\/span> if<\/span>(module<\/span> !=<\/span> null<\/span>) { <\/span><\/span> console<\/span>.log<\/span>("[pthread_create] called from"<\/span>, module<\/span>.name<\/span>); <\/span><\/span> } else<\/span> { <\/span><\/span> console<\/span>.log<\/span>("[pthread_create] called from"<\/span>, ptr<\/span>(this<\/span>.returnAddress<\/span>)); <\/span><\/span> } <\/span><\/span> }, <\/span><\/span> }); <\/span><\/span>} <\/span><\/span><\/code><\/pre>问题<\/strong>：<\/p> 程序会卡死白屏或强制退出<\/li> 需要寻找替代方案<\/li> <\/ul> 3. 动态符号解析监控<\/h3> hook dlsym<\/code>函数监控符号加载：<\/p> function<\/span> hook_dlsym<\/span>() { <\/span><\/span> console<\/span>.log<\/span>("=== HOOKING dlsym ==="<\/span>); <\/span><\/span> var<\/span> interceptor<\/span> =<\/span> Interceptor<\/span>.attach<\/span>(Module<\/span>.findExportByName<\/span>(null<\/span>, "dlsym"<\/span>), { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> const<\/span> name<\/span> =<\/span> ptr<\/span>(args<\/span>[1<\/span>]).readCString<\/span>(); <\/span><\/span> console<\/span>.log<\/span>("[dlsym]"<\/span>, name<\/span>); <\/span><\/span> }, <\/span><\/span> onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) { <\/span><\/span> console<\/span>.log<\/span>("=== EXIT ==="<\/span>); <\/span><\/span> } <\/span><\/span> }); <\/span><\/span> return<\/span> interceptor<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>关键发现<\/strong>：<\/p> libnllvm1717052779924.so<\/code>加载了两次pthread_create<\/code><\/li> 推测这些进程与Frida检测相关<\/li> <\/ul> 0x04 绕过技术实现<\/h2> 1. 创建虚假pthread_create函数<\/h3> function<\/span> create_fake_pthread_create<\/span>() { <\/span><\/span> const<\/span> fake_pthread_create<\/span> =<\/span> Memory<\/span>.alloc<\/span>(4096<\/span>); <\/span><\/span> Memory<\/span>.protect<\/span>(fake_pthread_create<\/span>, 4096<\/span>, "rwx"<\/span>); <\/span><\/span> Memory<\/span>.patchCode<\/span>(fake_pthread_create<\/span>, 4096<\/span>, code<\/span> => { <\/span><\/span> const<\/span> cw<\/span> =<\/span> new<\/span> Arm64Writer<\/span>(code<\/span>, { pc<\/span>:<\/span> ptr<\/span>(fake_pthread_create<\/span>) }); <\/span><\/span> cw<\/span>.putRet<\/span>(); <\/span><\/span> }); <\/span><\/span> return<\/span> fake_pthread_create<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 替换真实pthread_create<\/h3> var<\/span> fake_pthread_create<\/span> =<\/span> create_fake_pthread_create<\/span>(); <\/span><\/span> <\/span><\/span>function<\/span> hook_dlsym<\/span>() { <\/span><\/span> console<\/span>.log<\/span>("=== HOOKING dlsym ==="<\/span>); <\/span><\/span> var<\/span> interceptor<\/span> =<\/span> Interceptor<\/span>.attach<\/span>(Module<\/span>.findExportByName<\/span>(null<\/span>, "dlsym"<\/span>), { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> const<\/span> name<\/span> =<\/span> ptr<\/span>(args<\/span>[1<\/span>]).readCString<\/span>(); <\/span><\/span> console<\/span>.log<\/span>("[dlsym]"<\/span>, name<\/span>); <\/span><\/span> }, <\/span><\/span> onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) { <\/span><\/span> retval<\/span>.replace<\/span>(fake_pthread_create<\/span>); <\/span><\/span> console<\/span>.log<\/span>("=== EXIT ==="<\/span>); <\/span><\/span> interceptor<\/span>.detach<\/span>(); <\/span><\/span> } <\/span><\/span> }); <\/span><\/span> return<\/span> interceptor<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 综合绕过方案<\/h3> var<\/span> dlopen_interceptor<\/span> =<\/span> hook_dlopen<\/span>(); <\/span><\/span>var<\/span> fake_pthread_create<\/span> =<\/span> create_fake_pthread_create<\/span>(); <\/span><\/span> <\/span><\/span>function<\/span> hook_dlopen<\/span>() { <\/span><\/span> Interceptor<\/span>.attach<\/span>(Module<\/span>.findExportByName<\/span>(null<\/span>, "android_dlopen_ext"<\/span>), { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> this<\/span>.fileName<\/span> =<\/span> args<\/span>[0<\/span>].readCString<\/span>(); <\/span><\/span> console<\/span>.log<\/span>(`dlopen onEnter: <\/span>${<\/span>this<\/span>.fileName<\/span>}<\/span>`<\/span>); <\/span><\/span> if<\/span>(this<\/span>.fileName<\/span>.indexOf<\/span>("libnllvm1717052779924.so"<\/span>) >=<\/span> 0<\/span> ||<\/span> <\/span><\/span> this<\/span>.fileName<\/span>.indexOf<\/span>("libface_nllvm.so"<\/span>) >=<\/span> 0<\/span>) { <\/span><\/span> hook_dlsym<\/span>(); <\/span><\/span> } <\/span><\/span> }, <\/span><\/span> onLeave<\/span>:<\/span> function<\/span>(retval<\/span>){ <\/span><\/span> console<\/span>.log<\/span>(`dlopen onLeave fileName: <\/span>${<\/span>this<\/span>.fileName<\/span>}<\/span>`<\/span>); <\/span><\/span> } <\/span><\/span> }); <\/span><\/span>} <\/span><\/span><\/code><\/pre>0x05 补充分析(pthread_create)<\/h2> 1. 直接hook的问题<\/h3> 直接hook pthread_create<\/code>会导致：<\/p> 白屏<\/li> 死机<\/li> 偶尔不死机的情况<\/li> <\/ul> 2. 偏移量计算方案<\/h3> function<\/span> hook_pthread_libnllvm1717052779924<\/span>(){ <\/span><\/span> var<\/span> interceptor<\/span> =<\/span> Interceptor<\/span>.attach<\/span>(Module<\/span>.findExportByName<\/span>(null<\/span>, "pthread_create"<\/span>), { <\/span><\/span> onEnter<\/span>:<\/span> function<\/span>(args<\/span>) { <\/span><\/span> var<\/span> module<\/span> =<\/span> Process<\/span>.findModuleByAddress<\/span>(ptr<\/span>(this<\/span>.returnAddress<\/span>)); <\/span><\/span> if<\/span>(module<\/span> !=<\/span> null<\/span>) { <\/span><\/span> console<\/span>.log<\/span>("hook_pthread_libnllvm1717052779924 "<\/span>+<\/span>Process<\/span>.findModuleByName<\/span>("libnllvm1717052779924.so"<\/span>).base<\/span>); <\/span><\/span> console<\/span>.log<\/span>("[pthread_create] called from"<\/span>, module<\/span>.name<\/span>); <\/span><\/span> let<\/span> func_addr<\/span> =<\/span> args<\/span>[2<\/span>]; <\/span><\/span> console<\/span>.log<\/span>(`The thread Called function address is: <\/span>${<\/span>func_addr<\/span>}<\/span>`<\/span>); <\/span><\/span> } else<\/span> { <\/span><\/span> console<\/span>.log<\/span>("[pthread_create] called from"<\/span>, ptr<\/span>(this<\/span>.returnAddress<\/span>)); <\/span><\/span> } <\/span><\/span> }, <\/span><\/span> }); <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 基于偏移量的替换<\/h3> function<\/span> hook_64d10<\/span>(){ <\/span><\/span> let<\/span> secmodule<\/span> =<\/span> Process<\/span>.findModuleByName<\/span>("libnllvm1717052779924.so"<\/span>); <\/span><\/span> console<\/span>.log<\/span>("secmodule "<\/span> +<\/span> secmodule<\/span>); <\/span><\/span> Interceptor<\/span>.replace<\/span>(secmodule<\/span>.base<\/span>.add<\/span>(0x64d10<\/span>), new<\/span> NativeCallback<\/span>(function<\/span>() { <\/span><\/span> console<\/span>.log<\/span>(`hook_sub_64d10 replace`<\/span>); <\/span><\/span> }, 'void'<\/span>)); <\/span><\/span> console<\/span>.log<\/span>("替换完毕"<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>0x06 总结<\/h2> 检测机制<\/strong>：<\/p> Root检测主要在Java层<\/li> Frida检测在Native层通过多so文件实现<\/li> <\/ul> <\/li> 绕过方案<\/strong>：<\/p> 监控so加载流程定位检测点<\/li> 创建虚假函数替换关键检测函数<\/li> 基于偏移量的精确替换方案<\/li> <\/ul> <\/li> 适用场景<\/strong>：<\/p> 企业级加固应用的Frida检测绕过<\/li> 多so文件协同检测的场景<\/li> 直接hook会导致崩溃的防护机制<\/li> <\/ul> <\/li> 扩展应用<\/strong>：<\/p> 该方法可应用于其他类似防护机制<\/li> 可扩展用于其他关键函数的替换<\/li> 适用于不同架构的so文件分析<\/li> <\/ul> <\/li> <\/ol>