企业版加固APP绕过Frida Hook技术分析<\/h1>

1. 环境准备<\/h2>

测试设备<\/strong>: Pixel 2<\/li>
目标APP<\/strong>: 某企业版加固APP(具体名称未透露)<\/li>

工具版本<\/strong>: Frida 15.1.28<\/li> <\/ul>
2. Frida检测绕过技术<\/h2>
2.1 初步检测分析<\/h3>
发现直接使用Frida进行hook会导致APP闪退，但更改Frida端口后未检测到防护行为，表明APP可能通过以下方式检测Frida:<\/p>

检测默认Frida端口<\/li>
检测Frida相关进程<\/li>
检测内存中的Frida痕迹<\/li> <\/ul>
2.2 pthread_create hook绕过<\/h3>
通过拦截pthread_create<\/code>函数调用，分析线程创建行为，发现libexec.so<\/code>中特定偏移量的线程创建与Frida检测相关。<\/p>
关键代码实现<\/strong>:<\/p>
function<\/span> hook_pthread<\/span>() { <\/span><\/span> var<\/span> pthread_create_addr<\/span> =<\/span> Module<\/span>.findExportByName<\/span>(null<\/span>, 'pthread_create'<\/span>); <\/span><\/span> var<\/span> pthread_create<\/span> =<\/span> new<\/span> NativeFunction<\/span>(pthread_create_addr<\/span>, "int"<\/span>, ["pointer"<\/span>, "pointer"<\/span>, "pointer"<\/span>, "pointer"<\/span>]); <\/span><\/span> <\/span><\/span> Interceptor<\/span>.replace<\/span>(pthread_create_addr<\/span>, new<\/span> NativeCallback<\/span>(function<\/span> (parg0<\/span>, parg1<\/span>, parg2<\/span>, parg3<\/span>) { <\/span><\/span> var<\/span> so_name<\/span> =<\/span> Process<\/span>.findModuleByAddress<\/span>(parg2<\/span>).name<\/span>; <\/span><\/span> var<\/span> so_base<\/span> =<\/span> Module<\/span>.getBaseAddress<\/span>(so_name<\/span>); <\/span><\/span> var<\/span> offset<\/span> =<\/span> parg2<\/span> -<\/span> so_base<\/span>; <\/span><\/span> var<\/span> PC<\/span> =<\/span> 0<\/span>; <\/span><\/span> <\/span><\/span> if<\/span> ((so_name<\/span>.indexOf<\/span>("libexec.so"<\/span>) ><\/span> -<\/span>1<\/span>)) { <\/span><\/span> console<\/span>.log<\/span>("find thread func offset"<\/span>, so_name<\/span>, offset<\/span>); <\/span><\/span> \/\/ 关键检测点绕过 <\/span><\/span><\/span><\/span> if<\/span> ((207076<\/span> ===<\/span> offset<\/span>) ||<\/span> (207308<\/span> ===<\/span> offset<\/span>) ||<\/span> (283820<\/span> ===<\/span> offset<\/span>) ||<\/span> <\/span><\/span> (286488<\/span> ===<\/span> offset<\/span>) ||<\/span> (292416<\/span> ===<\/span> offset<\/span>) ||<\/span> (78136<\/span> ===<\/span> offset<\/span>) ||<\/span> <\/span><\/span> (293768<\/span> ===<\/span> offset<\/span>)) { <\/span><\/span> console<\/span>.log<\/span>("anti bypass"<\/span>); <\/span><\/span> } else<\/span> { <\/span><\/span> PC<\/span> =<\/span> pthread_create<\/span>(parg0<\/span>, parg1<\/span>, parg2<\/span>, parg3<\/span>); <\/span><\/span> } <\/span><\/span> } else<\/span> { <\/span><\/span> PC<\/span> =<\/span> pthread_create<\/span>(parg0<\/span>, parg1<\/span>, parg2<\/span>, parg3<\/span>); <\/span><\/span> } <\/span><\/span> return<\/span> PC<\/span>; <\/span><\/span> }, "int"<\/span>, ["pointer"<\/span>, "pointer"<\/span>, "pointer"<\/span>, "pointer"<\/span>])) <\/span><\/span>} <\/span><\/span>hook_pthread<\/span>(); <\/span><\/span><\/code><\/pre>2.3 关键检测点<\/h3> 在libexec.so<\/code>中识别出以下关键偏移量，这些位置创建的线程可能与Frida检测相关:<\/p> 207076<\/li> 207308<\/li> 283820<\/li> 286488<\/li> 292416<\/li> 78136<\/li> 293768<\/li> <\/ul> 3. Java层Hook技术<\/h2> 3.1 类枚举方法<\/h3> 绕过Frida检测后，使用以下方法枚举已加载的类:<\/p> Java<\/span>.enumerateLoadedClasses<\/span>({ <\/span><\/span> onMatch<\/span>:<\/span> function<\/span>(className<\/span>) { <\/span><\/span> console<\/span>.log<\/span>("found class >> "<\/span> +<\/span> className<\/span>); <\/span><\/span> \/\/ 遍历类中所有的方法和属性 <\/span><\/span><\/span><\/span> var<\/span> jClass<\/span> =<\/span> Java<\/span>.use<\/span>(className<\/span>); <\/span><\/span> console<\/span>.log<\/span>(JSON<\/span>.stringify<\/span>({ <\/span><\/span> _name<\/span>:<\/span> className<\/span>, <\/span><\/span> _methods<\/span>:<\/span> Object.getOwnPropertyNames<\/span>(jClass<\/span>.__proto__<\/span>).filter<\/span>(function<\/span>(m<\/span>) { <\/span><\/span> return<\/span> !<\/span>m<\/span>.startsWith<\/span>('$'<\/span>) \/\/ 过滤掉Frida相关特殊属性 <\/span><\/span><\/span><\/span> ||<\/span> m<\/span> ==<\/span> 'class'<\/span> <\/span><\/span> ||<\/span> m<\/span> ==<\/span> 'constructor'<\/span> <\/span><\/span> }), <\/span><\/span> _fields<\/span>:<\/span> jClass<\/span>.class<\/span>.getFields<\/span>().map<\/span>(function<\/span>(f<\/span>) { <\/span><\/span> return<\/span> f<\/span>.toString<\/span>(); <\/span><\/span> }) <\/span><\/span> })); <\/span><\/span> }, <\/span><\/span> onComplete<\/span>:<\/span> function<\/span>() { <\/span><\/span> console<\/span>.log<\/span>("[*] class enumeration complete"<\/span>); <\/span><\/span> } <\/span><\/span>}); <\/span><\/span><\/code><\/pre>3.2 加固APP的特殊处理<\/h3> 由于APP经过加固，常规的ClassLoader无法加载所有类和方法，需要特殊处理:<\/p> 方法1: 重加载指定ClassLoader<\/h4> var<\/span> application<\/span> =<\/span> Java<\/span>.use<\/span>("android.app.Application"<\/span>); <\/span><\/span>application<\/span>.attach<\/span>.overload<\/span>('android.content.Context'<\/span>).implementation<\/span> =<\/span> function<\/span>(context<\/span>) { <\/span><\/span> var<\/span> result<\/span> =<\/span> this<\/span>.attach<\/span>(context<\/span>); <\/span><\/span> var<\/span> classloader<\/span> =<\/span> context<\/span>.getClassLoader<\/span>(); <\/span><\/span> Java<\/span>.classFactory<\/span>.loader<\/span> =<\/span> classloader<\/span>; <\/span><\/span> <\/span><\/span> var<\/span> Hook_class<\/span> =<\/span> Java<\/span>.classFactory<\/span>.use<\/span>("com.xxx.xxx"<\/span>); <\/span><\/span> console<\/span>.log<\/span>("Hook_class: "<\/span> +<\/span> Hook_class<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 正常hook代码 <\/span><\/span><\/span><\/span> Hook_class<\/span>.函数<\/span>.implementation<\/span> =<\/span> function<\/span>() { <\/span><\/span> \/\/ 有参数填参数 <\/span><\/span><\/span><\/span> } <\/span><\/span> return<\/span> result<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>方法2: 枚举并尝试所有ClassLoader(更有效)<\/h4> Java<\/span>.enumerateClassLoaders<\/span>({ <\/span><\/span> onMatch<\/span>:<\/span> function<\/span>(loader<\/span>){ <\/span><\/span> Java<\/span>.classFactory<\/span>.loader<\/span> =<\/span> loader<\/span>; <\/span><\/span> var<\/span> TryClass<\/span>; <\/span><\/span> <\/span><\/span> try<\/span> { <\/span><\/span> \/\/ 尝试加载目标类 <\/span><\/span><\/span><\/span> TryClass<\/span> =<\/span> Java<\/span>.use<\/span>("cn.xxx"<\/span>); <\/span><\/span> \/\/ Hook目标方法 <\/span><\/span><\/span><\/span> TryClass<\/span>.xx<\/span>.implementation<\/span> =<\/span> function<\/span>(p1<\/span>,p2<\/span>){ <\/span><\/span> console<\/span>.log<\/span>('p1:'<\/span>+<\/span>p1<\/span>); <\/span><\/span> console<\/span>.log<\/span>('p2:'<\/span>+<\/span>p2<\/span>); <\/span><\/span> return<\/span> this<\/span>.xx<\/span>(p1<\/span>,p2<\/span>); <\/span><\/span> } <\/span><\/span> } catch<\/span>(error<\/span>) { <\/span><\/span> if<\/span>(error<\/span>.message<\/span>.includes<\/span>("ClassNotFoundException"<\/span>)){ <\/span><\/span> console<\/span>.log<\/span>("Trying next loader"<\/span>); <\/span><\/span> } else<\/span> { <\/span><\/span> console<\/span>.log<\/span>(error<\/span>.message<\/span>); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> }, <\/span><\/span> onComplete<\/span>:<\/span> function<\/span>(){ <\/span><\/span> console<\/span>.log<\/span>("ClassLoader enumeration complete"<\/span>); <\/span><\/span> } <\/span><\/span>}); <\/span><\/span><\/code><\/pre>4. 关键要点总结<\/h2> Frida检测绕过<\/strong>:<\/p> 修改默认Frida端口<\/li> 拦截并分析pthread_create<\/code>调用<\/li> 识别并绕过特定so文件中的检测线程<\/li> <\/ul> <\/li> Java层Hook难点<\/strong>:<\/p> 加固APP使用非常规ClassLoader<\/li> 部分类和方法在内存中加密\/隐藏<\/li> 需要枚举所有ClassLoader并尝试加载目标类<\/li> <\/ul> <\/li> 成功前提<\/strong>:<\/p> 需要先对APP进行脱壳处理<\/li> 需要知道目标类和方法名称<\/li> 可能需要多次尝试不同的ClassLoader<\/li> <\/ul> <\/li> 注意事项<\/strong>:<\/p> 企业版加固通常有多层防护<\/li> 可能需要结合静态分析和动态调试<\/li> 不同版本APP的偏移量可能不同<\/li> <\/ul> <\/li> <\/ol> 5. 扩展思考<\/h2> 更高级的检测绕过<\/strong>:<\/p> 使用Frida的--no-pause<\/code>参数<\/li> 修改Frida-server的进程名<\/li> 使用内存补丁技术修改检测逻辑<\/li> <\/ul> <\/li> 加固APP分析<\/strong>:<\/p> 结合Xposed框架进行分析<\/li> 使用模拟器+内存dump工具<\/li> 动态调试脱壳过程<\/li> <\/ul> <\/li> 自动化工具开发<\/strong>:<\/p> 自动识别关键偏移量<\/li> ClassLoader自动枚举和尝试<\/li> 方法签名自动识别<\/li> <\/ul> <\/li> <\/ol> 通过以上技术，可以有效绕过企业版加固APP的Frida检测机制，并成功Hook目标方法。需要注意的是，不同厂商的加固方案可能有不同的防护策略，需要根据实际情况调整技术方案。<\/p>