以下的检测来源于对某APP进行逆向分析得出的情况)
1.检测栈信息
2.检测包名信息
public static boolean xp1(Context context) {
boolean scanPackage = scanPackage(context, new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5pbnN0YWxsZXI=", 2)));
MLog.b("attack", "Installed xposed:" + scanPackage);
return scanPackage;
}
解密
ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5pbnN0YWxsZXI= = de.robv.android.xposed.installer
public static boolean xp2(Context context) {
StackTraceElement[] stackTrace;
context.getFilesDir();
try {
throw new Exception("凸一_一凸");
} catch (Exception e) {
MLog.a("attack", e.getMessage());
boolean z = false;
for (StackTraceElement stackTraceElement : e.getStackTrace()) {
if (stackTraceElement.getClassName().equals(new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U=", 2))) && stackTraceElement.getMethodName().equals(new String(Base64.decode("bWFpbg==", 2)))) {
z = true;
}
if (stackTraceElement.getClassName().equals(new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U=", 2))) && stackTraceElement.getMethodName().equals(new String(Base64.decode("aGFuZGxlSG9va2VkTWV0aG9k", 2)))) {
z = true;
}
}
MLog.b("attack", "Exception hit:" + z);
return z;
}
}
解密:
ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U=de.robv.android.xposed.XposedBridge
aGFuZGxlSG9va2VkTWV0aG9k = handleHookedMethod
bWFpbg==main
`
public static String xp3(Context context) {
String str;
context.getFilesDir();
try {
Field declaredField = DexAOPEntry.java_lang_ClassLoader_loadClass_proxy(ClassLoader.getSystemClassLoader(), new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRIZWxwZXJz", 2))).getDeclaredField(new String(Base64.decode("ZmllbGRDYWNoZQ==", 2)));
declaredField.setAccessible(true);
Map map = (Map) declaredField.get(null);
ArrayList arrayList = new ArrayList();
arrayList.addAll(map.keySet());
str = new JSONArray(arrayList).toString();
} catch (Exception e) {
str = null;
}
MLog.b("attack", "FieldInHook msg:" + str);
return str;
}
解密:
ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRIZWxwZXJz =de.robv.android.xposed.XposedHelpers
ZmllbGRDYWNoZQ== fieldCache
public static String xp4(Context context) {
String str;
context.getFilesDir();
PackHookPlugin packHookPlugin = new PackHookPlugin(1);
try {
Field declaredField = DexAOPEntry.java_lang_ClassLoader_loadClass_proxy(ClassLoader.getSystemClassLoader(), new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U=", 2))).getDeclaredField(new String(Base64.decode("c0hvb2tlZE1ldGhvZENhbGxiYWNrcw==", 2)));
declaredField.setAccessible(true);
Map map = (Map) declaredField.get(null);
Class java_lang_ClassLoader_loadClass_proxy = DexAOPEntry.java_lang_ClassLoader_loadClass_proxy(ClassLoader.getSystemClassLoader(), new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2UkQ29weU9uV3JpdGVTb3J0ZWRTZXQ=", 2)));
Method declaredMethod = java_lang_ClassLoader_loadClass_proxy.getDeclaredMethod(new String(Base64.decode("Z2V0U25hcHNob3Q=", 2)), new Class[0]);
for (Entry entry : map.entrySet()) {
Member member = (Member) entry.getKey();
Object value = entry.getValue();
String a = ScanMethod.a(member.toString());
if (!"".equals(a) && java_lang_ClassLoader_loadClass_proxy.isInstance(value)) {
for (Object obj : (Object[]) declaredMethod.invoke(value, new Object[0])) {
String[] split = obj.getClass().getClassLoader().toString().split("\"");
if (split.length > 1) {
packHookPlugin.a(StringTool.a(split, 1), a);
}
}
}
}
JSONArray a2 = packHookPlugin.a();
JSONArray methodToNative = methodToNative();
if (a2 != null) {
if (methodToNative != null) {
for (int i = 0; i < methodToNative.length(); i++) {
a2.put(methodToNative.getJSONObject(i));
}
}
str = a2.toString();
} else {
if (methodToNative != null) {
str = methodToNative.toString();
}
str = null;
}
} catch (Exception e) {
}
MLog.b("attack", "MethodInHook msg:" + str);
return str;
}
解密:
ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U=de.robv.android.xposed.XposedBridge
c0hvb2tlZE1ldGhvZENhbGxiYWNrcw== sHookedMethodCallbacks
ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2UkQ29weU9uV3JpdGVTb3J0ZWRTZXQ= de.robv.android.xposed.XposedBridge$CopyOnWriteSortedSet
Z2V0U25hcHNob3Q=getSnapshot
```
public static boolean xp5(Context context) {
try {
Throwable th = new Throwable();
th.setStackTrace(new StackTraceElement[]{new StackTraceElement(new String(Base64.decode("U2NhbkF0dGFjaw==", 2)), "", "", 0), new StackTraceElement(new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U=", 2)), "", "", 0)});
StackTraceElement[] stackTrace = th.getStackTrace();
if (stackTrace.length != 2 || !stackTrace[1].getClassName().equals(new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U=", 2)))) {
return true;
}
return false;
} catch (Exception e) {
return false;
}
}
解密:
U2NhbkF0dGFjaw== ScanAttack
ZGUucm9idi5hbmRyb2lkLnhwb3NlZC5YcG9zZWRCcmlkZ2U= de.robv.android.xposed.XposedBridge
public static boolean xp6(Context context) {
try {
StringWriter stringWriter = new StringWriter();
new Throwable().printStackTrace(new PrintWriter(stringWriter));
if (stringWriter.toString().contains(new String(Base64.decode("ZGUucm9idi5hbmRyb2lkLnhwb3NlZA==", 2)))) {
return true;
}
return false;
} catch (Exception e) {
return false;
}
}
解密:ZGUucm9idi5hbmRyb2lkLnhwb3NlZA==de.robv.android.xposed
