對抖音進行反編譯發現，其檢測注入框架1.是通過進程抓取進程中包含的包。2.是檢測堆棧中是否包含注入框架的包

所用 抖音版本 1.85

反編譯找到檢測類

搜索“xposed”關鍵字找到類com.ss.sys.ces.b.a
其包含四個字符串常量

private static String b = "XposedBridge.jar";private static String c = "de.robv.android.xposed.XposedBridge";private static String d = "com.saurik.substrate";private static String e = "com.saurik.substrate.MS$2";

傳值分析

if (a()){((JSONObject)localObject).put("xposed", 1);if (b()){((JSONObject)localObject).put("cydia", 1);if (!com.ss.sys.ces.a.f()) {break label174;}((JSONObject)localObject).put("frida", 1);((JSONObject)localObject).put("vapp", com.ss.sys.ces.a.v(paramContext.getFilesDir().getAbsolutePath(), paramContext.getPackageName()));paramContext = System.getProperty("java.vm.version");if ((paramContext == null) || (!paramContext.startsWith("2"))) {break label624;}i = 1;if (i == 0) {break label185;}((JSONObject)localObject).put("api", new JSONArray(b.a().b()));return (JSONObject)localObject;localThrowable = localThrowable;localThrowable.printStackTrace();localJSONObject1 = null;}}else{localJSONObject1.put("xposed", 0);continue;}localJSONObject1.put("cydia", 0);}

其是通過a()函數判斷是否有注入框架

//由a函數的內容分析出 需同時 a(String param)返回true 和 d()函數返回true，才會被發現public static boolean a(){return (a(b)) && (d());}

函數a(String param)
其通過FileReader("/proc/" + Process.myPid() + "/maps") 獲得所需包數據
通過循環與 看是否包含”XposedBridge.jar”，若有說明包含注入框架

private static boolean a(String paramString){try{Object localObject = new HashSet();BufferedReader localBufferedReader = new BufferedReader(new FileReader("/proc/" + Process.myPid() + "/maps"));for (;;){String str = localBufferedReader.readLine();if (str == null) {break;}if ((str.endsWith(".so")) || (str.endsWith(".jar"))) {((Set)localObject).add(str.substring(str.lastIndexOf(" ") + 1));}}localBufferedReader.close();localObject = ((Set)localObject).iterator();while (((Iterator)localObject).hasNext()){boolean bool = ((String)((Iterator)localObject).next()).contains(paramString);if (bool) {return true;}}}catch (Throwable paramString) {}return false;}

d函數通過拋出異常，來檢測異常棧,若異常棧中有”de.robv.android.xposed.XposedBridge”字符串說明注入框架使用過，從而跑出了該異常。

private static boolean d(){boolean bool2 = false;StackTraceElement[] arrayOfStackTraceElement;int j;int i;try{throw new Exception("");}catch (Exception localException){arrayOfStackTraceElement = localException.getStackTrace();j = arrayOfStackTraceElement.length;i = 0;}for (;;){boolean bool1 = bool2;if (i < j){if (arrayOfStackTraceElement[i].getClassName().equals(c)) {bool1 = true;}}else {return bool1;}i += 1;}}

總結

public static boolean a(){return (a(b)) && (d());}

因此a()函數是先判斷是否有注入框架xposed，再判斷是否使用了該框架。

總結

以上是生活随笔為你收集整理的抖音检测注入框架分析的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。