- 发布于
Frida 安全研究与防护对抗:动态分析在攻防对抗中的应用
- 作者
- 姓名
- 全能波
- GitHub
- @weicracker
Frida 安全研究与防护对抗:动态分析在攻防对抗中的应用
在现代安全研究中,Frida 既是强大的分析工具,也是需要防护的攻击向量。本文将探讨 Frida 在安全研究中的应用,以及相应的检测和防护技术。
Frida 检测技术
多层检测机制
# frida_detection_system.py - Frida 检测系统
import os
import psutil
import hashlib
import time
import threading
from pathlib import Path
class FridaDetectionSystem:
def __init__(self):
self.detection_methods = []
self.is_monitoring = False
self.detection_results = []
self.callbacks = []
# 初始化检测方法
self.init_detection_methods()
def init_detection_methods(self):
"""初始化所有检测方法"""
self.detection_methods = [
self.detect_frida_processes,
self.detect_frida_files,
self.detect_frida_ports,
self.detect_frida_libraries,
self.detect_frida_memory_patterns,
self.detect_frida_environment,
self.detect_frida_behavior
]
def detect_frida_processes(self):
"""检测 Frida 相关进程"""
frida_processes = []
frida_keywords = [
'frida', 'frida-server', 'frida-agent', 'gum-js-loop',
'gmain', 'gdbus', 'frida-helper'
]
try:
for proc in psutil.process_iter(['pid', 'name', 'cmdline']):
try:
proc_info = proc.info
proc_name = proc_info['name'].lower()
cmdline = ' '.join(proc_info['cmdline'] or []).lower()
# 检查进程名
for keyword in frida_keywords:
if keyword in proc_name or keyword in cmdline:
frida_processes.append({
'pid': proc_info['pid'],
'name': proc_info['name'],
'cmdline': proc_info['cmdline'],
'detection_type': 'process_name'
})
break
# 检查可疑的端口监听
try:
connections = proc.connections()
for conn in connections:
if conn.status == 'LISTEN' and conn.laddr.port == 27042:
frida_processes.append({
'pid': proc_info['pid'],
'name': proc_info['name'],
'port': conn.laddr.port,
'detection_type': 'frida_port'
})
except:
pass
except (psutil.NoSuchProcess, psutil.AccessDenied):
continue
except Exception as e:
print(f"Process detection error: {e}")
return {
'method': 'process_detection',
'detected': len(frida_processes) > 0,
'details': frida_processes
}
def detect_frida_files(self):
"""检测 Frida 相关文件"""
frida_files = []
# 常见的 Frida 文件路径
frida_paths = [
'/data/local/tmp/frida-server',
'/data/local/tmp/frida-agent',
'/system/bin/frida-server',
'/system/xbin/frida-server',
'/vendor/bin/frida-server',
'/data/local/tmp/re.frida.server',
'/data/local/tmp/frida-inject'
]
# 检查文件是否存在
for path in frida_paths:
if os.path.exists(path):
try:
stat_info = os.stat(path)
with open(path, 'rb') as f:
file_hash = hashlib.md5(f.read()).hexdigest()
frida_files.append({
'path': path,
'size': stat_info.st_size,
'hash': file_hash,
'mtime': stat_info.st_mtime
})
except Exception as e:
frida_files.append({
'path': path,
'error': str(e)
})
# 检查临时目录中的可疑文件
temp_dirs = ['/tmp', '/data/local/tmp', '/sdcard/tmp']
for temp_dir in temp_dirs:
if os.path.exists(temp_dir):
try:
for file_path in Path(temp_dir).rglob('*'):
if file_path.is_file():
filename = file_path.name.lower()
if any(keyword in filename for keyword in ['frida', 'gum', 'gadget']):
frida_files.append({
'path': str(file_path),
'detection_type': 'suspicious_filename'
})
except Exception:
pass
return {
'method': 'file_detection',
'detected': len(frida_files) > 0,
'details': frida_files
}
def detect_frida_ports(self):
"""检测 Frida 默认端口"""
frida_ports = [27042, 27043, 27044, 27045] # Frida 常用端口
open_frida_ports = []
try:
# 检查网络连接
connections = psutil.net_connections()
for conn in connections:
if conn.status == 'LISTEN' and conn.laddr.port in frida_ports:
open_frida_ports.append({
'port': conn.laddr.port,
'address': conn.laddr.ip,
'pid': conn.pid
})
except Exception as e:
print(f"Port detection error: {e}")
return {
'method': 'port_detection',
'detected': len(open_frida_ports) > 0,
'details': open_frida_ports
}
def detect_frida_libraries(self):
"""检测 Frida 相关库文件"""
frida_libraries = []
current_pid = os.getpid()
try:
proc = psutil.Process(current_pid)
memory_maps = proc.memory_maps()
frida_lib_patterns = [
'frida', 'gum', 'gadget', 'agent', 'libfrida'
]
for mmap in memory_maps:
path = mmap.path.lower()
for pattern in frida_lib_patterns:
if pattern in path:
frida_libraries.append({
'path': mmap.path,
'size': mmap.size if hasattr(mmap, 'size') else 0,
'permissions': mmap.perms if hasattr(mmap, 'perms') else 'unknown'
})
break
except Exception as e:
print(f"Library detection error: {e}")
return {
'method': 'library_detection',
'detected': len(frida_libraries) > 0,
'details': frida_libraries
}
def detect_frida_memory_patterns(self):
"""检测内存中的 Frida 特征"""
# 这个方法在 Python 中实现有限,主要用于演示
# 实际应用中需要在目标应用内部实现
frida_signatures = [
b'frida',
b'gum-js-loop',
b'_frida_agent_main',
b'frida_agent_main',
b'GumScript'
]
detected_patterns = []
try:
# 检查当前进程的内存映射
current_pid = os.getpid()
proc = psutil.Process(current_pid)
# 这里只是示例,实际内存扫描需要更底层的实现
for mmap in proc.memory_maps():
if 'heap' in mmap.path.lower() or 'stack' in mmap.path.lower():
detected_patterns.append({
'type': 'memory_region',
'path': mmap.path,
'note': 'Requires deeper memory analysis'
})
break # 只检查一个示例
except Exception as e:
print(f"Memory pattern detection error: {e}")
return {
'method': 'memory_pattern_detection',
'detected': len(detected_patterns) > 0,
'details': detected_patterns
}
def detect_frida_environment(self):
"""检测 Frida 环境变量和系统特征"""
frida_indicators = []
# 检查环境变量
frida_env_vars = [
'FRIDA_AGENT_PATH',
'FRIDA_GADGET_PATH',
'FRIDA_SERVER_PATH'
]
for env_var in frida_env_vars:
if env_var in os.environ:
frida_indicators.append({
'type': 'environment_variable',
'name': env_var,
'value': os.environ[env_var]
})
# 检查系统属性(Android 特有)
try:
# 模拟检查系统属性
suspicious_props = [
'ro.debuggable',
'ro.secure',
'service.adb.root'
]
for prop in suspicious_props:
# 在实际 Android 环境中,这里会调用 getprop
frida_indicators.append({
'type': 'system_property',
'name': prop,
'note': 'Requires Android environment to check'
})
except Exception as e:
print(f"Environment detection error: {e}")
return {
'method': 'environment_detection',
'detected': len(frida_indicators) > 0,
'details': frida_indicators
}
def detect_frida_behavior(self):
"""检测 Frida 行为特征"""
behavioral_indicators = []
try:
# 检查可疑的网络活动
connections = psutil.net_connections()
for conn in connections:
# 检查到 Frida 服务器的连接
if (conn.raddr and
conn.raddr.port in [27042, 27043, 27044, 27045]):
behavioral_indicators.append({
'type': 'network_connection',
'remote_port': conn.raddr.port,
'local_port': conn.laddr.port,
'status': conn.status
})
# 检查异常的系统调用模式
# 这里只是示例,实际需要更复杂的行为分析
current_proc = psutil.Process()
cpu_percent = current_proc.cpu_percent(interval=1)
if cpu_percent > 50: # 高 CPU 使用率可能表示调试活动
behavioral_indicators.append({
'type': 'high_cpu_usage',
'cpu_percent': cpu_percent,
'note': 'May indicate debugging activity'
})
except Exception as e:
print(f"Behavior detection error: {e}")
return {
'method': 'behavior_detection',
'detected': len(behavioral_indicators) > 0,
'details': behavioral_indicators
}
def run_detection(self):
"""运行所有检测方法"""
results = []
print("[FridaDetection] Starting comprehensive Frida detection...")
for method in self.detection_methods:
try:
result = method()
results.append(result)
if result['detected']:
print(f"[DETECTED] {result['method']}: {len(result['details'])} indicators found")
else:
print(f"[CLEAN] {result['method']}: No indicators found")
except Exception as e:
print(f"[ERROR] {method.__name__}: {e}")
results.append({
'method': method.__name__,
'detected': False,
'error': str(e)
})
return results
def start_continuous_monitoring(self, interval=30):
"""启动连续监控"""
if self.is_monitoring:
print("[FridaDetection] Already monitoring")
return
self.is_monitoring = True
def monitor_loop():
while self.is_monitoring:
results = self.run_detection()
# 检查是否有新的检测结果
detected_methods = [r['method'] for r in results if r['detected']]
if detected_methods:
self.trigger_callbacks(results)
time.sleep(interval)
self.monitor_thread = threading.Thread(target=monitor_loop, daemon=True)
self.monitor_thread.start()
print(f"[FridaDetection] Started continuous monitoring (interval: {interval}s)")
def stop_monitoring(self):
"""停止监控"""
self.is_monitoring = False
print("[FridaDetection] Stopped monitoring")
def add_detection_callback(self, callback):
"""添加检测回调"""
self.callbacks.append(callback)
def trigger_callbacks(self, results):
"""触发检测回调"""
for callback in self.callbacks:
try:
callback(results)
except Exception as e:
print(f"Callback error: {e}")
def generate_report(self, results):
"""生成检测报告"""
report = {
'timestamp': time.time(),
'total_methods': len(results),
'detected_methods': len([r for r in results if r['detected']]),
'detection_rate': 0,
'results': results
}
if report['total_methods'] > 0:
report['detection_rate'] = report['detected_methods'] / report['total_methods']
return report
# Android 应用内检测脚本
def get_android_detection_script():
"""获取 Android 应用内的 Frida 检测脚本"""
return """
Java.perform(function() {
console.log("[AntiDebug] Starting Frida detection in Android app");
// 1. 检测 Frida 类和方法
detectFridaClasses();
// 2. 检测异常的 ClassLoader
detectAbnormalClassLoader();
// 3. 检测 Hook 痕迹
detectHookTraces();
// 4. 检测调试器
detectDebugger();
// 5. 检测模拟器环境
detectEmulator();
});
function detectFridaClasses() {
try {
// 尝试加载 Frida 相关类
var fridaClasses = [
"re.frida.Gadget",
"com.android.internal.os.ZygoteInit",
"de.robv.android.xposed.XposedBridge"
];
fridaClasses.forEach(function(className) {
try {
Java.use(className);
send({
type: 'detection',
method: 'frida_class_detection',
detected: true,
details: 'Found Frida class: ' + className
});
} catch (e) {
// 类不存在,正常情况
}
});
// 检查当前 ClassLoader
var currentClassLoader = Java.vm.tryGetEnv().getClassLoader();
var classLoaderName = currentClassLoader.getClass().getName();
if (classLoaderName.indexOf("frida") !== -1 ||
classLoaderName.indexOf("gadget") !== -1) {
send({
type: 'detection',
method: 'classloader_detection',
detected: true,
details: 'Suspicious ClassLoader: ' + classLoaderName
});
}
} catch (e) {
console.log("[-] Frida class detection error: " + e);
}
}
function detectAbnormalClassLoader() {
try {
var Thread = Java.use("java.lang.Thread");
var currentThread = Thread.currentThread();
var contextClassLoader = currentThread.getContextClassLoader();
if (contextClassLoader) {
var loaderClass = contextClassLoader.getClass().getName();
// 检查可疑的 ClassLoader
var suspiciousLoaders = [
"dalvik.system.InMemoryDexClassLoader",
"dalvik.system.BaseDexClassLoader"
];
suspiciousLoaders.forEach(function(suspiciousLoader) {
if (loaderClass.indexOf(suspiciousLoader) !== -1) {
send({
type: 'detection',
method: 'abnormal_classloader',
detected: true,
details: 'Found suspicious ClassLoader: ' + loaderClass
});
}
});
}
} catch (e) {
console.log("[-] ClassLoader detection error: " + e);
}
}
function detectHookTraces() {
try {
// 检查方法是否被 Hook
var String = Java.use("java.lang.String");
var originalEquals = String.equals;
// 尝试检测方法是否被修改
if (originalEquals.implementation !== originalEquals) {
send({
type: 'detection',
method: 'hook_trace_detection',
detected: true,
details: 'String.equals method appears to be hooked'
});
}
// 检查堆栈跟踪中的 Frida 痕迹
try {
throw new Error("Stack trace check");
} catch (e) {
var stackTrace = e.stack;
if (stackTrace.indexOf("frida") !== -1 ||
stackTrace.indexOf("gum") !== -1) {
send({
type: 'detection',
method: 'stack_trace_detection',
detected: true,
details: 'Frida traces found in stack trace'
});
}
}
} catch (e) {
console.log("[-] Hook trace detection error: " + e);
}
}
function detectDebugger() {
try {
var Debug = Java.use("android.os.Debug");
// 检查调试器连接
var isDebuggerConnected = Debug.isDebuggerConnected();
if (isDebuggerConnected) {
send({
type: 'detection',
method: 'debugger_detection',
detected: true,
details: 'Debugger is connected'
});
}
// 检查等待调试器
var waitingForDebugger = Debug.waitingForDebugger();
if (waitingForDebugger) {
send({
type: 'detection',
method: 'debugger_detection',
detected: true,
details: 'Waiting for debugger'
});
}
} catch (e) {
console.log("[-] Debugger detection error: " + e);
}
}
function detectEmulator() {
try {
var Build = Java.use("android.os.Build");
// 检查模拟器特征
var emulatorIndicators = [
{ field: "BOARD", patterns: ["goldfish", "ranchu", "sdk"] },
{ field: "BOOTLOADER", patterns: ["unknown"] },
{ field: "BRAND", patterns: ["generic", "google"] },
{ field: "DEVICE", patterns: ["generic", "goldfish", "ranchu"] },
{ field: "HARDWARE", patterns: ["goldfish", "ranchu"] },
{ field: "MODEL", patterns: ["sdk", "emulator", "Android SDK"] },
{ field: "PRODUCT", patterns: ["sdk", "google_sdk", "sdk_google"] }
];
emulatorIndicators.forEach(function(indicator) {
try {
var fieldValue = Build[indicator.field].value.toLowerCase();
indicator.patterns.forEach(function(pattern) {
if (fieldValue.indexOf(pattern) !== -1) {
send({
type: 'detection',
method: 'emulator_detection',
detected: true,
details: 'Emulator indicator: ' + indicator.field + ' = ' + fieldValue
});
}
});
} catch (e) {
// 字段不存在或无法访问
}
});
} catch (e) {
console.log("[-] Emulator detection error: " + e);
}
}
"""
# 使用示例
def main():
# 创建检测系统
detector = FridaDetectionSystem()
# 添加检测回调
def on_frida_detected(results):
print("\n[ALERT] Frida detected!")
for result in results:
if result['detected']:
print(f"Method: {result['method']}")
print(f"Details: {result['details']}")
detector.add_detection_callback(on_frida_detected)
# 运行一次性检测
print("Running one-time detection...")
results = detector.run_detection()
# 生成报告
report = detector.generate_report(results)
print(f"\nDetection Report:")
print(f"Detection Rate: {report['detection_rate']:.2%}")
print(f"Methods Detected: {report['detected_methods']}/{report['total_methods']}")
# 启动连续监控
print("\nStarting continuous monitoring...")
detector.start_continuous_monitoring(interval=10)
try:
# 保持监控运行
time.sleep(60)
except KeyboardInterrupt:
print("\nStopping monitoring...")
finally:
detector.stop_monitoring()
if __name__ == "__main__":
main()
反 Frida 技术
应用层防护
// anti_frida_protection.js - 反 Frida 防护脚本
Java.perform(function() {
console.log("[AntiDebug] Loading anti-Frida protection");
// 1. 实现多层检测
implementMultiLayerDetection();
// 2. 代码混淆和反调试
implementCodeObfuscation();
// 3. 完整性检查
implementIntegrityChecks();
// 4. 环境检测
implementEnvironmentChecks();
// 5. 动态防护
implementDynamicProtection();
});
function implementMultiLayerDetection() {
try {
// 检测 1: 检查异常的类加载器
checkAbnormalClassLoaders();
// 检测 2: 检查方法 Hook 痕迹
checkMethodHookTraces();
// 检测 3: 检查内存中的 Frida 特征
checkMemorySignatures();
// 检测 4: 检查网络连接
checkNetworkConnections();
// 检测 5: 检查文件系统
checkFileSystem();
} catch (e) {
console.log("[-] Multi-layer detection error: " + e);
}
}
function checkAbnormalClassLoaders() {
try {
var Thread = Java.use("java.lang.Thread");
var ClassLoader = Java.use("java.lang.ClassLoader");
// 检查当前线程的 ClassLoader
var currentThread = Thread.currentThread();
var contextClassLoader = currentThread.getContextClassLoader();
if (contextClassLoader) {
var loaderClassName = contextClassLoader.getClass().getName();
// 检查可疑的 ClassLoader 类型
var suspiciousLoaders = [
"dalvik.system.InMemoryDexClassLoader",
"java.net.URLClassLoader",
"dalvik.system.DexClassLoader"
];
if (suspiciousLoaders.some(loader => loaderClassName.includes(loader))) {
triggerAntiDebugResponse("Suspicious ClassLoader detected: " + loaderClassName);
}
}
// Hook ClassLoader.loadClass 来检测动态加载
ClassLoader.loadClass.overload('java.lang.String').implementation = function(name) {
if (name.includes("frida") || name.includes("gum") || name.includes("gadget")) {
triggerAntiDebugResponse("Attempt to load Frida class: " + name);
throw new Error("Class loading blocked");
}
return this.loadClass(name);
};
} catch (e) {
console.log("[-] ClassLoader check error: " + e);
}
}
function checkMethodHookTraces() {
try {
// 创建一个测试方法来检查是否被 Hook
var TestClass = Java.registerClass({
name: 'com.antifrida.TestClass',
methods: {
testMethod: {
returnType: 'java.lang.String',
argumentTypes: [],
implementation: function() {
return "original_result";
}
}
}
});
var testInstance = TestClass.$new();
// 定期检查方法是否返回预期结果
setInterval(function() {
var result = testInstance.testMethod();
if (result !== "original_result") {
triggerAntiDebugResponse("Test method hook detected");
}
}, 5000);
// 检查关键系统方法
checkSystemMethodIntegrity();
} catch (e) {
console.log("[-] Method hook trace check error: " + e);
}
}
function checkSystemMethodIntegrity() {
try {
var String = Java.use("java.lang.String");
var originalEquals = String.equals;
// 创建一个已知的测试
var testString1 = String.$new("test");
var testString2 = String.$new("test");
// 检查 equals 方法是否正常工作
if (!testString1.equals(testString2)) {
triggerAntiDebugResponse("String.equals method compromised");
}
// 检查方法是否被替换
setTimeout(function() {
if (String.equals !== originalEquals) {
triggerAntiDebugResponse("String.equals method replaced");
}
}, 1000);
} catch (e) {
console.log("[-] System method integrity check error: " + e);
}
}
function checkMemorySignatures() {
try {
// 检查内存中的 Frida 特征字符串
var Runtime = Java.use("java.lang.Runtime");
var runtime = Runtime.getRuntime();
// 尝试检测内存中的 Frida 相关字符串
// 这需要更底层的实现,这里只是示例
// 检查系统属性
var System = Java.use("java.lang.System");
var suspiciousProps = [
"frida.version",
"frida.agent",
"ro.debuggable"
];
suspiciousProps.forEach(function(prop) {
var value = System.getProperty(prop);
if (value !== null) {
triggerAntiDebugResponse("Suspicious system property: " + prop + " = " + value);
}
});
} catch (e) {
console.log("[-] Memory signature check error: " + e);
}
}
function checkNetworkConnections() {
try {
// 检查是否有到 Frida 默认端口的连接
var Socket = Java.use("java.net.Socket");
// Hook Socket 构造函数来检测连接
Socket.$init.overload('java.lang.String', 'int').implementation = function(host, port) {
var fridaPorts = [27042, 27043, 27044, 27045];
if (fridaPorts.includes(port)) {
triggerAntiDebugResponse("Attempt to connect to Frida port: " + port);
throw new Error("Connection blocked");
}
this.$init(host, port);
};
} catch (e) {
console.log("[-] Network connection check error: " + e);
}
}
function checkFileSystem() {
try {
var File = Java.use("java.io.File");
// Hook File 构造函数来检测 Frida 文件访问
File.$init.overload('java.lang.String').implementation = function(pathname) {
var fridaPaths = [
"/data/local/tmp/frida-server",
"/data/local/tmp/frida-agent",
"/system/bin/frida-server"
];
if (fridaPaths.some(path => pathname.includes(path))) {
triggerAntiDebugResponse("Attempt to access Frida file: " + pathname);
throw new Error("File access blocked");
}
this.$init(pathname);
};
} catch (e) {
console.log("[-] File system check error: " + e);
}
}
function implementCodeObfuscation() {
try {
// 1. 字符串混淆
obfuscateStrings();
// 2. 控制流混淆
obfuscateControlFlow();
// 3. 反射调用混淆
obfuscateReflectionCalls();
} catch (e) {
console.log("[-] Code obfuscation error: " + e);
}
}
function obfuscateStrings() {
// 字符串解密函数
function decryptString(encrypted) {
// 简单的 XOR 解密示例
var key = 0xAA;
var decrypted = "";
for (var i = 0; i < encrypted.length; i++) {
decrypted += String.fromCharCode(encrypted.charCodeAt(i) ^ key);
}
return decrypted;
}
// 使用加密字符串
var encryptedFrida = "\u00c7\u00d8\u00c3\u00c4\u00c5"; // "frida" XOR 0xAA
var fridaString = decryptString(encryptedFrida);
// 检查是否包含 Frida 字符串
if (fridaString === "frida") {
// 执行检测逻辑
}
}
function obfuscateControlFlow() {
// 使用复杂的控制流来隐藏检测逻辑
var checksum = 0;
var steps = [1, 3, 7, 2, 5];
for (var i = 0; i < steps.length; i++) {
checksum += steps[i];
if (checksum === 18) {
// 隐藏的检测逻辑
performHiddenDetection();
}
}
}
function obfuscateReflectionCalls() {
try {
// 使用反射来隐藏方法调用
var Class = Java.use("java.lang.Class");
var Method = Java.use("java.lang.reflect.Method");
// 动态获取类和方法
var debugClass = Class.forName("android.os.Debug");
var isDebuggerConnectedMethod = debugClass.getMethod("isDebuggerConnected");
var isConnected = isDebuggerConnectedMethod.invoke(null);
if (isConnected) {
triggerAntiDebugResponse("Debugger detected via reflection");
}
} catch (e) {
console.log("[-] Reflection obfuscation error: " + e);
}
}
function implementIntegrityChecks() {
try {
// 1. 代码完整性检查
checkCodeIntegrity();
// 2. 签名验证
verifySignature();
// 3. 校验和检查
performChecksumValidation();
} catch (e) {
console.log("[-] Integrity check error: " + e);
}
}
function checkCodeIntegrity() {
try {
// 检查关键方法的字节码
var targetMethod = Java.use("com.example.app.MainActivity").onCreate;
// 计算方法的简单校验和(示例)
var methodString = targetMethod.toString();
var checksum = 0;
for (var i = 0; i < methodString.length; i++) {
checksum += methodString.charCodeAt(i);
}
// 与预期校验和比较
var expectedChecksum = 12345; // 预先计算的值
if (checksum !== expectedChecksum) {
triggerAntiDebugResponse("Code integrity check failed");
}
} catch (e) {
console.log("[-] Code integrity check error: " + e);
}
}
function verifySignature() {
try {
var Context = Java.use("android.content.Context");
var PackageManager = Java.use("android.content.pm.PackageManager");
// 获取应用上下文
var currentApplication = Java.use("android.app.ActivityThread")
.currentApplication();
if (currentApplication) {
var packageManager = currentApplication.getPackageManager();
var packageName = currentApplication.getPackageName();
// 获取签名信息
var packageInfo = packageManager.getPackageInfo(
packageName,
PackageManager.GET_SIGNATURES.value
);
var signatures = packageInfo.signatures;
if (signatures && signatures.length > 0) {
var signature = signatures[0];
var signatureBytes = signature.toByteArray();
// 计算签名哈希
var MessageDigest = Java.use("java.security.MessageDigest");
var md = MessageDigest.getInstance("SHA-256");
var hash = md.digest(signatureBytes);
// 与预期哈希比较
var expectedHash = "expected_signature_hash";
var actualHash = bytesToHex(hash);
if (actualHash !== expectedHash) {
triggerAntiDebugResponse("Signature verification failed");
}
}
}
} catch (e) {
console.log("[-] Signature verification error: " + e);
}
}
function performChecksumValidation() {
// 定期验证关键数据的校验和
setInterval(function() {
try {
// 验证关键配置数据
var configData = "critical_config_data";
var checksum = calculateChecksum(configData);
var expectedChecksum = 54321;
if (checksum !== expectedChecksum) {
triggerAntiDebugResponse("Configuration checksum mismatch");
}
} catch (e) {
console.log("[-] Checksum validation error: " + e);
}
}, 10000);
}
function implementEnvironmentChecks() {
try {
// 1. 检查运行环境
checkRunningEnvironment();
// 2. 检查调试状态
checkDebuggingState();
// 3. 检查模拟器
checkEmulatorEnvironment();
} catch (e) {
console.log("[-] Environment check error: " + e);
}
}
function checkRunningEnvironment() {
try {
var Build = Java.use("android.os.Build");
// 检查构建类型
if (Build.TYPE.value === "eng" || Build.TYPE.value === "userdebug") {
triggerAntiDebugResponse("Running on debug build");
}
// 检查标签
if (Build.TAGS.value.includes("test-keys")) {
triggerAntiDebugResponse("Running with test keys");
}
} catch (e) {
console.log("[-] Environment check error: " + e);
}
}
function checkDebuggingState() {
try {
var Debug = Java.use("android.os.Debug");
// 定期检查调试状态
setInterval(function() {
if (Debug.isDebuggerConnected()) {
triggerAntiDebugResponse("Debugger connected");
}
if (Debug.waitingForDebugger()) {
triggerAntiDebugResponse("Waiting for debugger");
}
}, 3000);
} catch (e) {
console.log("[-] Debugging state check error: " + e);
}
}
function checkEmulatorEnvironment() {
try {
var Build = Java.use("android.os.Build");
var emulatorIndicators = [
{ field: "FINGERPRINT", patterns: ["generic", "unknown"] },
{ field: "MODEL", patterns: ["google_sdk", "Emulator", "Android SDK"] },
{ field: "MANUFACTURER", patterns: ["Genymotion", "unknown"] },
{ field: "BRAND", patterns: ["generic", "google"] }
];
emulatorIndicators.forEach(function(indicator) {
var fieldValue = Build[indicator.field].value.toLowerCase();
indicator.patterns.forEach(function(pattern) {
if (fieldValue.includes(pattern.toLowerCase())) {
triggerAntiDebugResponse("Emulator detected: " + indicator.field + " = " + fieldValue);
}
});
});
} catch (e) {
console.log("[-] Emulator check error: " + e);
}
}
function implementDynamicProtection() {
try {
// 1. 动态代码生成
generateDynamicCode();
// 2. 运行时多态
implementRuntimePolymorphism();
// 3. 自修改代码
implementSelfModifyingCode();
} catch (e) {
console.log("[-] Dynamic protection error: " + e);
}
}
function generateDynamicCode() {
// 动态生成检测代码
var detectionCode = function() {
var timestamp = Date.now();
var randomValue = Math.random();
// 基于时间和随机数生成检测逻辑
if ((timestamp + randomValue) % 2 < 1) {
performRandomDetection();
}
};
// 定期执行动态生成的代码
setInterval(detectionCode, 7000);
}
function implementRuntimePolymorphism() {
// 运行时改变检测方法的行为
var detectionMethods = [
function() { checkMethodHookTraces(); },
function() { checkMemorySignatures(); },
function() { checkNetworkConnections(); }
];
setInterval(function() {
var randomIndex = Math.floor(Math.random() * detectionMethods.length);
detectionMethods[randomIndex]();
}, 5000);
}
function implementSelfModifyingCode() {
// 自修改代码示例(概念性)
var modificationCounter = 0;
function selfModifyingDetection() {
modificationCounter++;
// 根据调用次数改变行为
if (modificationCounter % 3 === 0) {
checkAbnormalClassLoaders();
} else if (modificationCounter % 3 === 1) {
checkMethodHookTraces();
} else {
checkMemorySignatures();
}
}
setInterval(selfModifyingDetection, 8000);
}
// 反调试响应函数
function triggerAntiDebugResponse(reason) {
console.log("[ANTI-DEBUG] Triggered: " + reason);
// 响应策略
var responses = [
function() {
// 退出应用
var System = Java.use("java.lang.System");
System.exit(0);
},
function() {
// 抛出异常
throw new Error("Security violation detected");
},
function() {
// 清除敏感数据
clearSensitiveData();
},
function() {
// 发送警报到服务器
sendSecurityAlert(reason);
}
];
// 随机选择响应策略
var randomResponse = responses[Math.floor(Math.random() * responses.length)];
setTimeout(function() {
try {
randomResponse();
} catch (e) {
console.log("[-] Anti-debug response error: " + e);
}
}, Math.random() * 2000); // 随机延迟
}
// 辅助函数
function performHiddenDetection() {
// 隐藏的检测逻辑
try {
var Thread = Java.use("java.lang.Thread");
var currentThread = Thread.currentThread();
var threadName = currentThread.getName();
if (threadName.includes("frida") || threadName.includes("gum")) {
triggerAntiDebugResponse("Frida thread detected: " + threadName);
}
} catch (e) {
console.log("[-] Hidden detection error: " + e);
}
}
function performRandomDetection() {
var detections = [
checkAbnormalClassLoaders,
checkMethodHookTraces,
checkMemorySignatures
];
var randomDetection = detections[Math.floor(Math.random() * detections.length)];
randomDetection();
}
function calculateChecksum(data) {
var checksum = 0;
for (var i = 0; i < data.length; i++) {
checksum += data.charCodeAt(i);
}
return checksum;
}
function bytesToHex(bytes) {
var hex = "";
for (var i = 0; i < bytes.length; i++) {
var byte = bytes[i] & 0xFF;
hex += ("0" + byte.toString(16)).slice(-2);
}
return hex.toUpperCase();
}
function clearSensitiveData() {
// 清除敏感数据的逻辑
console.log("[Security] Clearing sensitive data");
}
function sendSecurityAlert(reason) {
// 发送安全警报到服务器
console.log("[Security] Sending alert: " + reason);
}
总结
Frida 安全研究与防护对抗的核心要点:
🎯 检测技术
- 多层检测:进程、文件、端口、库文件、内存模式
- 行为分析:网络活动、系统调用、异常模式
- 环境检测:调试器、模拟器、系统属性
- 动态监控:实时检测和持续监控
✅ 防护策略
- 代码混淆和反调试技术
- 完整性检查和签名验证
- 动态防护和自修改代码
- 多重响应机制
🚀 对抗演进
- 检测技术的不断升级
- 绕过方法的持续发展
- 攻防技术的螺旋上升
- 新技术的应用和适应
💡 平衡考虑
- 安全性与性能的平衡
- 用户体验与防护强度
- 成本效益与安全收益
- 合规性与技术实现
⚠️ 道德和法律
- 合法合规的安全研究
- 负责任的漏洞披露
- 技术滥用的防范
- 隐私保护的重视
理解攻防对抗的本质,构建更安全的应用生态!
安全研究应当在合法合规的框架内进行,技术的发展应当服务于提升整体安全水平的目标。