用JNI的方式来检测Android Service Hook爆破签名校验

文章资讯 2019-09-21 11:21:00

用JNI的方式来检测Android Service Hook爆破签名校验

被爆破签名校验.
这里我使用JNI方式来实现,也就是用C++来编写(注意:下面的代码采用的是C风格的JNI调用写法 `(*env)->...`,需要放在 .c 源文件中按C编译;若按C++编译,应改写为 `env->...`).
代码如下:

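/* Defined further down in this file. Declared here so the call below sees a
 * jobject return type; without a prototype a C compiler may assume `int`,
 * which truncates the reference on 64-bit targets. */
jobject getCurrentPMSObject(JNIEnv *env);

/**
 * Reports whether the package-manager object returned by
 * getCurrentPMSObject() is a java.lang.reflect.Proxy instance, i.e. whether
 * it has been replaced by a dynamic proxy.
 *
 * @param env JNI environment of the calling thread.
 * @return 1 if the object is an instance of java.lang.reflect.Proxy,
 *         0 otherwise. 0 is also returned when the check could not be
 *         carried out (no object obtained, or the Proxy class could not be
 *         resolved), so 0 is not proof that nothing was replaced.
 *
 * NOTE(review): this only inspects the one reference handed back by
 * getCurrentPMSObject(), and it runs inside the process it is inspecting.
 * Treat the result as one signal among several and keep an independent
 * (e.g. server-side) signature verification.
 */
int isHookPMS(JNIEnv *env){
        int hooked = 0;
        jobject cPMSO = getCurrentPMSObject(env);

        /* A failed lookup can leave a Java exception pending; making further
         * JNI calls with an exception pending is not allowed. */
        if ((*env)->ExceptionCheck(env)) {
                (*env)->ExceptionClear(env);
        }

        /* Guard against a null reference: IsInstanceOf() reports JNI_TRUE
         * for null, and GetObjectClass() on null crashes. */
        if (cPMSO) {
                jclass proxyClass = (*env)->FindClass(env, "java/lang/reflect/Proxy");
                if (proxyClass) {
                        /* Dynamic proxy classes extend java.lang.reflect.Proxy,
                         * so an instance-of test covers the same case as the
                         * earlier superclass comparison without having to
                         * handle a null superclass. */
                        if ((*env)->IsInstanceOf(env, cPMSO, proxyClass)) {
                                hooked = 1;
                        }
                        (*env)->DeleteLocalRef(env, proxyClass);
                } else {
                        /* FindClass failed and left an exception pending. */
                        (*env)->ExceptionClear(env);
                }
                (*env)->DeleteLocalRef(env, cPMSO);
        }

        return hooked;
}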


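/**
 * Reads the static field android.app.ActivityThread.sPackageManager
 * (declared type android.content.pm.IPackageManager).
 *
 * @param env JNI environment of the calling thread.
 * @return a new local reference to the field's current value, or a null
 *         reference when the class or field cannot be resolved or the field
 *         is unset. The caller owns the returned local reference and should
 *         release it with DeleteLocalRef(). No Java exception is left
 *         pending on return.
 *
 * NOTE(review): sPackageManager is a non-SDK field; whether it is
 * accessible may depend on the platform version, so callers must handle a
 * null result.
 */
jobject getCurrentPMSObject(JNIEnv *env){
        jobject sPackageManager = 0;    /* null reference until the lookup succeeds */
        jfieldID sPackageManagerFieldId;
        jclass activityThreadClass = (*env)->FindClass(env,"android/app/ActivityThread");

        if (!activityThreadClass) {
                /* FindClass failed and left an exception pending. */
                (*env)->ExceptionClear(env);
                return sPackageManager;
        }

        sPackageManagerFieldId = (*env)->GetStaticFieldID(env,activityThreadClass,"sPackageManager","Landroid/content/pm/IPackageManager;");
        if (sPackageManagerFieldId) {
                /* A static field is read through its declaring class. The
                 * earlier code passed an ActivityThread instance here, which
                 * is not a valid jclass argument, and obtained that instance
                 * through a currentActivityThread() call that a static read
                 * does not need. */
                sPackageManager = (*env)->GetStaticObjectField(env,activityThreadClass,sPackageManagerFieldId);
        }
        if ((*env)->ExceptionCheck(env)) {
                (*env)->ExceptionClear(env);
        }

        /* Only object references are released here: jmethodID/jfieldID
         * values are not local references and must not be passed to
         * DeleteLocalRef(). */
        (*env)->DeleteLocalRef(env, activityThreadClass);
        return sPackageManager;
}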

测试APP链接:https://pan.baidu.com/s/1q4hPBivmyns98dMwAbGBMQ 提取码:5168