恶意用户识别？——Java 层反模拟器、反Hook、反多开技巧

2401_84002730

于 2024-05-03 10:35:03 发布

阅读量576

点赞数 26

分类专栏：程序员文章标签： java python 开发语言

本文链接：https://blog.csdn.net/2401_84002730/article/details/138411419

版权

程序员专栏收录该内容

196 篇文章 0 订阅

订阅专栏

Build.MODEL.equals(“Android SDK built for x86”)) {
return true;
}
if (Build.HARDWARE.equals(“vbox86”) ||
Build.HARDWARE.contains(“nox”) ||
Build.HARDWARE.contains(“ttVM_x86”)) {
return true;
}
if (Build.FINGERPRINT.contains(“generic/sdk/generic”) ||
Build.FINGERPRINT.contains(“generic_x86/sdk_x86/generic_x86”) ||
Build.FINGERPRINT.contains(“Andy”) ||
Build.FINGERPRINT.contains(“ttVM_Hdragon”) ||
Build.FINGERPRINT.contains(“generic/google_sdk/generic”) ||
Build.FINGERPRINT.contains(“vbox86p”) ||
Build.FINGERPRINT.contains(“generic/vbox86p/vbox86p”)) {
return true;
}
return false;
}

还有的特征只是疑似，但不确定，对于这些特征，可以集合起来做一个疑似度评分，评分达到一定程度就标记为模拟器：

int newRating = 0;
if (rating < 0) {
if (Build.PRODUCT.contains(“sdk”) ||
Build.PRODUCT.contains(“Andy”) ||
Build.PRODUCT.contains(“ttVM_Hdragon”) ||
Build.PRODUCT.contains(“google_sdk”) ||
Build.PRODUCT.contains(“Droid4X”) ||
Build.PRODUCT.contains(“nox”) ||
Build.PRODUCT.contains(“sdk_x86”) ||
Build.PRODUCT.contains(“sdk_google”) ||
Build.PRODUCT.contains(“vbox86p”)) {
newRating++;
}

if (Build.MANUFACTURER.equals(“unknown”) ||
Build.MANUFACTURER.equals(“Genymotion”) ||
Build.MANUFACTURER.contains(“Andy”) ||
Build.MANUFACTURER.contains(“MIT”) ||
Build.MANUFACTURER.contains(“nox”) ||
Build.MANUFACTURER.contains(“TiantianVM”)) {
newRating++;
}

if (Build.BRAND.equals(“generic”) ||
Build.BRAND.equals(“generic_x86”) ||
Build.BRAND.equals(“TTVM”) ||
Build.BRAND.contains(“Andy”)) {
newRating++;
}

if (Build.DEVICE.contains(“generic”) ||
Build.DEVICE.contains(“generic_x86”) ||
Build.DEVICE.contains(“Andy”) ||
Build.DEVICE.contains(“ttVM_Hdragon”) ||
Build.DEVICE.contains(“Droid4X”) ||
Build.DEVICE.contains(“nox”) ||
Build.DEVICE.contains(“generic_x86_64”) ||
Build.DEVICE.contains(“vbox86p”)) {
newRating++;
}

if (Build.MODEL.equals(“sdk”) ||
Build.MODEL.contains(“Emulator”) ||
Build.MODEL.equals(“google_sdk”) ||
Build.MODEL.contains(“Droid4X”) ||
Build.MODEL.contains(“TiantianVM”) ||
Build.MODEL.contains(“Andy”) ||
Build.MODEL.equals(“Android SDK built for x86_64”) ||
Build.MODEL.equals(“Android SDK built for x86”)) {
newRating++;
}

if (Build.HARDWARE.equals(“goldfish”) ||
Build.HARDWARE.equals(“vbox86”) ||
Build.HARDWARE.contains(“nox”) ||
Build.HARDWARE.contains(“ttVM_x86”)) {
newRating++;
}

if (Build.FINGERPRINT.contains(“generic/sdk/generic”) ||
Build.FINGERPRINT.contains(“generic_x86/sdk_x86/generic_x86”) ||
Build.FINGERPRINT.contains(“Andy”) ||
Build.FINGERPRINT.contains(“ttVM_Hdragon”) ||
Build.FINGERPRINT.contains(“generic_x86_64”) ||
Build.FINGERPRINT.contains(“generic/google_sdk/generic”) ||
Build.FINGERPRINT.contains(“vbox86p”) ||
Build.FINGERPRINT.contains(“generic/vbox86p/vbox86p”)) {
newRating++;
}

try {
String opengl = android.opengl.GLES20.glGetString(android.opengl.GLES20.GL_RENDERER);
if (opengl != null) {
if (opengl.contains(“Bluestacks”) ||
opengl.contains(“Translator”)
)
newRating += 10;
}
} catch (Exception e) {
e.printStackTrace();
}

try {
File sharedFolder = new File(Environment
.getExternalStorageDirectory().toString()

File.separatorChar
“windows”
File.separatorChar
“BstSharedFolder”);

if (sharedFolder.exists()) {
newRating += 10;
}
} catch (Exception e) {
e.printStackTrace();
}
rating = newRating;
}
return rating > 3;//不能再少了，否则有可能误判，若增减了新的嫌疑度判定属性，要重新评估该值

Anti 多开

多开麻烦在于真机多开，具备真机特征，模拟器的检测就失效了，因为它就是真机。应对方法：普通的软多开，一般绕不过uid，还是用宿主的。因此，如果满足同一uid下的两个进程对应的包名，在"/data/data"下有两个私有目录，则违背了系统 "只为一个应用创建唯一一个私有目录"的设定，则该应用被多开了。

public static boolean isRunInVirtual() {

String filter = getUidStrFormat();

String result = exec(“ps”);
if (result == null || result.isEmpty()) {
return false;
}

String[] lines = result.split(“\n”);
if (lines == null || lines.length <= 0) {
return false;
}

int exitDirCount = 0;

for (int i = 0; i < lines.length; i++) {
if (lines[i].contains(filter)) {
int pkgStartIndex = lines[i].lastIndexOf(" “);
String processName = lines[i].substring(pkgStartIndex <= 0
? 0 : pkgStartIndex + 1, lines[i].length());
File dataFile = new File(String.format(”/data/data/%s",
processName, Locale.CHINA));
if (dataFile.exists()) {
exitDirCount++;
}
}
}

return exitDirCount > 1;
}

这个方法是在简书 JZaratustra 大佬的文章里学到的：Android虚拟机多开检测。但是有一些多开，比如小米自带的多开这种，进程好像都是隔离的独立uid的，暂时没有好办法识别。

Anti Hook

不多说了，方法都被你Hook了，你就是大爷，你说啥就是啥。应对方法：检测是否安装了xposed相关应用，检测调用栈道的可疑方法，检测并不应该native的native方法，通过/proc/[pid]/maps检测可疑的共享对象或者JAR。

检测是否安装了xposed相关应用

PackageManager packageManager = context.getPackageManager();
List applicationInfoList = packageManager.getInstalledApplications(PackageManager.GET_META_DATA);

for(ApplicationInfo applicationInfo : applicationInfoList) {
if(applicationInfo.packageName.equals(“de.robv.android.xposed.installer”)) {
Log.wtf(“HookDetection”, “Xposed found on the system.”);
}
if(applicationInfo.packageName.equals(“com.saurik.substrate”)) {
Log.wtf(“HookDetection”, “Substrate found on the system.”);
}
}

检测调用栈道的可疑方法

try {
throw new Exception(“blah”);

知其然不知其所以然，大厂常问面试技术如何复习？

1、热门面试题及答案大全

面试前做足功夫，让你面试成功率提升一截，这里一份热门350道一线互联网常问面试题及答案助你拿offer

2、多线程、高并发、缓存入门到实战项目pdf书籍

3、文中提到面试题答案整理

4、Java核心知识面试宝典

覆盖了JVM 、JAVA集合、JAVA多线程并发、JAVA基础、Spring原理、微服务、Netty与RPC、网络、日志、Zookeeper、Kafka、RabbitMQ、Hbase、MongoDB 、Cassandra、设计模式、负载均衡、数据库、一致性算法、JAVA算法、数据结构、算法、分布式缓存、Hadoop、Spark、Storm的大量技术点且讲解的非常深入

本文已被CODING开源项目：【一线大厂Java面试题解析+核心总结学习笔记+最新讲解视频+实战项目源码】收录

…(img-b8MxYxLp-1714703685918)]

[外链图片转存中…(img-BeppyDjI-1714703685918)]

[外链图片转存中…(img-OOpjnj3Q-1714703685918)]

本文已被CODING开源项目：【一线大厂Java面试题解析+核心总结学习笔记+最新讲解视频+实战项目源码】收录

2401_84002730

关注

26
点赞
踩
17

收藏

觉得还不错? 一键收藏
0
评论
恶意用户识别？——Java 层反模拟器、反Hook、反多开技巧

还有的特征只是疑似，但不确定，对于这些特征，可以集合起来做一个疑似度评分，评分达到一定程度就标记为模拟器：try {if (opengl!= null) {try {//不能再少了，否则有可能误判，若增减了新的嫌疑度判定属性，要重新评估该值。
复制链接

扫一扫