安卓逆向环境检测--抓包

一、代理检测

一般是通过 System.getProperty 方法读取 http.proxyHost 和 http.proxyPort 两个系统属性的值,两者长度都不小于2时即认为设置了代理。这种方式只能发现系统级的HTTP代理设置,属于启发式检测,不能代替证书校验等传输层防护。代码如下:

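/**
 * Heuristic check for a system-level HTTP proxy.
 *
 * Calls java.lang.System.getProperty() for "http.proxyHost" and
 * "http.proxyPort" through JNI and treats the device as proxied when both
 * values are at least two characters long.
 *
 * System.getProperty() returns null when a property is not set, so every
 * JNI result is null-checked before it is dereferenced; passing a null
 * jstring to GetStringUTFChars is invalid.
 *
 * The properties are read from an environment the device owner controls, so
 * the result is a signal only and should be combined with transport-level
 * protections such as certificate validation/pinning.
 *
 * NOTE(review): whether Method::callStaticMethodObject clears a pending Java
 * exception is not visible here -- confirm before relying on the results.
 *
 * @param env JNI environment of the calling thread.
 */
UNEXPORT void AntiCapture::check_proxy(JNIEnv *env) {
    // Property keys are decrypted at run time ("http.proxyHost" / "http.proxyPort").
    jstring jsproxyHost = env->NewStringUTF(GlobalString::encrypt(GlobalString::str_AntiCapture_proxyHost));
    jstring jsproxyPort = env->NewStringUTF(GlobalString::encrypt(GlobalString::str_AntiCapture_proxyPort));

    jstring proxyHost = nullptr;
    jstring proxyPort = nullptr;

    // NewStringUTF returns null on allocation failure; skip the lookups then.
    if (jsproxyHost != nullptr && jsproxyPort != nullptr) {
        proxyHost = static_cast<jstring>(Method::callStaticMethodObject(env, GlobalString::encrypt(GlobalString::str_AntiCapture_System),
                                                                        GlobalString::encrypt(GlobalString::str_AntiCapture_getProperty),
                                                                        GlobalString::encrypt(GlobalString::str_AntiCapture_SiggetProperty),
                                                                        jsproxyHost));
        proxyPort = static_cast<jstring>(Method::callStaticMethodObject(env, GlobalString::encrypt(GlobalString::str_AntiCapture_System),
                                                                        GlobalString::encrypt(GlobalString::str_AntiCapture_getProperty),
                                                                        GlobalString::encrypt(GlobalString::str_AntiCapture_SiggetProperty),
                                                                        jsproxyPort));
    }

    // A null value means the property is unset, i.e. no proxy is configured.
    if (proxyHost != nullptr && proxyPort != nullptr) {
        const char *cproxyHost = env->GetStringUTFChars(proxyHost, nullptr);
        const char *cproxyPort = env->GetStringUTFChars(proxyPort, nullptr);

        if (cproxyHost != nullptr && cproxyPort != nullptr) {
            // NOTE(review): these lines put the proxy endpoint and the verdict
            // into logcat; presumably LOGI is compiled out of release builds -- confirm.
            LOGI("native http.proxyHost = %s", cproxyHost);
            LOGI("native http.proxyPort = %s", cproxyPort);

            // Str::strlen is called with char* as in the original code, hence the casts.
            if (Str::strlen(const_cast<char *>(cproxyHost)) >= 2 && Str::strlen(const_cast<char *>(cproxyPort)) >= 2){
                // TODO: proxy is enabled -- react here
                LOGI("check_proxy find proxy");
            }
        }

        if (cproxyHost != nullptr) {
            env->ReleaseStringUTFChars(proxyHost, cproxyHost);
        }
        if (cproxyPort != nullptr) {
            env->ReleaseStringUTFChars(proxyPort, cproxyPort);
        }
    }

    // Drop every local reference created here, including the returned values.
    if (proxyHost != nullptr) {
        env->DeleteLocalRef(proxyHost);
    }
    if (proxyPort != nullptr) {
        env->DeleteLocalRef(proxyPort);
    }
    if (jsproxyHost != nullptr) {
        env->DeleteLocalRef(jsproxyHost);
    }
    if (jsproxyPort != nullptr) {
        env->DeleteLocalRef(jsproxyPort);
    }
}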

二、VPN检测

一般是遍历NetworkInterface,对已启用(isUp)且绑定了地址的接口取其name,判断是否为tun0或者ppp0。注意这里是对这两个名称做精确匹配,代码如下:

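/**
 * Heuristic check for an active VPN interface.
 *
 * Lists java.net.NetworkInterface objects through JNI
 * (getNetworkInterfaces -> Collections.list -> ArrayList.get) and, for each
 * interface that is up and has at least one interface address, compares its
 * name with "tun0" and "ppp0" (exact match).
 *
 * Every JNI result is null-checked before use, and the local references
 * created per interface are deleted inside the loop so that a long interface
 * list does not exhaust the JNI local reference table.
 *
 * The interface list is reported by a device the user controls, and only two
 * exact names are matched, so treat the result as one signal among several.
 *
 * NOTE(review): getNetworkInterfaces() and isUp() can throw SocketException;
 * whether the Method:: helpers clear a pending exception is not visible here.
 *
 * @param env JNI environment of the calling thread.
 */
UNEXPORT void AntiCapture::check_VPN(JNIEnv *env) {
    jobject objEnumeration = Method::callStaticMethodObject(env,
                                                            GlobalString::encrypt(GlobalString::str_AntiCapture_NetworkInterface),
                                                            GlobalString::encrypt(GlobalString::str_AntiCapture_getNetworkInterfaces),
                                                            GlobalString::encrypt(GlobalString::str_AntiCapture_Enumeration));
    LOGI("check_VPN objEnumeration %p", objEnumeration);
    if (objEnumeration != nullptr){
        // Collections.list() copies the Enumeration into an ArrayList so it can be indexed.
        jobject objArrayList = Method::callStaticMethodObject(env,
                                                              GlobalString::encrypt(GlobalString::str_AntiCapture_Collections),
                                                              GlobalString::encrypt(GlobalString::str_AntiCapture_list),
                                                              GlobalString::encrypt(GlobalString::str_AntiCapture_Siglist),
                                                              objEnumeration);
        LOGI("check_VPN objArrayList %p", objArrayList);

        if (objArrayList != nullptr){
            jint len = Method::callMethodInt(env, objArrayList,
                                             GlobalString::encrypt(GlobalString::str_AntiCapture_ArrayList),
                                             GlobalString::encrypt(GlobalString::str_AntiCapture_size),
                                             GlobalString::encrypt(GlobalString::str_AntiCapture_Sigsize));
            LOGI("check_VPN len %d", len);

            for (int i = 0; i < len; i++){
                jobject objNetworkInterface = Method::callMethodObject(env, objArrayList,
                                                                       GlobalString::encrypt(GlobalString::str_AntiCapture_ArrayList),
                                                                       GlobalString::encrypt(GlobalString::str_AntiCapture_get),
                                                                       GlobalString::encrypt(GlobalString::str_AntiCapture_Object),
                                                                       i);
                LOGI("check_VPN objNetworkInterface %p  i=%d", objNetworkInterface, i);
                if (objNetworkInterface == nullptr){
                    continue;
                }

                jboolean bIsUp = Method::callMethodBoolean(env, objNetworkInterface,
                                                           GlobalString::encrypt(GlobalString::str_AntiCapture_NetworkInterface),
                                                           GlobalString::encrypt(GlobalString::str_AntiCapture_isUp),
                                                           GlobalString::encrypt(GlobalString::str_AntiCapture_SigisUp));
                // Interfaces that are down are skipped.
                if (bIsUp){
                    jobject objInterfaceAddresses = Method::callMethodObject(env, objNetworkInterface,
                                                                             GlobalString::encrypt(GlobalString::str_AntiCapture_NetworkInterface),
                                                                             GlobalString::encrypt(GlobalString::str_AntiCapture_getInterfaceAddresses),
                                                                             GlobalString::encrypt(GlobalString::str_AntiCapture_List));
                    LOGI("check_VPN objInterfaceAddresses %p", objInterfaceAddresses);

                    if (objInterfaceAddresses != nullptr){
                        // NOTE(review): str_AntiCapture_List is listed as the signature
                        // "()Ljava/util/List;" but is passed in the class-name position
                        // here; verify how Method::callMethodInt resolves the class.
                        jint size = Method::callMethodInt(env, objInterfaceAddresses,
                                                          GlobalString::encrypt(GlobalString::str_AntiCapture_List),
                                                          GlobalString::encrypt(GlobalString::str_AntiCapture_size),
                                                          GlobalString::encrypt(GlobalString::str_AntiCapture_Sigsize));
                        LOGI("check_VPN size %d", size);

                        // Interfaces without any address are skipped.
                        if (size != 0){
                            jstring jsName = static_cast<jstring>(Method::callMethodObject(env,
                                                                                            objNetworkInterface,
                                                                                            GlobalString::encrypt(GlobalString::str_AntiCapture_NetworkInterface),
                                                                                            GlobalString::encrypt(GlobalString::str_AntiCapture_getName),
                                                                                            GlobalString::encrypt(GlobalString::str_AntiCapture_String)));
                            LOGI("check_VPN jsName %p", jsName);

                            if (jsName != nullptr){
                                const char* charName = env->GetStringUTFChars(jsName, nullptr);
                                if (charName != nullptr){
                                    LOGI("check_VPN charName  ------------------------> < %s >", charName);

                                    // Str::strcmp is called with char* as in the original code, hence the casts.
                                    if (Str::strcmp(const_cast<char *>(charName), const_cast<char *>(GlobalString::encrypt(GlobalString::str_AntiCapture_tun0))) == 0 ||
                                            Str::strcmp(const_cast<char *>(charName), const_cast<char *>(GlobalString::encrypt(GlobalString::str_AntiCapture_ppp0))) == 0){
                                        // TODO: VPN detected -- react here
                                        LOGI("check_VPN   ----------------------------------> 发现开启VPN");
                                    }

                                    env->ReleaseStringUTFChars(jsName, charName);
                                }
                                env->DeleteLocalRef(jsName);
                            }
                        }
                        env->DeleteLocalRef(objInterfaceAddresses);
                    }
                }

                // Released on every path so references do not pile up per iteration.
                env->DeleteLocalRef(objNetworkInterface);
            }
            env->DeleteLocalRef(objArrayList);
        }
        env->DeleteLocalRef(objEnumeration);
    }
    LOGI("check_VPN over");
}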

说明:我整个项目的代码都是用native实现,还加了字符串解密,上面两部分代码中的原字符串如下:

    // Encrypted string constants referenced by AntiCapture::check_proxy and
    // AntiCapture::check_VPN via GlobalString::encrypt(). The trailing comment
    // on each line is the plaintext value the author lists for that constant:
    // JNI class names use the slash form, "Sig*" and type-named entries are
    // JNI method signatures, the rest are method, property or interface names.
    static ENCRYPTSTRING str_AntiCapture_proxyHost;            // http.proxyHost
    static ENCRYPTSTRING str_AntiCapture_proxyPort;            // http.proxyPort
    static ENCRYPTSTRING str_AntiCapture_System;               // java/lang/System
    static ENCRYPTSTRING str_AntiCapture_getProperty;          // getProperty
    static ENCRYPTSTRING str_AntiCapture_SiggetProperty;       // (Ljava/lang/String;)Ljava/lang/String;
    static ENCRYPTSTRING str_AntiCapture_NetworkInterface;     // java/net/NetworkInterface
    static ENCRYPTSTRING str_AntiCapture_getNetworkInterfaces; // getNetworkInterfaces
    static ENCRYPTSTRING str_AntiCapture_Enumeration;          // ()Ljava/util/Enumeration;
    static ENCRYPTSTRING str_AntiCapture_Collections;          // java/util/Collections
    static ENCRYPTSTRING str_AntiCapture_list;                 // list
    static ENCRYPTSTRING str_AntiCapture_Siglist;              // (Ljava/util/Enumeration;)Ljava/util/ArrayList;
    static ENCRYPTSTRING str_AntiCapture_ArrayList;            // java/util/ArrayList
    static ENCRYPTSTRING str_AntiCapture_size;                 // size
    static ENCRYPTSTRING str_AntiCapture_Sigsize;              // ()I
    static ENCRYPTSTRING str_AntiCapture_get;                  // get
    static ENCRYPTSTRING str_AntiCapture_Object;               // (I)Ljava/lang/Object;
    static ENCRYPTSTRING str_AntiCapture_isUp;                 // isUp
    static ENCRYPTSTRING str_AntiCapture_SigisUp;              // ()Z
    static ENCRYPTSTRING str_AntiCapture_getInterfaceAddresses;// getInterfaceAddresses
    // NOTE(review): the value below is a method signature, yet check_VPN also
    // passes this constant in the class-name position of its size() call -- verify.
    static ENCRYPTSTRING str_AntiCapture_List;                 // ()Ljava/util/List;
    static ENCRYPTSTRING str_AntiCapture_getName;              // getName
    static ENCRYPTSTRING str_AntiCapture_String;               // ()Ljava/lang/String;
    static ENCRYPTSTRING str_AntiCapture_tun0;                 // tun0
    static ENCRYPTSTRING str_AntiCapture_ppp0;                 // ppp0
