darvincisec / DetectFrida

Detect Frida for Android
MIT License
647 stars 138 forks

How to add code app crash when frida is detected?? #18

Closed jackzhouse closed 2 years ago

jackzhouse commented 2 years ago

I just implemented your code from GitHub and only see this log when the app is running:

V/DetectFrida: Libc[38][3e][3f][39][4e][65]

but I'm confused about how to make the app crash (or do something else) if Frida is detected.

darvincisec commented 2 years ago

You can modify the below functions to return a status indicating Frida detection. These calls can be included at any point you want to check, but beware of the performance impact:

detect_frida_threads
detect_frida_namedpipe
detect_frida_memdiskcompare

Also, you can remove detect_frida_loop to avoid calling the above 3 APIs in a loop. For crashing, refer to the code snippets in my other project, AntidebugandMemoryDump.
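The pattern the maintainer describes, as an added example that is not the project's own code: a detection routine that returns a status instead of only logging, a pure classifier over thread names so the decision can be tested without /proc, and a separate call site that chooses the reaction (here a deliberate abort(), which is a controlled exit rather than the accidental SIGSEGV discussed later in this thread). The function names, the status enum and the list of suspicious thread names are assumptions for illustration; the names are ones commonly associated with the Frida agent runtime and should be tuned for your own build.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status values (assumption): the project's own functions log instead of returning. */
typedef enum { FRIDA_NOT_DETECTED = 0, FRIDA_DETECTED = 1 } frida_status_t;

/* Thread names commonly seen with the Frida agent; assumption, tune for your target. */
static const char *const suspicious_thread_names[] = {
    "gmain", "gum-js-loop", "gdbus", "pool-frida"
};

/* Pure check over an array of thread names, so the decision logic is unit-testable. */
frida_status_t classify_thread_names(const char *const *names, size_t count) {
    size_t n_suspicious = sizeof(suspicious_thread_names) / sizeof(suspicious_thread_names[0]);
    for (size_t i = 0; i < count; i++) {
        for (size_t j = 0; j < n_suspicious; j++) {
            if (strcmp(names[i], suspicious_thread_names[j]) == 0) {
                return FRIDA_DETECTED;
            }
        }
    }
    return FRIDA_NOT_DETECTED;
}

/* Reads /proc/self/task/<tid>/comm for each thread of this process (Linux/Android only)
 * and returns a status instead of logging, so the caller decides what to do. */
frida_status_t detect_frida_threads_status(void) {
    DIR *dir = opendir("/proc/self/task");
    if (dir == NULL) {
        return FRIDA_NOT_DETECTED;   /* cannot inspect: report nothing rather than a false alarm */
    }
    frida_status_t result = FRIDA_NOT_DETECTED;
    struct dirent *ent;
    char path[300];
    char comm[64];
    while (result == FRIDA_NOT_DETECTED && (ent = readdir(dir)) != NULL) {
        if (ent->d_name[0] == '.') {
            continue;
        }
        snprintf(path, sizeof path, "/proc/self/task/%s/comm", ent->d_name);
        FILE *f = fopen(path, "r");
        if (f == NULL) {
            continue;
        }
        if (fgets(comm, sizeof comm, f) != NULL) {
            comm[strcspn(comm, "\n")] = '\0';     /* comm ends with a newline */
            const char *const one[] = { comm };
            result = classify_thread_names(one, 1);
        }
        fclose(f);
    }
    closedir(dir);
    return result;
}

/* The reaction lives at the call site, not inside the detector, and is invoked
 * only where the app chooses to check (no background loop). */
void react_to_status(frida_status_t status) {
    if (status == FRIDA_DETECTED) {
        abort();   /* deliberate, controlled termination */
    }
}

int main(void) {
    frida_status_t status = detect_frida_threads_status();
    printf("frida threads: %s\n", status == FRIDA_DETECTED ? "detected" : "not detected");
    react_to_status(status);
    return 0;
}
```

Calling detect_frida_threads_status() from a sensitive code path (for example before a login request) and passing the result to react_to_status() gives the on-demand check the maintainer suggests; the classifier is what you would extend if you want other name patterns or a score rather than a binary status.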

patuoynageek commented 2 years ago

Is there no crash built into the project? Is the crash below not intentional?

2021-08-09 10:29:51.930 21882-21882/com.darvin.security V/DetectFrida: Libc[38][3e][3f][39][4e][65]
2021-08-09 10:29:51.970 3753-4031/? D/MdnieScenarioControlService:  packageName : com.darvin.security    className : com.darvin.security.MainActivity
2021-08-09 10:29:51.976 3753-3762/? I/art: Background partial concurrent mark sweep GC freed 163988(13MB) AllocSpace objects, 33(716KB) LOS objects, 23% free, 52MB/68MB, paused 2.656ms total 178.015ms
2021-08-09 10:29:51.981 21882-21882/com.darvin.security W/art: Before Android 4.1, method android.graphics.PorterDuffColorFilter androidx.vectordrawable.graphics.drawable.VectorDrawableCompat.updateTintFilter(android.graphics.PorterDuffColorFilter, android.content.res.ColorStateList, android.graphics.PorterDuff$Mode) would have incorrectly overridden the package-private method in android.graphics.drawable.Drawable
2021-08-09 10:29:52.002 21882-21910/com.darvin.security V/DetectFrida: Executable Section Manipulated, maybe due to Frida or other hooking framework.Act Now!!!
2021-08-09 10:29:52.004 21882-21910/com.darvin.security V/DetectFrida: Executable Section Manipulated, maybe due to Frida or other hooking framework.Act Now!!!
2021-08-09 10:29:52.004 21882-21910/com.darvin.security V/DetectFrida: Executable Section Manipulated, maybe due to Frida or other hooking framework.Act Now!!!
2021-08-09 10:29:52.007 21882-21910/com.darvin.security V/DetectFrida: Executable Section Manipulated, maybe due to Frida or other hooking framework.Act Now!!!
2021-08-09 10:29:52.007 21882-21910/com.darvin.security V/DetectFrida: Executable Section Manipulated, maybe due to Frida or other hooking framework.Act Now!!!
2021-08-09 10:29:52.009 21882-21910/com.darvin.security V/DetectFrida: Executable Section Manipulated, maybe due to Frida or other hooking framework.Act Now!!!
2021-08-09 10:29:52.009 21882-21910/com.darvin.security V/DetectFrida: Executable Section Manipulated, maybe due to Frida or other hooking framework.Act Now!!!
2021-08-09 10:29:52.012 21882-21910/com.darvin.security V/DetectFrida: Executable Section Manipulated, maybe due to Frida or other hooking framework.Act Now!!!
2021-08-09 10:29:52.012 21882-21910/com.darvin.security V/DetectFrida: Executable Section Manipulated, maybe due to Frida or other hooking framework.Act Now!!!

    --------- beginning of crash
2021-08-09 10:29:52.015 21882-21910/com.darvin.security A/libc: Fatal signal 11 (SIGSEGV), code 2, fault addr 0x77756df000 in tid 21910 (darvin.security)
2021-08-09 10:29:52.086 21911-21911/? A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
2021-08-09 10:29:52.086 21911-21911/? A/DEBUG: Build fingerprint: 'samsung/zerofltexx/zeroflte:7.0/NRD90M/G920FXXU6ERC9:user/release-keys'
2021-08-09 10:29:52.086 21911-21911/? A/DEBUG: Revision: '11'
2021-08-09 10:29:52.086 21911-21911/? A/DEBUG: ABI: 'arm64'
2021-08-09 10:29:52.086 21911-21911/? A/DEBUG: pid: 21882, tid: 21910, name: darvin.security  >>> com.darvin.security <<<
2021-08-09 10:29:52.086 21911-21911/? A/DEBUG: signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x77756df000
2021-08-09 10:29:52.087 21911-21911/? A/DEBUG:     x0   0000000000000066  x1   00000077758a6d26  x2   0000000000000000  x3   0000000000000045
2021-08-09 10:29:52.087 21911-21911/? A/DEBUG:     x4   0000000000000021  x5   0000000080000000  x6   0000007777bf8000  x7   0000000000000000
2021-08-09 10:29:52.087 21911-21911/? A/DEBUG:     x8   00000077756df000  x9   00000077756df001  x10  0000000000000001  x11  0101010101010101
2021-08-09 10:29:52.087 21911-21911/? A/DEBUG:     x12  0000000000000018  x13  0000000000000000  x14  0000000000000000  x15  0000be32a28cdb30
2021-08-09 10:29:52.087 21911-21911/? A/DEBUG:     x16  00000077758aca18  x17  0000007775642348  x18  00000000ffffffff  x19  00000077725d6450
2021-08-09 10:29:52.087 21911-21911/? A/DEBUG:     x20  00000077725d64d0  x21  000000000000557a  x22  00000077727accd8  x23  0000000000000000
2021-08-09 10:29:52.087 21911-21911/? A/DEBUG:     x24  00000077725d64d0  x25  00000000000fd000  x26  136bbfcc69b2628a  x27  0000000000000058
2021-08-09 10:29:52.087 21911-21911/? A/DEBUG:     x28  0000000000000000  x29  00000077725d63d0  x30  00000077727adce0
2021-08-09 10:29:52.087 21911-21911/? A/DEBUG:     sp   00000077725d5680  pc   00000077727adc84  pstate 0000000080000000
2021-08-09 10:29:52.087 21911-21911/? A/DEBUG: backtrace:
2021-08-09 10:29:52.087 21911-21911/? A/DEBUG:     #00 pc 0000000000002c84  /data/app/com.darvin.security-1/lib/arm64/libnative-lib.so
2021-08-09 10:29:52.087 21911-21911/? A/DEBUG:     #01 pc 0000000000043258  /system/lib64/libc.so (offset 0x25000)
2021-08-09 10:29:52.560 4469-4469/? D/io_stats: !@   8,0 r 338811 14041444 w 82521 3094788 d 8049 1855040 f 32596 32583 iot 153920 115862 th 61440 0 0 pt 0 inp 0 0 6125.803
2021-08-09 10:29:52.631 3753-21921/? W/ActivityManager:   Force finishing activity com.darvin.security/.MainActivity

I have two Samsung Galaxy S6 devices, 1 rooted and 1 stock. The above crash only happens on the rooted S6.

Apologies if this is the wrong thread to reply on; I can create a new issue if needed.

darvincisec commented 2 years ago

It is not an intentional crash. It could be related to accessing invalid memory. Can you confirm that no other hooking frameworks are attached to the app?

patuoynageek commented 2 years ago

I retested it

Looks like it won't crash on a rooted phone when the frida server is running or hooking other apps, BUT when this library's application is hooked for the first time, it will crash:

nageek@Nageeks-MacBook-Pro Downloads % frida-trace -U -i open "My Application"
Instrumenting...                                                        
open: Loaded handler at "/Users/nageek/Downloads/__handlers__/libc.so/open.js"
Started tracing 1 function. Press Ctrl+C to stop.                       
           /* TID 0x660b */
  2560 ms  open(path="/proc/self/task", oflag=0x84000)
  2567 ms  open(path="/proc/self/fd", oflag=0x84000)
Process crashed: Bad access due to protection failure

***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/zerofltexx/zeroflte:7.0/NRD90M/G920FXXU6ERC9:user/release-keys'
Revision: '11'
ABI: 'arm64'
pid: 26078, tid: 26123, name: e.myapplication  >>> com.example.myapplication <<<
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x74e466b000
    x0   0000000000000000  x1   000000000000660b  x2   000000000000000b  x3   00000074dff14420
    x4   8080800000008000  x5   0080000000808080  x6   0080000000808080  x7   0000000000000000
    x8   00000000000000f0  x9   ca6e04009ab490ca  x10  ffffffffffffffff  x11  0000000000000000
    x12  0000000000000008  x13  0000000000000000  x14  0000000000000000  x15  0026e60d3c28de3e
    x16  00000074dff13400  x17  00000074dff132cf  x18  00000000ffffffff  x19  000000000000000b
    x20  00000074dff14420  x21  000000000000660b  x22  000000000000004c  x23  00000074dff164f8
    x24  00000074dff14420  x25  0000000000000000  x26  0000000000000001  x27  00000074e13fc720
    x28  0000000000000000  x29  00000074dff140f0  x30  00000074e5d90218
    sp   00000074dff13ff0  pc   00000074e5ded900  pstate 0000000000000000

backtrace:
    #00 pc 0000000000064900  /system/bin/linker64 (__dl_syscall+32)
    #01 pc 0000000000007214  /system/bin/linker64 (__dl__ZL24debuggerd_signal_handleriP7siginfoPv+1116)
    #02 pc 000000000000c6c4  /system/bin/app_process64 (InvokeUserSignalHandler+300)
    #03 pc 00000000001ae370  /system/lib64/libart.so (_ZN3art12FaultManager11HandleFaultEiP7siginfoPv+360)
    #04 pc 00000000002a74a0  /data/local/tmp/re.frida.server/frida-agent-64.so
***

Once the above has caused the crash once, subsequent app launches will crash even if I have ended the tracing.