DetectFrida
This project has 3 ways to detect Frida hooking:
- Detect through the named pipes used by Frida
- Detect through Frida-specific thread names
- Compare the text section in memory with the text section on disk, for both libc and the native library
More details can be found in my blog -> DetectFrida
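The third mechanism, the memory-versus-disk comparison of executable code, is the one that does not depend on any Frida signature (see also the note under Updates that it checks the PLT and TEXT sections). The following is an added example written for this README, not code from the DetectFrida project: it walks `/proc/self/maps`, and for every executable (`r-x`) mapping that belongs to a given file it reads the same range from the file on disk and compares the bytes. It assumes a Linux `/proc` filesystem and an ELF object without text relocations (the normal case on arm64, armv7a and x86_64, where executable segments are never patched by the dynamic loader); the function and result names are mine.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* for pread() on older toolchains */
#endif
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Result codes of the comparison (names chosen for this example). */
enum { TEXT_MATCH = 0, TEXT_MODIFIED = 1, TEXT_ERROR = -1 };

/*
 * Compare every executable (r-x) mapping of the file `path` with the bytes at
 * the same file offset on disk. Executable segments carry no runtime
 * relocations, so memory and disk must agree unless something patched the
 * code after it was loaded (inline hooks, trampolines). Returns TEXT_MATCH,
 * TEXT_MODIFIED, or TEXT_ERROR if the file or its mappings cannot be read.
 */
int compare_text_with_disk(const char *path)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps)
        return TEXT_ERROR;
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        fclose(maps);
        return TEXT_ERROR;
    }

    int result = TEXT_ERROR; /* upgraded to TEXT_MATCH once a segment was compared */
    char line[1024];
    while (fgets(line, sizeof line, maps)) {
        unsigned long start, end, offset;
        char perms[5];
        int consumed = 0;
        /* Line layout: start-end perms offset dev inode [path] */
        if (sscanf(line, "%lx-%lx %4s %lx %*s %*s%n",
                   &start, &end, perms, &offset, &consumed) != 4)
            continue;
        if (perms[2] != 'x')
            continue; /* only executable segments are of interest */

        const char *mapped = line + consumed;
        while (*mapped == ' ')
            mapped++;
        size_t len = strcspn(mapped, "\n");
        if (len != strlen(path) || strncmp(mapped, path, len) != 0)
            continue; /* belongs to another object ([vdso], other libraries, ...) */

        size_t size = end - start;
        unsigned char *disk = malloc(size);
        if (!disk) {
            result = TEXT_ERROR;
            break;
        }
        ssize_t n = pread(fd, disk, size, (off_t)offset);
        if (n <= 0) {
            free(disk);
            result = TEXT_ERROR;
            break;
        }
        /* Any tail of the last page beyond EOF is zero-filled by the kernel and
         * is not compared; every byte the file actually holds must match. */
        int same = memcmp((const void *)(uintptr_t)start, disk, (size_t)n) == 0;
        free(disk);
        if (!same) {
            result = TEXT_MODIFIED;
            break;
        }
        if (result == TEXT_ERROR)
            result = TEXT_MATCH;
    }
    close(fd);
    fclose(maps);
    return result;
}

/* Convenience check for the running executable itself. */
int self_text_intact(void)
{
    char exe[4096];
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n <= 0)
        return TEXT_ERROR;
    exe[n] = '\0';
    return compare_text_with_disk(exe);
}

int main(void)
{
    int r = self_text_intact();
    printf("executable code of this process: %s\n",
           r == TEXT_MATCH ? "matches disk" :
           r == TEXT_MODIFIED ? "MODIFIED in memory" : "could not be checked");
    return r == TEXT_MATCH ? 0 : 1;
}
```

In an Android app the same function would be called with the path of the native library and of libc (taken from `/proc/self/maps`). Comparing only executable mappings is what keeps the check free of false positives: writable data segments and the GOT legitimately differ from disk after relocation, and the crash noted under Updates for API 29 is avoided by skipping any mapping that is not readable.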
This project also has 3 mechanisms to harden the native code:
- Replace certain libc calls with direct syscalls
- Replace string and memory related operations with custom implementations
- Apply O-LLVM native obfuscation
More details can be found in my blog -> Hardening Native Code
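The first hardening item and the thread-name detection above fit together: a detection routine that itself calls `open`/`read`/`close` through libc can be silenced by hooking those libc wrappers, so the check should issue the syscalls directly. The block below is an added example for this README, not the project's code: it enumerates `/proc/self/task` and reads each thread's `comm` entry using raw `syscall()` invocations only, and reports whether a thread with a given name exists. It assumes Linux on x86_64 or arm64 (where `openat`, `read`, `close` and `getdents64` exist with these names), and the struct copy of the kernel's `linux_dirent64` layout, the thread name used for the demonstration and all function names are mine.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* syscall() declaration */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Copy of the kernel's linux_dirent64 layout, which is a stable ABI. */
struct linux_dirent64_raw {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Raw syscalls: a hook placed on the libc wrappers (PLT or inline) never sees
 * these. A hook on the syscall instruction itself or in the kernel still would. */
static long raw_openat(const char *path) { return syscall(SYS_openat, AT_FDCWD, path, O_RDONLY); }
static long raw_read(int fd, void *buf, size_t n) { return syscall(SYS_read, fd, buf, n); }
static long raw_close(int fd) { return syscall(SYS_close, fd); }
static long raw_getdents64(int fd, void *buf, size_t n) { return syscall(SYS_getdents64, fd, buf, n); }

/* Read /proc/self/task/<tid>/comm into `out` (newline stripped). Returns 0 on success. */
static int read_thread_name(const char *tid, char *out, size_t out_len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/task/%s/comm", tid);
    long fd = raw_openat(path);
    if (fd < 0)
        return -1;
    long n = raw_read((int)fd, out, out_len - 1);
    raw_close((int)fd);
    if (n < 0)
        return -1;
    out[n] = '\0';
    char *nl = strchr(out, '\n');
    if (nl)
        *nl = '\0';
    return 0;
}

/* Returns 1 if some thread of this process is named exactly `needle`,
 * 0 if none is, -1 if /proc/self/task could not be read. */
int thread_with_name_present(const char *needle)
{
    long dir = raw_openat("/proc/self/task");
    if (dir < 0)
        return -1;
    char buf[4096];
    int found = 0;
    while (!found) {
        long n = raw_getdents64((int)dir, buf, sizeof buf);
        if (n < 0) {
            raw_close((int)dir);
            return -1;
        }
        if (n == 0)
            break; /* directory exhausted */
        for (long pos = 0; pos < n && !found;) {
            struct linux_dirent64_raw *d = (struct linux_dirent64_raw *)(buf + pos);
            pos += d->d_reclen;
            if (d->d_name[0] == '.')
                continue; /* skip "." and ".." */
            char name[32];
            if (read_thread_name(d->d_name, name, sizeof name) == 0 && strcmp(name, needle) == 0)
                found = 1;
        }
    }
    raw_close((int)dir);
    return found;
}

/* Demonstration helper: rename the calling thread (the kernel keeps 15 chars). */
int set_current_thread_name(const char *name)
{
    return prctl(PR_SET_NAME, name, 0, 0, 0);
}

int main(void)
{
    set_current_thread_name("demo-thread-nm"); /* constructed name for the demo */
    printf("demo-thread-nm present: %d\n", thread_with_name_present("demo-thread-nm"));
    printf("no-such-thread present: %d\n", thread_with_name_present("no-such-thread"));
    return 0;
}
```

The same raw-syscall pattern applies to the named-pipe check (listing `/proc/self/fd` and reading each link) and to the file reads of the memory-versus-disk comparison. The `strcmp`/`strchr`/`snprintf` calls left in the block are what the project's second hardening item replaces with custom implementations, so that a hook on the string routines cannot alter the comparison either.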
The arm64, armv7a and x86_64 architectures are supported in this project. The hardened APK is provided for interested reverse engineers to analyze.
Updates
- Re-aligned functions
- Fixed scanning of executable sections so that a section is only scanned if it is also readable, avoiding crashes when the app targets API 29
- Stripped the comment section of the native library to prevent APKiD from detecting that the O-LLVM obfuscator is used
- Updated Target API to 30
- Updated Obfuscator-LLVM to OLLVM-TLL
- Fixed false positives found on Android 10 and Android 11. The memdisk compare now checks the PLT and TEXT sections of libc and the native library correctly
- The memdisk comparison approach is Frida agnostic, hence Frida-specific signature changes do not bypass this detection mechanism
Note
Henceforth, please don't raise issues asking for an OLLVM binary for Windows. PRs are welcome.