vvb2060 / XposedDetector


[INFO] How to bypass xposeddetector? #3

Open ghost opened 3 years ago

ghost commented 3 years ago

While I was developing a test module for Xposed (EdXposed), I found an app which uses XposedDetector to clear my hooks. I opened an issue on https://github.com/LSPosed/LSPosed/issues/269 and https://github.com/ElderDrivers/EdXposed/issues/841 because I didn't think there was such a possibility, and the same algorithm with frida was working. Thanks to the suggestion of @yujincheng08 https://github.com/LSPosed/LSPosed/issues/269#issuecomment-791298500 I discovered the existence of this detector. The hook clearing can't be bypassed with native hooks, because the clearing is done inside System.loadLibrary, so without loading the native methods it doesn't work. I found a partial solution: patch the shared library so Xposed is not detected and the hooks are not cleared.

sed -i 's/<partial string in fill_de_robv_android_xposed_XposedBridge>/xxxxxxx/' libdetector.so

Maybe it can be done with memory patching without editing the shared library, but that is beyond my abilities.

yujincheng08 commented 3 years ago

I don't think you will get solutions here.

vvb2060 commented 3 years ago

You should try it yourself, we have introduced native hooks.

ghost commented 3 years ago

@vvb2060 with native hooks I can't override internal functions of the shared library; when loadLibrary is called all hooks are lost. I got an idea while writing this: I can hook loadLibrary and set my hooks afterwards. I don't know if it works, I will try.

@yujincheng08 I already have a solution; it's not elegant but it works. My issue is not a question, just a share of my idea.

ghost commented 3 years ago

@vvb2060 I tested the hook after loadLibrary and it works with LSPosed but not with EdXposed.

Class<?> s = XposedHelpers.findClass("java.lang.System", classLoader);
XposedHelpers.findAndHookMethod(s, "loadLibrary", String.class, new XC_MethodReplacement() {
    @Override
    protected Object replaceHookedMethod(MethodHookParam param) throws Throwable
    {
        logV("Before load library " + param.args[0].toString());
        Class<?> run = XposedHelpers.findClass("java.lang.Runtime", classLoader);
        Method m2 = run.getDeclaredMethod("loadLibrary0", ClassLoader.class, String.class);
        m2.setAccessible(true);
        m2.invoke(Runtime.getRuntime(), classLoader, param.args[0].toString());
        logV("Loaded");

        Class<?> b = XposedHelpers.findClass("io.github.vvb2060.xposeddetector.MainActivity", classLoader);
        if(b!=null)
        {
            logV("Try Hook after load");
            XC_MethodHook.Unhook un = XposedHelpers.findAndHookMethod(b, "onPause", new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable
                {
                    logV("Hook method onPause after load library");
                }
            });
            logV("HookL " + un.toString());
        }
        return null;
    }
});

Here is the result:

03-13 05:24:11.274  4298  4298 V XIntentLog: Before load library vvb2060
03-13 05:24:11.276  4298  4298 V XIntentLog: Loaded
03-13 05:24:11.276  4298  4298 V XIntentLog: Try Hook after load
03-13 05:24:11.299  4298  4298 V XIntentLog: HookL de.robv.android.xposed.XC_MethodHook$Unhook@1eb2edd
03-13 05:24:17.458  4298  4298 V XIntentLog: Hook method onPause after load library
03-13 05:24:17.458  4298  4298 I XposedDetector: onPause
03-13 05:24:22.946  4298  4298 V XIntentLog: Hook method onPause after load library
03-13 05:24:22.946  4298  4298 I XposedDetector: onPause
03-13 05:24:30.029  4298  4298 V XIntentLog: Hook method onPause after load library
03-13 05:24:30.029  4298  4298 I XposedDetector: onPause

I don't know why it doesn't work with EdXposed; maybe the xposeddetector module doesn't clear everything correctly with LSPosed, so I can hook after loadLibrary. This was just for fun; maybe it will be useful for someone.

ghost commented 3 years ago

> You should try it yourself, we have introduced native hooks.

After a month I developed my first module with native hooks. I started from LSPosed/XposedUnitTest and removed the dependency on dobby from CMakeLists.txt:

add_library(check_and_bypass SHARED main.cpp)
find_library(log-lib log)
target_link_libraries(check_and_bypass ${log-lib})

Here is the code:

#include <jni.h>
#include <cstring>
#include <dlfcn.h>
#include "native_api.h"

HookFunType hook_func = nullptr;

jclass (*orig_FindClass)(JNIEnv *env, const char *name);
jclass fake_FindClass(JNIEnv *env, const char *name)
{
    if(!strcmp(name, "dalvik/system/BaseDexClassLoader"))
        return nullptr;
    return orig_FindClass(env, name);
}

jint (*orig_JNI_OnLoad)(JavaVM *jvm, jobject x);
jint fake_JNI_OnLoad(JavaVM *jvm, jobject x)
{
    JNIEnv *env = nullptr;
    jvm->GetEnv(reinterpret_cast<void **>(&env), JNI_VERSION_1_6);
    if(env!=nullptr)
        hook_func((void *)env->functions->FindClass, (void *)fake_FindClass, (void **)&orig_FindClass);
    return orig_JNI_OnLoad(jvm, x);
}

void on_library_loaded(const char* name, void* handle)
{
    void *jnionload = dlsym(handle, "JNI_OnLoad");
    if(jnionload != nullptr)
        hook_func(jnionload, (void *)fake_JNI_OnLoad, (void **)&orig_JNI_OnLoad);
}

extern "C" __attribute__((visibility("default"))) void native_init(void* init)
{
    auto lsp_init = reinterpret_cast<LSPInit>(init);
    auto apis = lsp_init(on_library_loaded);
    hook_func = apis.inlineHookFunc;
}

Hook FindClass and return nullptr for BaseDexClassLoader, so Xposed is not detected. I tried it on my app which uses your module and it works; I tried it on a real app which uses your module and other checks, and it detects the injected .so and returns JNI_ERR on load. I removed all native hooks and it returns JNI_ERR. I'm analyzing whether I can hook some functions; for now my first method is better than native hooks: pure Java and no detection of the .so.

yujincheng08 commented 3 years ago

Actually, you can replace env->FindClass by simply env->functions->FindClass = &fake_FindClass;.