From d0c436718094f475b88ab7976df8d9025f716d7e Mon Sep 17 00:00:00 2001 From: mahongyin <1976222027@qq.com> Date: Wed, 3 Mar 2021 18:02:36 +0800 Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B0=E4=BB=A3=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 481 +++++++++++++++++- apisecurity/src/main/AndroidManifest.xml | 12 +- .../java/cn/android/security/APISecurity.java | 112 ++-- .../java/cn/android/security/AppSigning.java | 54 +- .../cn/android/security/InitProvider.java | 115 +++++ app/src/main/AndroidManifest.xml | 2 +- app/src/main/cpp/apisecurity-lib.cpp | 137 +++-- .../cn/android/sample/HookApplication.java | 118 ----- .../java/cn/android/sample/MainActivity.java | 4 +- .../java/cn/android/sample/MyApplication.java | 229 +++++++++ .../drawable-v24/ic_launcher_foreground.xml | 34 -- .../res/mipmap-anydpi-v26/ic_launcher.xml | 5 - .../mipmap-anydpi-v26/ic_launcher_round.xml | 5 - app/src/main/res/mipmap-hdpi/ic_launcher.png | Bin 2963 -> 0 bytes .../res/mipmap-hdpi/ic_launcher_round.png | Bin 4905 -> 0 bytes app/src/main/res/mipmap-mdpi/ic_launcher.png | Bin 2060 -> 0 bytes .../res/mipmap-mdpi/ic_launcher_round.png | Bin 2783 -> 0 bytes .../main/res/mipmap-xxhdpi/ic_launcher.png | Bin 6387 -> 0 bytes .../res/mipmap-xxhdpi/ic_launcher_round.png | Bin 10413 -> 0 bytes .../main/res/mipmap-xxxhdpi/ic_launcher.png | Bin 9128 -> 0 bytes .../res/mipmap-xxxhdpi/ic_launcher_round.png | Bin 15132 -> 0 bytes jni属性签名.jpg | Bin 0 -> 7540 bytes 22 files changed, 1040 insertions(+), 268 deletions(-) create mode 100644 apisecurity/src/main/java/cn/android/security/InitProvider.java delete mode 100644 app/src/main/java/cn/android/sample/HookApplication.java create mode 100644 app/src/main/java/cn/android/sample/MyApplication.java delete mode 100644 app/src/main/res/drawable-v24/ic_launcher_foreground.xml delete mode 100644 app/src/main/res/mipmap-anydpi-v26/ic_launcher.xml delete mode 100644 app/src/main/res/mipmap-anydpi-v26/ic_launcher_round.xml delete mode 100644 app/src/main/res/mipmap-hdpi/ic_launcher.png delete mode 100644 app/src/main/res/mipmap-hdpi/ic_launcher_round.png delete mode 100644 app/src/main/res/mipmap-mdpi/ic_launcher.png delete mode 100644 app/src/main/res/mipmap-mdpi/ic_launcher_round.png delete mode 100644 app/src/main/res/mipmap-xxhdpi/ic_launcher.png delete mode 100644 app/src/main/res/mipmap-xxhdpi/ic_launcher_round.png delete mode 100644 app/src/main/res/mipmap-xxxhdpi/ic_launcher.png delete mode 100644 app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png create mode 100644 jni属性签名.jpg diff --git a/README.md b/README.md index 96e7b7f..46a4da1 100644 --- a/README.md +++ b/README.md @@ -62,4 +62,483 @@ Android API Security(.so),安卓APP/API安全加密so库,防二次打包, APISecurity.init(this)//验证三步走 1.验证签名是否符合自己预设 2.验证包名 - 3验证apk源文件签名信息 \ No newline at end of file + 3验证apk源文件签名信息 + + + +![jni属性签名](jni属性签名.jpg) +过以下命令就可以拿到指定类的所有属性、方法的签名了,很方便有木有?! +javap -s -p 完整类名 +descriptor就是我们需要的签名了,注意签名中末尾的分号不能省略 +方法签名的规律就是,括号不可以省略: +(参数类型签名)返回值类型签名 +C/C++访问Java的属性、方法 +有以下几种情况: + +访问Java类的非静态属性。 + +访问Java类的静态属性。 + +访问Java类的非静态方法。 + +访问Java类的静态方法。 + +间接访问Java类的父类的方法。 + +访问Java类的构造方法。 + +一、访问Java的非静态属性 +Java方法中,通过调用accessField,利用C修改静态属性 + +public String str = "Li lu"; + +//访问非静态属性str,修改它的值 +public native void accessField(); +C代码如下:(头文件可以不写,直接写实现) + +JNIEXPORT void JNICALL Java_com_test_JniTest_accessField +(JNIEnv * env, jobject jobj){ + + //通过对象拿到Class + jclass clz = (*env)->GetObjectClass(env, jobj); + //拿到对应属性的ID + jfieldID fid = (*env)->GetFieldID(env, clz, "str", "Ljava/lang/String;"); + //通过属性ID拿到属性的值 + jstring jstr = (*env)->GetObjectField(env, jobj, fid); + + //通过Java字符串拿到C字符串,第三个参数是一个出参,用来告诉我们GetStringUTFChars内部是否复制了一份字符串 + //如果没有复制,那么出参为isCopy,这时候就不能修改字符串的值了,因为Java中常量池中的字符串是不允许修改的(但是jstr可以指向另外一个字符串) + char* cstr = (*env)->GetStringUTFChars(env, jstr, NULL); + //在C层修改这个属性的值 + char res[20] = "I love you : "; + strcat(res, cstr); + + //重新生成Java的字符串,并且设置给对应的属性 + jstring jstr_new = (*env)->NewStringUTF(env, res); + (*env)->SetObjectField(env, jobj, fid, jstr_new); + + //最后释放资源,通知垃圾回收器来回收 + //良好的习惯就是,每次GetStringUTFChars,结束的时候都有一个ReleaseStringUTFChars与之呼应 + (*env)->ReleaseStringUTFChars(env, jstr, cstr); +} +最后在Java中测试: + +public static void main(String[] args) { + + JniTest test = new JniTest(); + System.out.println(test.str); + //修改非静态属性str + test.accessField(); + System.out.println(test.str); + +} +二、访问Java的静态属性 +Java代码如下: + +//访问静态属性NUM,修改它的值 +public static int NUM = 1; + +public native void accessStaticField(); +C代码如下: + +JNIEXPORT void JNICALL Java_com_test_JniTest_accessStaticField +(JNIEnv * env, jobject jobj){ + //与上面类似,只不过是某些方法需要加上Static + jclass clz = (*env)->GetObjectClass(env, jobj); + jfieldID fid = (*env)->GetStaticFieldID(env, clz, "NUM", "I"); + jint jInt = (*env)->GetStaticIntField(env, clz, fid); + jInt++; + (*env)->SetStaticIntField(env, clz, fid, jInt); +} +最后在Java中测试: + +public static void main(String[] args) { + + JniTest test = new JniTest(); + System.out.println(NUM); + test.accessStaticField(); + System.out.println(NUM); + +} +三、访问Java的非静态方法 +Java代码如下,通过调用accessMethod,在底层用C语言调用genRandomInt方法 + +//产生指定范围的随机数 +public int genRandomInt(int max){ + System.out.println("genRandomInt 执行了...max = "+ max); + return new Random().nextInt(max); +} + +public native void accessMethod(); +C代码如下: + +JNIEXPORT void JNICALL Java_com_test_JniTest_accessMethod +(JNIEnv * env, jobject jobj){ + jclass clz = (*env)->GetObjectClass(env, jobj); + //拿到方法的ID,最后一个参数是方法的签名 + jmethodID mid = (*env)->GetMethodID(env, clz, "genRandomInt", "(I)I"); + //调用该方法,最后一个是可变参数,就是调用该方法所传入的参数 + //套路是如果返回是:Call返回类型Method + jint jInt = (*env)->CallIntMethod(env, jobj, mid, 100); + printf("output from C : %d", jInt); +} +最后在Java中测试: + +public static void main(String[] args) { + + JniTest test = new JniTest(); + test.accessMethod(); + +} +四、访问Java的静态方法 +Java代码如下,通过调用accessStaticMethod,在底层用C语言调用getUUID方法 + +public native void accessStaticMethod(); + +//产生UUID字符串 +public static String getUUID(){ + System.out.println("getUUID 执行了..."); + return UUID.randomUUID().toString(); +} +C代码如下: + +JNIEXPORT void JNICALL Java_com_test_JniTest_accessStaticMethod +(JNIEnv * env, jobject jobj){ + jclass clz = (*env)->GetObjectClass(env, jobj); + jmethodID mid = (*env)->GetStaticMethodID(env, clz, "getUUID", "()Ljava/lang/String;"); + + //调用java的静态方法,拿到返回值 + jstring jstr = (*env)->CallStaticObjectMethod(env, clz, mid); + + //把拿到的Java字符串转换为C的字符串 + char* cstr= (*env)->GetStringUTFChars(env, jstr, NULL); + + //后续操作,产生以UUID为文件名的文件 + char fielName[100]; + sprintf(fielName, "D:\\%s.txt", cstr); + FILE* f = fopen(fielName, "w"); + fputs(cstr, f); + fclose(f); + + printf("output from C : File had saved", jstr); +} +最后在Java中测试: + +public static void main(String[] args) { + + JniTest test = new JniTest(); + test.accessStaticMethod(); + +} +五、间接访问Java类的父类的方法 +Java代码如下: + +父类: + +package com.test; + +public class Human { + protected void speek() { + System.out.println("Human Speek"); + } +} +子类: + +package com.test; + +public class Man extends Human { + @Override + protected void speek() { + // 可以通过super关键字来访问父类的方法 + // super.speek(); + System.out.println("Man Speek"); + } +} +在TestJni类中有Human属性: + +//父类的引用指向子类的对象 +Human man= new Man(); + +public native void accessNonvirtualMethod(); +如果是直接使用man.speek()的话,访问的是子类Man的方法 +但是通过底层C的方式可以间接访问到父类Human的方法,跳过子类的实现,甚至你可以直接哪个父类(如果父类有多个的话),这是Java做不到的。 + +下面是C代码实现,无非就是属性和方法的访问: + +JNIEXPORT void JNICALL Java_com_test_JniTest_accessNonvirtualMethod +(JNIEnv * env, jobject jobj){ + //先拿到属性man + jclass clz=(*env)->GetObjectClass(env, jobj); + jfieldID fid = (*env)->GetFieldID(env, clz, "man", "Lcom/test/Human;"); + jobject man = (*env)->GetObjectField(env, jobj, fid); + + //拿到父类的类,以及speek的方法id + jclass clz_human = (*env)->FindClass(env, "com/test/Human"); + jmethodID mid = (*env)->GetMethodID(env, clz_human, "speek", "()V"); + + //调用自己的speek实现 + (*env)->CallVoidMethod(env, man, mid); + //调用父类的speek实现 + (*env)->CallNonvirtualVoidMethod(env, man, clz_human, mid); +} +当有这个类的对象的时候,使用(*env)->GetObjectClass(),相当于Java中的test.getClass() + +当有没有这个类的对象的时候,(*env)->FindClass(),相当于Java中的Class.forName("com.test.TestJni") + +这里直接使用CallVoidMethod,虽然传进去的是父类的Method ID,但是访问的让然是子类的实现。 + +最后,通过CallNonvirtualVoidMethod,访问不覆盖的父类方法(C++使用virtual关键字来覆盖父类的实现),当然你也可以指定哪个父类(如果有多个父类的话)。 + +最后在Java中测试: + +public static void main(String[] args) { + + JniTest test = new JniTest(); + //这时候是调用子类Man的方法 + test.man.speek(); + //但是通过JNI的方式,可以访问到父类的speek方法 + test.accessNonvirtualMethod(); + +} +六、访问Java类的构造方法 +Java代码如下,通过调用accessConstructor,在底层用C语言调用java.util.Date产生一个当前的时间戳,并且返回。 + +//调用Date的构造函数 +public native long accessConstructor(); +C代码如下: + +JNIEXPORT jlong JNICALL Java_com_test_JniTest_accessConstructor +(JNIEnv * env, jobject jobj){ + + jclass clz_date = (*env)->FindClass(env, "java/util/Date"); + //构造方法的函数名的格式是: + //不能写类名,因为构造方法函数名都一样区分不了,只能通过参数列表(签名)区分 + jmethodID mid_Date = (*env)->GetMethodID(env, clz_date, "", "()V");; + + //调用构造函数 + jobject date = (*env)->NewObject(env, clz_date, mid_Date); + + //注意签名,返回值long的属性签名是J + jmethodID mid_getTime= (*env)->GetMethodID(env, clz_date, "getTime", "()J"); + //调用getTime方法 + jlong jtime = (*env)->CallLongMethod(env, date, mid_getTime); + + return jtime; +} +最后在Java中测试: + +public static void main(String[] args) { + + JniTest test = new JniTest(); + //直接在Java中构造Date然后调用getTime + Date date = new Date(); + System.out.println(date.getTime()); + //通过C语音构造Date然后调用getTime + long time = test.accessConstructor(); + System.out.println(time); + +} +总结 +属性、方法的访问的使用是和Java的反射API类似的。 + +综合进阶案例——JNI返回中文乱码问题 +测试乱码问题: + +public native void testChineseIn(String chinese);//传进去 +public native String testChineseOut();//取出来会乱码 + +public static void main(String[] args) { + + //传中文进去,然后转为C字符串,直接在C层输出是没有问题的 + JniTest test = new JniTest(); + test.testChineseIn("我爱你"); + //C层将C字符串转换为JavaString然后输出,就会乱码 + System.out.println(test.testChineseOut()); + +} +C代码如下: + +JNIEXPORT void JNICALL Java_com_test_JniTest_testChineseIn +(JNIEnv * env, jobject jobj, jstring chinese){ + + char* c_chinese = (*env)->GetStringUTFChars(env, chinese, NULL); + printf("%s", c_chinese); +} + +JNIEXPORT jstring JNICALL Java_com_test_JniTest_testChineseOut +(JNIEnv * env, jobject jobj){ + + char* c_str = "我爱你"; + jstring j_str = (*env)->NewStringUTF(env, c_str); + return j_str; +} +结果输出,其中第一条是C返回的乱码,第二条是传进去在C层打印的结果: + +ÎҰ®Ä +我爱你 +可以看到C执行的速度要比Java快。 +原因分析,调用NewStringUTF的时候,产生的是UTF-16的字符串,但是我们需要的时候UTF-8字符串。 +解决办法,通过Java的String类的构造方法来进行字符集变换。 + +JNIEXPORT jstring JNICALL Java_com_test_JniTest_testChineseOut +(JNIEnv * env, jobject jobj){ + + //需要返回的字符串 + char* c_str = "我爱你"; + //jstring j_str = (*env)->NewStringUTF(env, c_str); + + //通过调用构造方法String string = new String(byte[], charsetName);来解决乱码问题 + + //0.找到String类 + jclass clz_String = (*env)->FindClass(env, "java/lang/String"); + jmethodID mid = (*env)->GetMethodID(env, clz_String, "", "([BLjava/lang/String;)V"); + + //准备new String的参数:byte数组以及字符集 + //1.创建字节数组,并且将C的字符串拷贝进去 + jbyteArray j_byteArray = (*env)->NewByteArray(env, strlen(c_str)); + (*env)->SetByteArrayRegion(env, j_byteArray, 0, strlen(c_str), c_str); + //2.创建字符集的参数,这里用Windows的more字符集GB2312 + jstring charsetName = (*env)->NewStringUTF(env, "GB2312"); + + //调用 + jstring j_new_str = (*env)->NewObject(env, clz_String, mid, j_byteArray, charsetName); + return j_new_str; + +} +原文链接:http://www.apkbus.com/blog-0-65619.html + + + + +SystemProperties.getInt("ro.build.version.sdk", 0); +Build.VERSION.SDK_INT > Build.VERSION_CODES.Q +###C++代码取Android系统版本号: +``` +#include +#include + +#include + +// 日志打印 +#include +#define LOG_TAG "TAG_LOG" +#define LOGI(...) __android_log_print(ANDROID_LOG_INFO, LOG_TAG, __VA_ARGS__) + +versionI() { + // 1. 获取 SDK 版本号 , 存储于 C 字符串 sdk_verison_str 中 + char sdk[128] = "0"; + + // 获取版本号方法 + __system_property_get("ro.build.version.sdk", sdk); + + //将版本号转为 int 值 + int sdk_verison = atoi(sdk); +} + + # begin build properties (开始设置系统性能) + # autogenerated (通过设置形成系统信息) + ro.=GRI40 (版本ID) + ro.build.=GRJ22 (版本号) + ro.build.version.incremental=eng.buildbot.20110619.060228 (版本增量) + ro.build.version.sdk=10 (sdk版本) + ro.build.version.codename=REL (版本代号) + ro.build.version.release=2.3.4 (Android 2.3.4系统) + ro.build.date=Sun Jun 19 06:02:58 UTC 2011 (制作者及制作时间) + ro.build.date.utc=0 + ro.build.type=user (编译模式,如user,userdebug,eng,test模式) + ro.build.user=buildbot (编译账户) + ro.build.host=bb1 (编译主机系统) + ro.build.tags=test-keys (编译标签) + ro.product.model=HTC Wildfire (HTC内部手机代号) + ro.product.brand=htc_wwe (手机品牌) + ro.product.name=htc_buzz (手机正式名称) + ro.product.device=buzz (采用的设备) + ro.product.board=buzz (采用的处理器) + ro.product.cpu.abi=armeabi-v6j (cpu的版本) + ro.product.cpu.abi2=armeabi (cpu的品牌) + ro.product.manufacturer=HTC (手机制造商) + ro.product.locale.language=zh (手机默认语言) + ro.product.locale.region=CN (地区语言) + ro.wifi.channels= (WIFI连接的渠道) + ro.board.platform=msm7k (主板平台) + # ro.build.product is obsolete; use ro.product.device (旧代码ro.build.product,使用代码ro.product.device) + ro.build.product=buzz (建立产品) + # Do not try to parse ro.build.description or .fingerprint (不要试图修改description和fingerprint) + ro.build.description=passion-user 2.3.3 GRI40 102588 release-keys (用户的KEY) + ro.build.fingerprint=google/passion/passion:2.3.3/GRI40/102588:user/release-keys (系统指纹) + # end build properties (性能代码完毕) + # + # system.prop for buzz (系统技术支持由BUZZ提供) + # + # Density in DPI of the LCD of this board. This is used to scale the UI (高密度的液晶的DPI板。这是用来大规模UI的) + # appropriately. If this property is not defined, the default value is 160 dpi. (appropriately.如果这个属性没有定义,缺省值是160 dpi的分辨率) + ro.sf.lcd_density=240 (显示屏分辨率,数值越大分辨率越底,240就是800*480的) + # View configuration for QVGA. (屏幕的设置) + view.fading_edge_length=8 + view.touch_slop=15 (触摸屏灵敏度,数值越大越灵敏) + view.minimum_fling_velocity=25 (滑动速度) + view.scroll_friction=0.008 (滑动误差) + # RIL specific configuration. (特定设置) + rild.libpath=/system/lib/libhtc_ + ro.ril.ecc.HTC-WWE=999 + ro.ril.ecc.HTC-ELL=92,93,94 + ro.ril.enable.a52.HTC-ITA=1 + ro.ril.enable.a53.HTC-ITA=1 + ro.ril.enable.a52=0 + ro.ril.enable.a53=1 + ro.ril.vmail.23415=1571,BT + ro.ril.hsdpa.category=8 (hsdpa全称High Speed Downlink Packet Access中文意思:高速下行分组接入,设置的数越大传输越快) + ro.ril.htcmaskw1.bitmask=429496 + ro.ril.htcmaskw1=14449 + ro.ril.def.agps.mode=2 (打开AGPS服务支持,可改为ro.ril.def.agps.mode=0 改后能省电但GPS定位速度会变慢) + ro.ril.gprsclass=12 (GPRS设置) + # For HSDPA low throughput (HSDPA低输量) + ro.ril.disable.power.collapse=1 (关闭电源) + # Modify MMS APN retry timer from 5s to 2s. (修改短信的APN设置5秒为2秒) + ro.gsm.2nd_data_retry_config=max_retries=3, 2000, 2000, 2000 + # Time between scans in seconds. Keep it high to minimize battery drain.(扫描在几秒之内,可降低用电量) + # This only affects the case in which there are remembered access points, (这个修改仅能影响此文件) + # but none are in range.(但是没有一项是在范围内的) + wifi.interface=eth0 (WIFI界面) + wifi.supplicant_scan_interval=45 (WIFI扫描间隔时间,这里设置是45秒。把这个时间设置长点能省电) + # Mobile data interfaces (移动数据的接口) + mobiledata.interfaces=rmnet0,rmnet1,rmnet2 + # Allow or deny tethering. (允许和拒绝绑定) + ro.tether.denied=false + # Default network type. (默认的网络类型) + # 0 => WCDMA Preferred. (0=WCDMA优先) + ro.telephony.default_network=0 + # Enable Google-specific location features, (谷歌特定地点的设置) + # like NetworkLocationProvider and LocationCollector.(如网络服务器提供商和服务器位置) + ro.c o m.google.locationfeatures=1 + # The OpenGL ES API level that is natively supported by this device. (开放式绘图介面) + # This is a 16.16 fixed point number. (界面有16个点,16个不动点数量) + ro.opengles.version=65536 (开放式绘图介面参数) + # Disable fs check on boot by default. (开机时默认禁用FS检查) + sys.checkfs.fat=false + # Performance settings. (性能设置) + dalvik.vm.execution-mode=int:jit + dalvik.vm.heapsize=24m (虚拟内存大小,可设置为16m或24m或32m或48m) + persist.sys.use_dithering=1 + persist.sys.purgeable_assets=1 + # Increase SKIA decode memory capability for progressive jpg file. + ro.media.dec.jpeg.memcap=20000000 + # + # ADDITIONAL_BUILD_PROPERTIES (其他性能设置) + no_require_sim=true (手机卡保护设置) + ro.rommanager.developerid=cyanogenmodnightly (固件管理器开发者是CM大神) + ro.url.legal=http://www./intl/%s/mobile/android/basic/phone-legal.html + ro.url.legal.android_privacy=http://www]/intl/%s/mobile/android/basic/privacy.html + ro. com.google.clientidbase=android-google (谷歌客户身份) + ro. com.android.wifi-watchlist=GoogleGuest (WIFI用户名单) + ro.setupwizard.enterprise_mode=1 (默认情景模式) + ro. com.android.dateformat=MM-dd-yyyy (默认时间格式,改为yyyy-MM-dd,显示效果就是XXXX年XX月XX日) + ro. com.android.dataroaming=false (漫游设置) + ro.config.ringtone=Playa.ogg (默认铃声设置,文件在/system/media/audio/ringtones 把喜欢的铃声放这里,比如123. MP3放入ringtones文件夹中,这里代码改为ro.config.ringtone=123. mp3) + ro.config.notification_sound=regulus.ogg (默认提示音,文件在/system/media/audio/notifications 修改方法同上) + ro.config.alarm_alert=Alarm_Beep_03.ogg (默认闹铃,文件在/system/media/audio/alarms 修改方法同上) + ro.modversion=CyanogenMod-7-06192011-NIGHTLY-buzz (版本信息,改这个能让你大名出现系统关于中,改为ro.modversion=xxxxx) + ro.setupwizard.mode=OPTIONAL (安装向导模式) + net. bt. name=Android (系统名称) + dalvik.vm.stack-trace-file=/data/anr/traces.txt +``` \ No newline at end of file diff --git a/apisecurity/src/main/AndroidManifest.xml b/apisecurity/src/main/AndroidManifest.xml index f9e4db6..1effb2e 100644 --- a/apisecurity/src/main/AndroidManifest.xml +++ b/apisecurity/src/main/AndroidManifest.xml @@ -1,4 +1,14 @@ + package="cn.android.security"> + + + + + diff --git a/apisecurity/src/main/java/cn/android/security/APISecurity.java b/apisecurity/src/main/java/cn/android/security/APISecurity.java index acda096..9fbaf8f 100644 --- a/apisecurity/src/main/java/cn/android/security/APISecurity.java +++ b/apisecurity/src/main/java/cn/android/security/APISecurity.java @@ -1,5 +1,6 @@ package cn.android.security; +import android.annotation.SuppressLint; import android.content.Context; import android.content.pm.ApplicationInfo; import android.content.pm.PackageInfo; @@ -21,6 +22,7 @@ import java.io.InputStream; import java.io.InputStreamReader; import java.lang.reflect.Constructor; import java.lang.reflect.Field; +import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -49,15 +51,15 @@ public class APISecurity { * 被Native调用的Java方法 */ public void javaMethod(String msg) { - Log.e("错误代码", msg); + Log.e("mhyLog错误代码", msg); // System.exit(1); } public static void verify(Context context) { - Log.e("mhyLog", "hash"+AppSigning.getSignatureHash(context)); - runCommand(); - Log.e("包路径文件签名", getApkSignatures(context, context.getPackageName())); - Log.e("已安装APP签名", getInstalledAPKSignature(context, context.getPackageName())); + Log.e("mhyLog", "hash:"+AppSigning.getSignatureHash(context)); + //runCommand(); + Log.e("mhyLog包文件签名", getApkSignatures(context,context.getPackageName())); + Log.e("mhyLog已安装签名", getInstalledAPKSignature(context, context.getPackageName())); //通过获取其他应用的签名 如果一样那么被hook了 } @@ -67,7 +69,7 @@ public class APISecurity { public static String getInstalledAPKSignature(Context context, String packageName) { PackageManager pm = context.getPackageManager(); try { - if (Build.VERSION.SDK_INT > Build.VERSION_CODES.P) { + if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) { PackageInfo appInfo = pm.getPackageInfo(packageName.trim(), PackageManager.GET_SIGNING_CERTIFICATES); if (appInfo == null || appInfo.signingInfo == null) return ""; @@ -86,47 +88,91 @@ public class APISecurity { /** 防破签名 2 * C调用Java 从源安装文件获取签名信息 + * 有bug * */ public static String getApkSignatures(Context context, String packname) { - String sign = ""; - String path = null; -// try {//获取此包安装路径 -// //第一种方法 -// ApplicationInfo applicationInfo = context.getPackageManager().getApplicationInfo(packname, 0); -// path = applicationInfo.sourceDir; -// //第二种方法 -//// ApplicationInfo applicationInfo = context.getPackageManager().getPackageInfo(packname, PackageManager.GET_META_DATA).applicationInfo; -//// path = applicationInfo.publicSourceDir;//sourceDir; // 获取当前apk包的绝对路径 -// Log.e("其他已知包名apk的安装路径", applicationInfo.sourceDir+ "&---&" + applicationInfo.publicSourceDir); -// } catch (PackageManager.NameNotFoundException e) { -// e.printStackTrace(); -// //第三中方法 -// path=context.getPackageResourcePath(); -// Log.e("在apk中获取自身安装路径", path); -// } + String path=""; + if (!TextUtils.isEmpty(packname)) { + try {//获取此包安装路径 + //第一种方法 + ApplicationInfo applicationInfo = context.getPackageManager().getApplicationInfo(packname, 0); + path = applicationInfo.sourceDir; + //第二种方法 +// ApplicationInfo applicationInfo = context.getPackageManager().getPackageInfo(packname, PackageManager.GET_META_DATA).applicationInfo; +// path = applicationInfo.publicSourceDir;//sourceDir; // 获取当前apk包的绝对路径 +// Log.e("mhyLog其他已知包名apk的安装路径", applicationInfo.sourceDir + "&---&" + applicationInfo.publicSourceDir); + } catch (PackageManager.NameNotFoundException e) { + e.printStackTrace(); + //第三中方法 +// path = context.getPackageResourcePath(); + path= context.getApplicationInfo().sourceDir; +// Log.e("mhyLOg在apk中获取自身安装路径", path); + } + }else { //第三中方法 - path=context.getPackageResourcePath(); - // Log.e("在apk中获取自身安装路径", path); +// path= context.getApplicationInfo().sourceDir; + path=context.getPackageResourcePath(); + } File apkFile = new File(path); - if (apkFile != null && apkFile.exists()) { - Log.e("包安装路径", apkFile.getAbsolutePath()); + if (apkFile.exists()) { + Log.e("mhyLog包安装路径", apkFile.getAbsolutePath()); PackageManager pm = context.getPackageManager(); - if (Build.VERSION.SDK_INT > Build.VERSION_CODES.P) { + if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) { PackageInfo pkgInfo = pm.getPackageArchiveInfo(apkFile.getAbsolutePath(), PackageManager.GET_SIGNING_CERTIFICATES); - if (pkgInfo != null && pkgInfo.signingInfo != null && pkgInfo.signingInfo.getApkContentsSigners().length > 0) { - sign = AppSigning.getSignatureString(pkgInfo.signingInfo.getApkContentsSigners(), AppSigning.SHA1); + if (pkgInfo != null && pkgInfo.signingInfo != null) { + return AppSigning.getSignatureString(pkgInfo.signingInfo.getApkContentsSigners(), AppSigning.SHA1); } } else { PackageInfo pkgInfo = pm.getPackageArchiveInfo(apkFile.getAbsolutePath(), PackageManager.GET_SIGNATURES); - if (pkgInfo != null && pkgInfo.signatures != null && pkgInfo.signatures.length > 0) { - sign = AppSigning.getSignatureString(pkgInfo.signatures, AppSigning.SHA1); + if (pkgInfo != null && pkgInfo.signatures != null) { + return AppSigning.getSignatureString(pkgInfo.signatures, AppSigning.SHA1); } } } - return sign; + return ""; } + /** + * 手动构建 Context + */ + @SuppressLint({"DiscouragedPrivateApi","PrivateApi"}) + public static Context createContext() throws ClassNotFoundException, + NoSuchMethodException, + InvocationTargetException, + IllegalAccessException, + NoSuchFieldException, + NullPointerException{ + // 反射获取 ActivityThread 的 currentActivityThread 获取 mainThread + Class activityThreadClass = Class.forName("android.app.ActivityThread"); + Method currentActivityThreadMethod = + activityThreadClass.getDeclaredMethod("currentActivityThread"); + currentActivityThreadMethod.setAccessible(true); + Object mainThreadObj = currentActivityThreadMethod.invoke(null); + + // 反射获取 mainThread 实例中的 mBoundApplication 字段 + Field mBoundApplicationField = activityThreadClass.getDeclaredField("mBoundApplication"); + mBoundApplicationField.setAccessible(true); + Object mBoundApplicationObj = mBoundApplicationField.get(mainThreadObj); + + // 获取 mBoundApplication 的 packageInfo 变量 + if (mBoundApplicationObj == null) throw new NullPointerException("mBoundApplicationObj 反射值空"); + Class mBoundApplicationClass = mBoundApplicationObj.getClass(); + Field infoField = mBoundApplicationClass.getDeclaredField("info"); + infoField.setAccessible(true); + Object packageInfoObj = infoField.get(mBoundApplicationObj); + + // 反射调用 ContextImpl.createAppContext(ActivityThread mainThread, LoadedApk packageInfo) + if (mainThreadObj == null) throw new NullPointerException("mainThreadObj 反射值空"); + if (packageInfoObj == null) throw new NullPointerException("packageInfoObj 反射值空"); + Method createAppContextMethod = Class.forName("android.app.ContextImpl").getDeclaredMethod( + "createAppContext", + mainThreadObj.getClass(), + packageInfoObj.getClass()); + createAppContextMethod.setAccessible(true); + return (Context) createAppContextMethod.invoke(null, mainThreadObj, packageInfoObj); + + } //需要读取应用列表权限 public void getAppList(Context context) { @@ -146,8 +192,6 @@ public class APISecurity { /** * 通过指令获取已安装的包 - * - * @return */ private static ArrayList runCommand() { list.clear(); diff --git a/apisecurity/src/main/java/cn/android/security/AppSigning.java b/apisecurity/src/main/java/cn/android/security/AppSigning.java index 0986050..124a5ae 100644 --- a/apisecurity/src/main/java/cn/android/security/AppSigning.java +++ b/apisecurity/src/main/java/cn/android/security/AppSigning.java @@ -6,6 +6,7 @@ import android.content.pm.PackageInfo; import android.content.pm.PackageManager; import android.content.pm.Signature; import android.os.Build; +import android.util.Base64; import android.util.DisplayMetrics; import android.util.Log; @@ -54,29 +55,31 @@ public class AppSigning { * 获取相应的类型的签名信息(把签名的byte[]信息转换成16进制) */ public static String getSignatureString(Signature[] sigs, @SigniType String type) { - for (Signature sig : sigs) { - Log.e("mhyLog","getSignatureString:"+sig.toCharsString()); - } - byte[] hexBytes = sigs[0].toByteArray(); String fingerprint = "error!"; - try { - StringBuffer buffer = new StringBuffer(); - MessageDigest digest = MessageDigest.getInstance(type); - if (digest != null) { - digest.reset(); - digest.update(hexBytes); - byte[] byteArray = digest.digest(); - for (int i = 0; i < byteArray.length; i++) { - if (Integer.toHexString(0xFF & byteArray[i]).length() == 1) { - buffer.append("0").append(Integer.toHexString(0xFF & byteArray[i])); //补0,转换成16进制 - } else { - buffer.append(Integer.toHexString(0xFF & byteArray[i]));//转换成16进制 - } - } - fingerprint = buffer.toString().toLowerCase()/*.toUpperCase()*/; //转换成大写 + if (sigs.length>0) { + for (Signature sig : sigs) { + Log.e("mhyLog", "Signature64:" + Base64.encodeToString(sig.toCharsString().getBytes(),Base64.DEFAULT)); + } + byte[] hexBytes = sigs[0].toByteArray(); + try { + StringBuffer buffer = new StringBuffer(); + MessageDigest digest = MessageDigest.getInstance(type); + if (digest != null) { + digest.reset(); + digest.update(hexBytes); + byte[] byteArray = digest.digest(); + for (int i = 0; i < byteArray.length; i++) { + if (Integer.toHexString(0xFF & byteArray[i]).length() == 1) { + buffer.append("0").append(Integer.toHexString(0xFF & byteArray[i])); //补0,转换成16进制 + } else { + buffer.append(Integer.toHexString(0xFF & byteArray[i]));//转换成16进制 + } + } + fingerprint = buffer.toString().toLowerCase()/*.toUpperCase()*/; //转换成大写 + } + } catch (NoSuchAlgorithmException e) { + e.printStackTrace(); } - } catch (NoSuchAlgorithmException e) { - e.printStackTrace(); } return fingerprint; } @@ -168,10 +171,11 @@ public class AppSigning { return str.toString(); } - /** 防破签名 3 使原生检测签名不被hook 助力防破签名1而存在 + /** 防破签名 3 使原生检测签名能获取真实值 助力防破签名1而存在 * 通过重置PackageManager防止getPackageInfo方法被代理设置 * 亲测MT管理器(当前2.9.1)的一键去签名校验(包括加强版)无效! * 当然如果别人反编译把代码删除的话那就没办法了 + * getBaseContext() */ public static void resetPackageManager(Context baseContext) { try { @@ -207,7 +211,7 @@ public class AppSigning { * 检测 PackageManager 代理 */ @SuppressLint("PrivateApi") - private boolean checkPMProxy(Context context){ + public static boolean checkPMProxy(Context context){ String truePMName = "android.content.pm.IPackageManager$Stub$Proxy"; String nowPMName = ""; try { @@ -227,7 +231,9 @@ public class AppSigning { /** 防破签名 2 * 安装路径获取签名 + * PackageParser 28新api */ + @SuppressLint("PrivateApi") public static String getAPKSignatures(String apkPath) { String PATH_PackageParser = "android.content.pm.PackageParser"; try { @@ -252,7 +258,7 @@ public class AppSigning { Object pkgParserPkg = pkgParser_parsePackageMtd.invoke(pkgParser, new File(apkPath), PackageManager.GET_SIGNATURES); if (Build.VERSION.SDK_INT >= 28) { - Method pkgParser_collectCertificatesMtd = pkgParserCls.getDeclaredMethod("collectCertificates", pkgParserPkg.getClass(), Boolean.TYPE); + Method pkgParser_collectCertificatesMtd = pkgParserCls.getDeclaredMethod("collectCertificates", pkgParserPkg.getClass(), Boolean.TYPE);//true skipVerify pkgParser_collectCertificatesMtd.invoke(pkgParser, pkgParserPkg, Build.VERSION.SDK_INT > 28); // Method pkgParser_collectCertificatesMtd = pkgParserCls.getDeclaredMethod("collectCertificates", pkgParserPkg.getClass(), Boolean.TYPE); diff --git a/apisecurity/src/main/java/cn/android/security/InitProvider.java b/apisecurity/src/main/java/cn/android/security/InitProvider.java new file mode 100644 index 0000000..0a1fb66 --- /dev/null +++ b/apisecurity/src/main/java/cn/android/security/InitProvider.java @@ -0,0 +1,115 @@ +/* + * Copyright (c) 2020-2021. 安卓 + * FileName: ${NAME} + * Author: ${USER} + * Date: ${DATE} ${TIME} + * Description: ${DESCRIPTION} + * History: + *