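// Frida script: logs a Java stack trace whenever the app probes for the `su`
// binary, so the code that performs the root check can be located.
// Every hook forwards to the original method with the original arguments, so
// the result the app sees is not altered; this script only observes.
//
// Coverage: only File(String), Runtime.exec(String), Runtime.exec(String[]) and
// ProcessBuilder(String[]) are hooked. Other overloads and checks performed in
// native code are not observed, so an empty log does not prove the app has no
// root check.
Java.perform(function () {
  const Log = Java.use("android.util.Log");
  const Throwable = Java.use("java.lang.Throwable");
  const File = Java.use("java.io.File");
  const Runtime = Java.use("java.lang.Runtime");
  const ProcessBuilder = Java.use("java.lang.ProcessBuilder");

  /** Print the Java stack of the thread that triggered the current hook. */
  function showStacks() {
    console.log(Log.getStackTraceString(Throwable.$new()));
  }

  /**
   * True when `value` is exactly "su" or a path whose last component is "su".
   * Null/undefined return false so the original Java method still raises its
   * own exception instead of the hook failing first.
   */
  function isSuPath(value) {
    if (value === null || value === undefined) {
      return false;
    }
    const lowered = String(value).toLowerCase();
    return lowered === "su" || lowered.endsWith("/su");
  }

  /**
   * True when any whitespace-separated token of a command string is `su` or a
   * path to it, e.g. "su", "su -c id", "which su", "/system/xbin/su".
   * Token matching replaces the former substring test includes("su"), which
   * also fired on unrelated arguments that merely contain the letters "su".
   */
  function commandMentionsSu(command) {
    if (command === null || command === undefined) {
      return false;
    }
    const tokens = String(command).split(/\s+/);
    for (let i = 0; i < tokens.length; i++) {
      if (isSuPath(tokens[i])) {
        return true;
      }
    }
    return false;
  }

  /** True when any element of a Java String[] argument vector refers to `su`. */
  function argvMentionsSu(argv) {
    if (argv === null || argv === undefined) {
      return false;
    }
    // Index loop on purpose: argv is Frida's wrapper around a Java array.
    for (let i = 0; i < argv.length; i++) {
      if (commandMentionsSu(argv[i])) {
        return true;
      }
    }
    return false;
  }

  // new File(String): existence probes such as new File("/system/xbin/su").
  File.$init.overload("java.lang.String").implementation = function (str) {
    if (isSuPath(str)) {
      console.log("发现检测su文件");
      showStacks();
    }
    return this.$init(str);
  };

  // Runtime.exec(String): the whole command line arrives as one string.
  Runtime.exec.overload("java.lang.String").implementation = function (str) {
    if (commandMentionsSu(str)) {
      console.log("发现尝试执行su命令的行为");
      showStacks();
    }
    return this.exec(str);
  };

  // Runtime.exec(String[]): the command arrives as an argument vector.
  Runtime.exec.overload("[Ljava.lang.String;").implementation = function (stringArray) {
    if (argvMentionsSu(stringArray)) {
      console.log("发现尝试执行su命令的行为");
      showStacks();
    }
    return this.exec(stringArray);
  };

  // new ProcessBuilder(String...): same check on the argument vector.
  // NOTE(review): the platform may route Runtime.exec through ProcessBuilder,
  // in which case one call is reported twice - confirm on the target Android
  // version before counting events.
  ProcessBuilder.$init.overload("[Ljava.lang.String;").implementation = function (stringArray) {
    if (argvMentionsSu(stringArray)) {
      console.log("发现尝试执行su命令的行为");
      showStacks();
    }
    return this.$init(stringArray);
  };
});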
通过检测root打印堆栈来定位关键代码;
