Bypassing Android App Detection Checks


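Xposed detection

  • Android Reverse Engineering Journey: Cracking a Payment App's Detection of Hooking by Xposed and Similar Frameworks
  • Analysis of the Xposed Hook Detection Mechanism in Alibaba Products
  • From Meituan: A Discussion of Defending Against Android Hook Techniques
  • From Kanxue: Analysis of Anti-Debugging and Hook Detection in Enterprise Packers
  • Alipay Column: Using Xposed Without Root
  • Analysis of Douyin Short Video's Xposed Detection (Part 1)
  • Analysis of Douyin Short Video's Xposed Detection (Part 2)
  • Methods and Code for Detecting Android Virtual Machines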

Frida detection

Root environment detection

// Filesystem paths that root checks commonly probe for.
const commonPaths = [
    "/data/local/bin/su",
    "/data/local/su",
    "/data/local/xbin/su",
    "/dev/com.koushikdutta.superuser.daemon/",
    "/sbin/su",
    "/system/app/Superuser.apk",
    "/system/bin/failsafe/su",
    "/system/bin/su",
    "/system/etc/init.d/99SuperSUDaemon",
    "/system/sd/xbin/su",
    "/system/xbin/busybox",
    "/system/xbin/daemonsu",
    "/system/xbin/su",
];

// Package names of root managers, root-hiding tools and hooking frameworks
// that root checks look for among the installed apps.
const RootPackages = [
    "com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
    "com.koushikdutta.superuser", "com.thirdparty.superuser", "com.yellowes.su", "com.koushikdutta.rommanager",
    "com.koushikdutta.rommanager.license", "com.dimonvideo.luckypatcher", "com.chelpus.lackypatch",
    "com.ramdroid.appquarantine", "com.ramdroid.appquarantinepro", "com.devadvance.rootcloak", "com.devadvance.rootcloakplus",
    "de.robv.android.xposed.installer", "com.saurik.substrate", "com.zachspong.temprootremovejb", "com.amphoras.hidemyroot",
    "com.amphoras.hidemyrootadfree", "com.formyhm.hiderootPremium", "com.formyhm.hideroot", "me.phh.superuser",
    "eu.chainfire.supersu.pro", "com.kingouser.com", "com.android.vending.billing.InAppBillingService.COIN", "com.topjohnwu.magisk",
];

// File names of root-related binaries and APKs that root checks search for.
const RootBinaries = ["su", "busybox", "supersu", "Superuser.apk", "KingoUser.apk", "SuperSu.apk", "magisk"];

// System properties that root checks read, mapped to the values
// a stock, non-rooted build reports.
const RootProperties = {
    "ro.build.selinux": "1",
    "ro.debuggable": "0",
    "service.adb.root": "0",
    "ro.secure": "1",
};

However, even with all of these handled, an app's root detection will not necessarily be bypassed.

  • https://github.com/sensepost/objection/blob/master/agent/src/android/root.ts
  • https://codeshare.frida.re/@dzonerzy/fridantiroot/

frida -l antiroot.js -U -f com.example.app --no-pause

Related