内容纲要
恶意样本
反模拟器机制
该程序经分析，发现它会读取与设备硬件相关的系统属性、PackageManager 特性标志和传感器信息，一旦命中模拟器特征就退出程序。需要注意：这些特征全部来自模拟器镜像/ROM 可自行设定的值（定制模拟器、hook 框架都能改成真机取值），因此只能作为启发式信号，检查通过并不能证明运行在物理设备上。
ro.hardware
ro.hardware 的值在 /system/core/init.c 中设置：init 用 hardware 变量为其赋值，hardware 先从 /proc/cpuinfo 读取，随后再检查内核 command line（cmdline）。
ro.build.flavor
ro.product.model
ro.product.model
ro.product.manufacturer
ro.product.board
ro.board.platform
gsm.version.baseband
others
getProperty
通过反射调用 android.os.SystemProperties.get(key, default) 读取系统属性（非公开 API，在较新的 Android 版本上反射访问可能受到限制，取不到值时不应直接当作模拟器证据）。
sensorManager
通过 SensorManager 读取传感器列表：传感器总数过少（样本中的阈值为 ≤7）或缺少光线传感器，可用来识别一些较简陋的模拟器。
基于恶意样本写的模拟器识别
//模拟器检测,大多数的沙箱和模拟器可以检测出
package com.example.emulatordetection;
import android.content.Context;
import android.hardware.SensorManager;
import android.os.Bundle;
import android.text.TextUtils;
import android.util.Log;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Locale;
import java.util.concurrent.ConcurrentHashMap;
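/**
 * Re-implementation of the emulator-detection probes found in the analysed malware sample.
 *
 * Each probe reads a system property (via reflection on android.os.SystemProperties), a
 * PackageManager feature flag, the sensor list, or the output of a shell command; it shows a
 * Toast when it hits and the hit is reported through {@link EmulatorCheckCallback}.
 *
 * NOTE(security): every input used here is supplied by the emulator image / ROM and can be
 * set to real-device values (custom emulator builds, hooking frameworks). A run with no hits
 * is a heuristic result, not evidence of a physical device; a property that cannot be read
 * is likewise not proof of an emulator.
 */
public class MainActivity extends AppCompatActivity implements EmulatorCheckCallback {
    private static final String TAG = "TEST";

    // Sensor.TYPE_ALL / Sensor.TYPE_LIGHT, inlined so android.hardware.Sensor need not be imported.
    private static final int SENSOR_TYPE_ALL = -1;
    private static final int SENSOR_TYPE_LIGHT = 5;
    // The sample flags a device that exposes this many sensors or fewer.
    private static final int SUSPICIOUS_SENSOR_COUNT = 7;

    // Signature tables lifted from the sample. ro.hardware is matched exactly, every other
    // property as a substring; all comparisons are case-insensitive.
    private static final String[] HARDWARE_SIGNATURES =
            {"android_x86", "cancro", "vbox86", "nox", "ttvm", "vbox", "intel"};
    private static final String[] FLAVOR_SIGNATURES = {"vbox", "sdk_gphone"};
    private static final String[] MODEL_SIGNATURES =
            {"google_sdk", "emulator", "android sdk built for x86"};
    private static final String[] MANUFACTURER_SIGNATURES = {"genymotion", "netease"};
    private static final String[] BOARD_SIGNATURES = {"android", "goldfish"};
    private static final String[] PLATFORM_SIGNATURES = {"android"};
    private static final String[] BASEBAND_SIGNATURES = {"1.0.0.0"};

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        checkEmulator(this, this);
    }

    /**
     * Runs every probe (each shows its own Toast) and reports the hits to {@code callback}.
     *
     * All probes run regardless of earlier hits, matching the sample's flow, so that every
     * Toast is still displayed.
     *
     * @param context  context used for system services and PackageManager
     * @param callback receives one message naming the probes that hit
     * @return true when at least one probe matched an emulator signature; false otherwise, or
     *         without probing at all when either argument is null
     */
    private boolean checkEmulator(Context context, EmulatorCheckCallback callback) {
        if (context == null || callback == null) {
            return false;
        }
        StringBuilder hits = new StringBuilder();
        if (checkFeaturesByHardware()) { hits.append("ro.hardware "); }
        if (checkFeaturesByFlavor()) { hits.append("ro.build.flavor "); }
        if (checkFeaturesByModel()) { hits.append("ro.product.model "); }
        if (checkFeaturesByManufacturer()) { hits.append("ro.product.manufacturer "); }
        if (checkFeaturesByBoard()) { hits.append("ro.product.board "); }
        if (checkFeaturesByPlatform()) { hits.append("ro.board.platform "); }
        if (checkFeaturesByBaseBand()) { hits.append("gsm.version.baseband "); }
        if (checkSensorNumber(context)) { hits.append("sensor-count "); }
        if (checkCameraFlash(context)) { hits.append("camera-flash "); }
        if (checkCamera(context)) { hits.append("camera "); }
        if (checkBluetooth(context)) { hits.append("bluetooth "); }
        if (checkLightSensor(context)) { hits.append("light-sensor "); }
        if (checkFeaturesByCgroup()) { hits.append("cgroup "); }
        checkAppNumber(); // informational only: the sample merely displays the count
        if (hits.length() == 0) {
            return false;
        }
        callback.findEmulator("emulator indicators: " + hits.toString().trim());
        return true;
    }

    /**
     * Reads the system property {@code key} and classifies it.
     *
     * @param key        property name
     * @param exact      true to require the whole (lower-cased) value to equal a signature,
     *                   false to accept a signature as a substring
     * @param signatures lower-case strings that identify an emulator
     * @return RESULT_MAYBE_EMULATOR with a null value when the property cannot be read,
     *         RESULT_EMULATOR when a signature matches, RESULT_UNKNOWN otherwise
     */
    private CheckResult checkProperty(String key, boolean exact, String... signatures) {
        String value = getProperty(key);
        if (value == null) {
            return new CheckResult(CheckResult.RESULT_MAYBE_EMULATOR, null);
        }
        // Locale.ROOT: a Turkish default locale would turn "INTEL" into "ıntel" and miss.
        String lowered = value.toLowerCase(Locale.ROOT);
        int result = CheckResult.RESULT_UNKNOWN;
        for (String signature : signatures) {
            if (exact ? lowered.equals(signature) : lowered.contains(signature)) {
                result = CheckResult.RESULT_EMULATOR;
                break;
            }
        }
        return new CheckResult(result, value);
    }

    /**
     * Shows {@code message} when {@code probe} matched an emulator signature.
     * The messages are kept verbatim from the sample ("... not found" fires on a match).
     *
     * @return true when the probe's result is RESULT_EMULATOR
     */
    private boolean toastIfEmulator(CheckResult probe, String message) {
        if (probe.result != CheckResult.RESULT_EMULATOR) {
            return false;
        }
        Toast.makeText(this, message, Toast.LENGTH_SHORT).show();
        return true;
    }

    /** ro.hardware equal to a known emulator board name (exact match). */
    private boolean checkFeaturesByHardware() {
        return toastIfEmulator(checkProperty("ro.hardware", true, HARDWARE_SIGNATURES),
                "Hardware not found.\r\n");
    }

    /** ro.build.flavor containing an emulator build flavour. */
    private boolean checkFeaturesByFlavor() {
        return toastIfEmulator(checkProperty("ro.build.flavor", false, FLAVOR_SIGNATURES),
                "Flavor not found.\r\n");
    }

    /** ro.product.model containing an SDK / emulator model string. */
    private boolean checkFeaturesByModel() {
        return toastIfEmulator(checkProperty("ro.product.model", false, MODEL_SIGNATURES),
                "Model not found.\r\n");
    }

    /** ro.product.manufacturer naming an emulator vendor. */
    private boolean checkFeaturesByManufacturer() {
        return toastIfEmulator(
                checkProperty("ro.product.manufacturer", false, MANUFACTURER_SIGNATURES),
                "Manufacturer not found.\r\n");
    }

    /** ro.product.board containing "android" or "goldfish". */
    private boolean checkFeaturesByBoard() {
        return toastIfEmulator(checkProperty("ro.product.board", false, BOARD_SIGNATURES),
                "Board not found.\r\n");
    }

    /** ro.board.platform containing "android". */
    private boolean checkFeaturesByPlatform() {
        return toastIfEmulator(checkProperty("ro.board.platform", false, PLATFORM_SIGNATURES),
                "Platform not found.\r\n");
    }

    /** gsm.version.baseband containing the placeholder version "1.0.0.0". */
    private boolean checkFeaturesByBaseBand() {
        return toastIfEmulator(checkProperty("gsm.version.baseband", false, BASEBAND_SIGNATURES),
                "Base band not found.\r\n");
    }

    /**
     * Counts all sensors; a missing SensorManager counts as zero.
     *
     * @return true when the count is at most SUSPICIOUS_SENSOR_COUNT
     */
    private boolean checkSensorNumber(Context context) {
        SensorManager sensorManager = (SensorManager) context.getSystemService(SENSOR_SERVICE);
        int number = sensorManager == null ? 0 : sensorManager.getSensorList(SENSOR_TYPE_ALL).size();
        if (number > SUSPICIOUS_SENSOR_COUNT) {
            return false;
        }
        Toast.makeText(this, "Sensor number<=7. Number is: " + number + "\r\n",
                Toast.LENGTH_SHORT).show();
        return true;
    }

    /**
     * Shows {@code message} when the PackageManager does not declare {@code feature}.
     *
     * @return true when the feature is absent
     */
    private boolean toastIfFeatureMissing(Context context, String feature, String message) {
        if (context.getPackageManager().hasSystemFeature(feature)) {
            return false;
        }
        Toast.makeText(this, message, Toast.LENGTH_SHORT).show();
        return true;
    }

    private boolean checkCameraFlash(Context context) {
        return toastIfFeatureMissing(context, "android.hardware.camera.flash",
                "Camera flash not supported.");
    }

    private boolean checkCamera(Context context) {
        return toastIfFeatureMissing(context, "android.hardware.camera", "Camera not supported.");
    }

    private boolean checkBluetooth(Context context) {
        return toastIfFeatureMissing(context, "android.hardware.bluetooth",
                "Bluetooth not supported.");
    }

    /** @return true when no default light sensor exists (or there is no SensorManager). */
    private boolean checkLightSensor(Context context) {
        SensorManager sensorManager = (SensorManager) context.getSystemService(SENSOR_SERVICE);
        if (sensorManager != null && sensorManager.getDefaultSensor(SENSOR_TYPE_LIGHT) != null) {
            return false;
        }
        Toast.makeText(this, "Light sensor not supported.", Toast.LENGTH_SHORT).show();
        return true;
    }

    /**
     * Reads /proc/self/cgroup through a child process, as the sample does.
     * The original never fired because do_exec could not return null; it now does when the
     * command fails or prints nothing.
     *
     * @return true when the cgroup file could not be read
     */
    private boolean checkFeaturesByCgroup() {
        String value = do_exec("cat", "/proc/self/cgroup");
        CheckResult cgroup = value == null
                ? new CheckResult(CheckResult.RESULT_MAYBE_EMULATOR, null)
                : new CheckResult(CheckResult.RESULT_UNKNOWN, value);
        if (cgroup.result != CheckResult.RESULT_MAYBE_EMULATOR) {
            return false;
        }
        Toast.makeText(this, "Cgourp is null.", Toast.LENGTH_SHORT).show();
        return true;
    }

    /**
     * Displays the number of third-party packages reported by {@code pm list package -3}.
     * Counts lines starting with "package:" instead of splitting on it, which over-counted
     * by one in the original.
     */
    private void checkAppNumber() {
        String value = do_exec("pm", "list", "package", "-3");
        if (value == null) {
            Toast.makeText(this, "exec no return.", Toast.LENGTH_SHORT).show();
            return;
        }
        int number = 0;
        for (String line : value.split("\n")) {
            if (line.startsWith("package:")) {
                number++;
            }
        }
        Toast.makeText(this, "App number is: " + number, Toast.LENGTH_LONG).show();
    }

    /** Callback target: the sample only logs the finding. */
    @Override
    public void findEmulator(String description) {
        Log.d(TAG, description);
    }

    /**
     * Reads a system property via reflection on the hidden android.os.SystemProperties class.
     *
     * @param key property name
     * @return the value, or null when it is empty or the reflective call fails
     *         (NOTE(review): hidden-API access may be restricted on newer Android releases, so
     *         null here is not by itself an emulator signal)
     */
    private String getProperty(String key) {
        try {
            Class<?> systemProperties = Class.forName("android.os.SystemProperties");
            Method get = systemProperties.getMethod("get", String.class, String.class);
            // get() is static, so the receiver is ignored; null makes that explicit.
            String value = (String) get.invoke(null, key, "unknown");
            return TextUtils.isEmpty(value) ? null : value;
        } catch (ReflectiveOperationException | RuntimeException e) {
            Log.d(TAG, "SystemProperties.get(" + key + ") failed", e);
            return null;
        }
    }

    /**
     * Runs {@code cmd} (program plus arguments, no shell) and returns its combined stdout/stderr.
     *
     * Using an argument vector instead of Runtime.exec(String) avoids whitespace re-splitting;
     * the reader is closed and the child destroyed on every path.
     *
     * @return the output with lines joined by '\n', or null when the process could not be
     *         started, reading failed, or nothing was printed
     */
    private String do_exec(String... cmd) {
        StringBuilder output = new StringBuilder();
        Process process = null;
        try {
            process = new ProcessBuilder(cmd).redirectErrorStream(true).start();
            try (BufferedReader in = new BufferedReader(
                    new InputStreamReader(process.getInputStream(), StandardCharsets.UTF_8))) {
                String line;
                while ((line = in.readLine()) != null) {
                    output.append(line).append('\n');
                }
            }
        } catch (IOException e) {
            Log.d(TAG, "exec failed: " + cmd[0], e);
            return null;
        } finally {
            if (process != null) {
                process.destroy();
            }
        }
        return output.length() == 0 ? null : output.toString();
    }
}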
/**
 * Outcome of a single emulator probe: a verdict code plus the raw value it was derived from.
 *
 * As used by MainActivity: RESULT_EMULATOR when a signature matched, RESULT_MAYBE_EMULATOR
 * when the value could not be read (value is then null), RESULT_UNKNOWN when a value was
 * read but matched nothing.
 */
class CheckResult {
    public static final int RESULT_EMULATOR = 1;
    public static final int RESULT_MAYBE_EMULATOR = 0;
    public static final int RESULT_UNKNOWN = 2;

    /** One of the RESULT_* codes above. */
    public int result;
    /** Raw property value or command output; null when it was unreadable. */
    public String value;

    /**
     * @param verdict one of the RESULT_* codes
     * @param raw     the value the verdict was based on, may be null
     */
    public CheckResult(int verdict, String raw) {
        result = verdict;
        value = raw;
    }
}
/** Notified by the emulator check when one or more probes hit. */
interface EmulatorCheckCallback {
    /**
     * @param description free-form text describing the finding
     */
    void findEmulator(String description);
}
梆梆加固恶意样本
未完成