├── demo.jpg ├── README.md ├── antiroot.py └── antiroot.js /demo.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AshenOneYe/FridaAntiRootDetection/HEAD/demo.jpg -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # FridaAntiRootDetection 2 | A Frida script to bypass common root detection; the collection of detection methods is still being improved! 3 | 4 | ![demo](demo.jpg) 5 | 6 | ## Usage 7 | 8 | ### Use the JS script directly 9 | ``` 10 | frida -UF -l antiroot.js 11 | ``` 12 | 13 | OR 14 | 15 | ### Enable spawn gating with Python 16 | Set the `target` variable in `antiroot.py` to the package-name prefix of the app, then run: 17 | ``` 18 | python antiroot.py 19 | ``` -------------------------------------------------------------------------------- /antiroot.py: -------------------------------------------------------------------------------- 1 | import frida 2 | import os 3 | 4 | device = frida.get_usb_device() 5 | print(device) 6 | 7 | target = "com.xxx.xxx" 8 | 9 | with open(os.path.dirname(os.path.abspath(__file__)) + "/antiroot.js","r",encoding="utf8") as f: 10 | jscode = f.read() 11 | 12 | 13 | def spawn_added(spawn): 14 | print('spawn_added:', spawn) 15 | if(spawn.identifier.startswith(target)): 16 | session = device.attach(spawn.pid) 17 | script = session.create_script(jscode) 18 | script.on('message', on_message) 19 | script.load() 20 | device.resume(spawn.pid) 21 | 22 | def on_message(message, data): 23 | if message['type'] == 'send': 24 | print("[*] {0}".format(message['payload'])) 25 | else: 26 | print(message) 27 | 28 | device.on('spawn-added', spawn_added) 29 | device.enable_spawn_gating() 30 | print('Enabled spawn gating') 31 | 32 | input() -------------------------------------------------------------------------------- /antiroot.js: -------------------------------------------------------------------------------- 1 | const 
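commonPaths = [
    // Filesystem artifacts matched by the file-check hooks below: su binaries,
    // Superuser/Kinguser APKs, busybox, and Magisk / KernelSU files.
    "/data/local/bin/su",
    "/data/local/su",
    "/data/local/xbin/su",
    "/dev/com.koushikdutta.superuser.daemon/",
    "/sbin/su",
    "/system/app/Superuser.apk",
    "/system/bin/failsafe/su",
    "/system/bin/su",
    "/su/bin/su",
    "/system/etc/init.d/99SuperSUDaemon",
    "/system/sd/xbin/su",
    "/system/xbin/busybox",
    "/system/xbin/daemonsu",
    "/system/xbin/su",
    "/system/sbin/su",
    "/vendor/bin/su",
    "/cache/su",
    "/data/su",
    "/dev/su",
    "/system/bin/.ext/su",
    "/system/usr/we-need-root/su",
    "/system/app/Kinguser.apk",
    "/data/adb/magisk",
    "/sbin/.magisk",
    "/cache/.disable_magisk",
    "/dev/.magisk.unblock",
    "/cache/magisk.log",
    "/data/adb/magisk.img",
    "/data/adb/magisk.db",
    "/data/adb/magisk_simple",
    "/init.magisk.rc",
    "/system/xbin/ku.sud",
    "/data/adb/ksu",
    "/data/adb/ksud"
];

// Package names matched by the getPackageInfo hook in bypassRootAppCheck().
const ROOTmanagementApp = [
    "com.noshufou.android.su",
    "com.noshufou.android.su.elite",
    "eu.chainfire.supersu",
    "com.koushikdutta.superuser",
    "com.thirdparty.superuser",
    "com.yellowes.su",
    "com.koushikdutta.rommanager",
    "com.koushikdutta.rommanager.license",
    "com.dimonvideo.luckypatcher",
    "com.chelpus.lackypatch",
    "com.ramdroid.appquarantine",
    "com.ramdroid.appquarantinepro",
    "com.topjohnwu.magisk",
    "me.weishu.kernelsu"
];

// NOTE(review): every hook in this file runs inside the inspected app's own
// process (Java method replacement or libc interception). The checks it
// covers -- file existence, installed packages, Build fields, system
// properties and shell commands -- are all evaluated in that same process, so
// their results are only as trustworthy as the process itself.


/**
 * Capture the Java stack trace at the point of the call.
 *
 * @param {boolean} isLog - when truthy the trace is printed and nothing is
 *     returned; otherwise the trace string is returned.
 * @returns {string|undefined} the stack trace text when isLog is falsy.
 */
function stackTraceHere(isLog){
    var Exception = Java.use('java.lang.Exception');
    var Log = Java.use('android.util.Log');
    var stackinfo = Log.getStackTraceString(Exception.$new())
    if(isLog){
        console.log(stackinfo)
    }else{
        return stackinfo
    }
}

/**
 * Print a native backtrace, one symbolised frame per line.
 *
 * `this.context` is read as written in the original; it is only an
 * invocation context when the function is called with an Interceptor
 * callback's `this` (for example via `.call(this)`).
 * NOTE(review): `isLog` is accepted but never read -- the backtrace is always
 * logged and nothing is returned.
 */
function stackTraceNativeHere(isLog){
    var backtrace = Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map(DebugSymbol.fromAddress)
        .join("\n\t");
    console.log(backtrace)
}


/**
 * Attach Interceptor callbacks to a libc export, if the export exists.
 *
 * Interceptor.attach throws when given a null address, which would abort the
 * script before the remaining hooks are installed; a missing symbol is
 * logged and skipped instead.
 *
 * @param {string} name - exported symbol to look up in libc.so.
 * @param {object} callbacks - onEnter/onLeave handlers for Interceptor.attach.
 * @returns {boolean} true when the hook was attached.
 */
function attachLibcExport(name, callbacks){
    var address = Module.findExportByName("libc.so", name)
    if(address === null){
        console.log("Anti Root Detect - libc export not found: " + name)
        return false
    }
    Interceptor.attach(address, callbacks)
    return true
}

/**
 * Read a C string path argument, tolerating a NULL pointer.
 *
 * @param {NativePointer} pointer - the path argument of the hooked call.
 * @returns {string|null} the decoded path, or null for a NULL pointer.
 */
function readPathArg(pointer){
    return pointer.isNull() ? null : pointer.readUtf8String()
}


/**
 * Replace java.io.UnixFileSystem.checkAccess so that it reports `false` for
 * any path containing "magisk" or listed in commonPaths; every other path is
 * passed to the original implementation.
 */
function bypassJavaFileCheck(){
    var UnixFileSystem = Java.use("java.io.UnixFileSystem")
    UnixFileSystem.checkAccess.implementation = function(file,access){

        // The original captured a Java stack trace here on every call and
        // never used it; that allocation was removed.
        const filename = file.getAbsolutePath();

        if (filename.indexOf("magisk") >= 0) {
            console.log("Anti Root Detect - check file: " + filename)
            return false;
        }

        if (commonPaths.indexOf(filename) >= 0) {
            console.log("Anti Root Detect - check file: " + filename)
            return false;
        }

        return this.checkAccess(file,access)
    }
}

/**
 * Intercept libc fopen() and access() and turn a successful result into a
 * failure when the requested path is listed in commonPaths.
 */
function bypassNativeFileCheck(){
    attachLibcExport("fopen",{
        onEnter:function(args){
            this.inputPath = readPathArg(args[0])
        },
        onLeave:function(retval){
            if(retval.toInt32() != 0){
                if (commonPaths.indexOf(this.inputPath) >= 0) {
                    console.log("Anti Root Detect - fopen : " + this.inputPath)
                    // NOTE(review): the stream fopen already opened is dropped
                    // without fclose, so each hit leaks a FILE* in the process.
                    retval.replace(ptr(0x0))
                }
            }
        }
    })

    attachLibcExport("access",{
        onEnter:function(args){
            this.inputPath = readPathArg(args[0])
        },
        onLeave:function(retval){
            if(retval.toInt32()==0){
                if(commonPaths.indexOf(this.inputPath) >= 0){
                    console.log("Anti Root Detect - access : " + this.inputPath)
                    retval.replace(ptr(-1))
                }
            }
        }
    })
}

/**
 * Overwrite android.os.Build.TAGS and Build.FINGERPRINT through reflection
 * and rewrite the buffer returned by __system_property_get for
 * "ro.build.fingerprint" with the same fixed fingerprint string.
 */
function setProp(){
    // Single definition of the value written to both the Java field and the
    // native property buffer (the original repeated the literal).
    const fingerprintValue = "google/crosshatch/crosshatch:10/QQ3A.200805.001/6578210:user/release-keys"

    var Build = Java.use("android.os.Build")
    var TAGS = Build.class.getDeclaredField("TAGS")
    TAGS.setAccessible(true)
    TAGS.set(null,"release-keys")

    var FINGERPRINT = Build.class.getDeclaredField("FINGERPRINT")
    FINGERPRINT.setAccessible(true)
    FINGERPRINT.set(null,fingerprintValue)

    // Build.deriveFingerprint.implementation = function(){
    //     var ret = this.deriveFingerprint() // this function cannot be called via reflection
    //     console.log(ret)
    //     return ret
    // }

    attachLibcExport("__system_property_get",{
        onEnter(args){
            this.key = args[0].isNull() ? null : args[0].readCString()
            this.ret = args[1]
        },
        onLeave(ret){
            // Skip a NULL output buffer: copying into it would fault.
            if(this.key == "ro.build.fingerprint" && !this.ret.isNull()){
                var p = Memory.allocUtf8String(fingerprintValue)
                // +1 copies the terminating NUL; the string is ASCII, so its
                // JS length equals its byte length.
                Memory.copy(this.ret,p,fingerprintValue.length+1)
            }
        }
    })

}

//android.app.PackageManager
/**
 * Replace ApplicationPackageManager.getPackageInfo(String, int) so that a
 * lookup for any package in ROOTmanagementApp is redirected to a package
 * name that is not expected to exist; the original method is then called
 * with the substituted name.
 */
function bypassRootAppCheck(){
    var ApplicationPackageManager = Java.use("android.app.ApplicationPackageManager")
    ApplicationPackageManager.getPackageInfo.overload('java.lang.String', 'int').implementation = function(str,i){
        // console.log(str)
        if (ROOTmanagementApp.indexOf(str) >= 0) {
            console.log("Anti Root Detect - check package : " + str)
            str = "ashen.one.ye.not.found"
        }
        return this.getPackageInfo(str,i)
    }

    //shell pm check
}

/**
 * Replace java.lang.ProcessImpl.start so that `mount`, `getprop ro.secure`,
 * `getprop ro.debuggable` and `which su` are started with their command
 * array swapped for a single empty string; all other commands pass through.
 */
function bypassShellCheck(){
    // Named JavaString so the JS global `String` is not shadowed.
    var JavaString = Java.use('java.lang.String')

    var ProcessImpl = Java.use("java.lang.ProcessImpl")
    ProcessImpl.start.implementation = function(cmdarray,env,dir,redirects,redirectErrorStream){

        // An empty or null command array has no element 0 to inspect; hand it
        // to the original unchanged instead of throwing inside the hook.
        var command = (cmdarray !== null && cmdarray.length > 0) ? cmdarray[0] : null
        if(command === null || command === undefined){
            return ProcessImpl.start.apply(this,arguments)
        }

        if(command == "mount"){
            console.log("Anti Root Detect - Shell : " + cmdarray.toString())
            arguments[0] = Java.array('java.lang.String',[JavaString.$new("")])
            return ProcessImpl.start.apply(this,arguments)
        }

        if(command == "getprop"){
            console.log("Anti Root Detect - Shell : " + cmdarray.toString())
            const prop = [
                "ro.secure",
                "ro.debuggable"
            ];
            if(prop.indexOf(cmdarray[1]) >= 0){
                arguments[0] = Java.array('java.lang.String',[JavaString.$new("")])
                return ProcessImpl.start.apply(this,arguments)
            }
        }

        if(command.indexOf("which") >= 0){
            const prop = [
                "su"
            ];
            if(prop.indexOf(cmdarray[1]) >= 0){
                console.log("Anti Root Detect - Shell : " + cmdarray.toString())
                arguments[0] = Java.array('java.lang.String',[JavaString.$new("")])
                return ProcessImpl.start.apply(this,arguments)
            }
        }

        return ProcessImpl.start.apply(this,arguments)
    }
}


// NOTE(review): the Java hooks below call Java.use at load time rather than
// inside a Java.perform callback -- confirm this is valid for the Frida
// version and attach mode in use.
console.log("Attach")
bypassNativeFileCheck()
bypassJavaFileCheck()
setProp()
bypassRootAppCheck()
bypassShellCheck()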