25-7-28-2

android/app/src/main/cpp/native-lib.cpp

@@ -0,0 +1,187 @@
+
+#include <jni.h>
+#include <string>
+#include <fstream>
+#include <unistd.h>
+#include <dirent.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <android/log.h>
+#include <pthread.h>
+#include <dlfcn.h>
+#include <link.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/ptrace.h> // Add this line
+
+#define LOG_TAG "NativeLib"
+#define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)
+#define LOGE(...) __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__)
+
+// Function to check for common root binaries
+bool isRooted()
+{
+    std::string paths[] = {
+        "/system/app/Superuser.apk",
+        "/system/xbin/su",
+        "/system/bin/su",
+        "/system/bin/magisk",
+        "/system/xbin/magisk",
+        "/sbin/magisk"};
+
+    for (const auto &path : paths)
+    {
+        std::ifstream file(path);
+        if (file.good())
+        {
+            return true;
+        }
+    }
+    return false;
+}
+
+// Function to check for the presence of files or directories commonly associated with Frida.
+bool checkFridaFiles()
+{
+    std::string fridaFiles[] = {
+        "/data/local/tmp/re.frida.server", // Common Frida server path
+        "/data/local/tmp/frida-server",
+        "/usr/lib/libfrida-gadget.so", // Frida gadget (injected library)
+        "/usr/lib64/libfrida-gadget.so",
+        "/data/local/re.frida.server",
+
+    };
+
+    for (const auto &path : fridaFiles)
+    {
+        if (access(path.c_str(), F_OK) != -1)
+        {
+            LOGE("Frida file detected: %s", path.c_str());
+            return true;
+        }
+    }
+    return false;
+}
+
+// Checks for open ports commonly used by Frida.  This is less reliable, as ports can be changed.
+bool checkFridaPorts()
+{
+    int sock = socket(AF_INET, SOCK_STREAM, 0);
+    if (sock == -1)
+    {
+        return false; // Couldn't create socket, not a strong indicator.
+    }
+
+    sockaddr_in sa;
+    memset(&sa, 0, sizeof(sa));
+    sa.sin_family = AF_INET;
+    sa.sin_port = htons(27042); // Default Frida port
+    inet_pton(AF_INET, "127.0.0.1", &sa.sin_addr);
+
+    if (connect(sock, (struct sockaddr *)&sa, sizeof(sa)) != -1)
+    {
+        LOGE("Frida default port (27042) is open.");
+        close(sock);
+        return true;
+    }
+
+    close(sock);
+    return false;
+}
+
+// Check the maps file of the current process for any suspicious entries.
+bool checkMaps()
+{
+    std::ifstream mapsFile("/proc/self/maps");
+    std::string line;
+
+    if (mapsFile.is_open())
+    {
+        while (std::getline(mapsFile, line))
+        {
+            // Look for lines that indicate injected libraries, especially Frida.
+            if (line.find("frida") != std::string::npos ||
+                line.find("gum-js-") != std::string::npos)
+            { // Gum is Frida's JavaScript engine
+                LOGE("Suspicious entry in /proc/self/maps: %s", line.c_str());
+                return true;
+            }
+        }
+        mapsFile.close();
+    }
+    else
+    {
+        LOGE("Could not open /proc/self/maps");
+        return false;
+    }
+    return false;
+}
+
+// Check loaded modules.
+bool checkLoadedModules()
+{
+    bool found = false;
+    dl_iterate_phdr([](struct dl_phdr_info *info, size_t size, void *data)
+                    {
+                        bool *found_ptr = static_cast<bool *>(data);
+                        if (std::string(info->dlpi_name).find("frida") != std::string::npos)
+                        {
+                            LOGE("Frida module detected: %s", info->dlpi_name);
+                            *found_ptr = true;
+                            return 1; // Stop iterating
+                        }
+                        return 0; // Continue iterating
+                    },
+                    &found);
+
+    return found;
+}
+
+// This is a simple ptrace check.  More sophisticated checks are possible (and necessary for robust detection).
+// bool checkPtrace() {
+//    // Attempt to ptrace ourselves.  If another process is already tracing us, this will fail.
+//    if (ptrace(PTRACE_TRACEME, 0, 1, 0) < 0) {
+//        LOGE("ptrace failed.  Debugger or tracer detected.");
+//        return true; // Likely being traced
+//    }
+//    // Detach. If attached, need to detach to not interfere.
+//    ptrace(PTRACE_DETACH, 0, 0, 0);
+//    return false;
+//}
+
+extern "C" JNIEXPORT jboolean JNICALL
+Java_com_intaleq_1driver_RootDetection_isNativeRooted(JNIEnv *env, jobject /* this */)
+{
+
+    if (isRooted())
+    {
+        return JNI_TRUE;
+    }
+
+    if (checkFridaFiles())
+    {
+        return JNI_TRUE;
+    }
+
+    if (checkFridaPorts())
+    {
+        return JNI_TRUE;
+    }
+    if (checkMaps())
+    {
+        return JNI_TRUE;
+    }
+
+    if (checkLoadedModules())
+    {
+        return JNI_TRUE;
+    }
+
+    //    if (checkPtrace()) {
+    //        return JNI_TRUE;
+    //    }
+
+    return JNI_FALSE;
+}