
Analysis of Douyin's injection-framework detection

Decompiling Douyin shows that its injection-framework detection does two things: 1. it enumerates the libraries mapped into its own process; 2. it checks whether the current call stack contains a class belonging to the injection framework.

Douyin version analysed: 1.85

Decompiling and locating the detection class

Searching for the keyword "xposed" leads to the class com.ss.sys.ces.b.a.
It contains four string constants:

  private static String b = "XposedBridge.jar";
  private static String c = "de.robv.android.xposed.XposedBridge";
  private static String d = "com.saurik.substrate";
  private static String e = "com.saurik.substrate.MS$2";

How the result is passed on

The caller assembles a JSONObject of flags ("xposed", "cydia", "frida", "vapp", "api") from the individual checks. The fragment below is the decompiler's output for that method, with its jump labels left as emitted.

  // Decompiler output of the method that builds the report object; the jump labels
  // (label174, label185, label624) and the dead code after "return" are left as emitted.
  if (a())
  {
    ((JSONObject)localObject).put("xposed", 1);
    if (b())
    {
      ((JSONObject)localObject).put("cydia", 1);
      if (!com.ss.sys.ces.a.f()) {
        break label174;
      }
      ((JSONObject)localObject).put("frida", 1);
      ((JSONObject)localObject).put("vapp", com.ss.sys.ces.a.v(paramContext.getFilesDir().getAbsolutePath(), paramContext.getPackageName()));
      paramContext = System.getProperty("java.vm.version");
      if ((paramContext == null) || (!paramContext.startsWith("2"))) {
        break label624;
      }
      i = 1;
      if (i == 0) {
        break label185;
      }
      ((JSONObject)localObject).put("api", new JSONArray(b.a().b()));
      return (JSONObject)localObject;
      localThrowable = localThrowable;
      localThrowable.printStackTrace();
      localJSONObject1 = null;
    }
  }
  else
  {
    localJSONObject1.put("xposed", 0);
    continue;
  }
  localJSONObject1.put("cydia", 0);
}

The "xposed" flag comes from the function a(), which decides whether an injection framework is present.

// From the body of a(): both a(String param) and d() must return true for the framework to be reported.
  public static boolean a()
  {
    return (a(b)) && (d());
  }

Function a(String param)
It reads /proc/<pid>/maps of its own process through FileReader("/proc/" + Process.myPid() + "/maps") and collects the paths of every mapped .so and .jar file.
It then loops over the collected paths and checks whether any of them contains "XposedBridge.jar"; if one does, the injection framework is loaded into the process.

  private static boolean a(String paramString)
  {
    try
    {
      Object localObject = new HashSet();
      // one line per memory region of the current process
      BufferedReader localBufferedReader = new BufferedReader(new FileReader("/proc/" + Process.myPid() + "/maps"));
      for (;;)
      {
        String str = localBufferedReader.readLine();
        if (str == null) {
          break;
        }
        // keep only file-backed .so/.jar mappings; the path is the last field of the line
        if ((str.endsWith(".so")) || (str.endsWith(".jar"))) {
          ((Set)localObject).add(str.substring(str.lastIndexOf(" ") + 1));
        }
      }
      localBufferedReader.close();
      localObject = ((Set)localObject).iterator();
      // paramString is b, i.e. "XposedBridge.jar"
      while (((Iterator)localObject).hasNext())
      {
        boolean bool = ((String)((Iterator)localObject).next()).contains(paramString);
        if (bool) {
          return true;
        }
      }
    }
    catch (Throwable paramString) {} // any failure (e.g. unreadable maps) counts as "not found"
    return false;
  }

d() throws an exception purely to obtain a stack trace and then walks its frames. If a frame's class name equals "de.robv.android.xposed.XposedBridge", the hooking framework's code is on the current call chain, i.e. this code was reached through an Xposed hook (on classic Xposed installations XposedBridge.main also sits at the bottom of the main thread's stack, since it is what calls into the app's Java entry point).

  // Reconstructed from the decompiler output: the decompiled loop reset its result flag on
  // every iteration (so as printed it could never return true); the intended logic is shown here.
  private static boolean d()
  {
    StackTraceElement[] arrayOfStackTraceElement;
    try
    {
      // thrown only to capture the current call stack
      throw new Exception("");
    }
    catch (Exception localException)
    {
      arrayOfStackTraceElement = localException.getStackTrace();
    }
    for (StackTraceElement frame : arrayOfStackTraceElement)
    {
      // c is "de.robv.android.xposed.XposedBridge"; the comparison is an exact class-name match
      if (frame.getClassName().equals(c)) {
        return true;
      }
    }
    return false;
  }
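The two checks above, a(String) over /proc/<pid>/maps and d() over the stack frames, re-implemented in Python as an added example (this is not Douyin's code). The maps excerpt and the stack-frame lists are constructed for the demonstration; only the two marker strings come from the decompiled class. A second collector, mapped_files_strict, parses the maps line by field to show what the original endsWith()/lastIndexOf(" ") heuristic misses, for instance a mapping whose backing file was unlinked and therefore carries a trailing "(deleted)".

```python
"""Added example: Python re-implementation of the Xposed checks in
com.ss.sys.ces.b.a, run over constructed input so it executes offline."""

XPOSED_JAR = "XposedBridge.jar"                               # constant b
XPOSED_BRIDGE_CLASS = "de.robv.android.xposed.XposedBridge"   # constant c

# Constructed /proc/<pid>/maps excerpt (not captured from a device).  Each line is
# "start-end perms offset dev inode   pathname"; the pathname carries a trailing
# " (deleted)" when the file was unlinked after being mapped.
SAMPLE_MAPS = """\
12c00000-52c00000 rw-p 00000000 00:00 0                          [anon:dalvik-main space]
7a1b200000-7a1b20a000 r--p 00000000 fd:00 1234                   /system/lib64/libc.so
7a1b300000-7a1b3e4000 r-xp 00000000 fd:00 5678                   /system/framework/XposedBridge.jar
7a1b400000-7a1b402000 r--p 00000000 fd:00 9999                   /data/app/com.example/base.apk
7a1b500000-7a1b504000 r-xp 00000000 fd:00 4242                   /data/local/tmp/frida-agent-64.so (deleted)
"""


def mapped_files_douyin(maps_text):
    """Mirror a(String): keep lines that end in .so/.jar and take the text after
    the last space as the path."""
    found = set()
    for line in maps_text.splitlines():
        if line.endswith(".so") or line.endswith(".jar"):
            found.add(line[line.rfind(" ") + 1:])
    return found


def mapped_files_strict(maps_text):
    """Parse by field: split off the five fixed columns and keep the remainder,
    so a ' (deleted)' suffix does not hide a library the endsWith() filter skips."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue                          # anonymous mapping, no pathname
        path = parts[5]
        if path.endswith(" (deleted)"):
            path = path[: -len(" (deleted)")]
        if path.endswith(".so") or path.endswith(".jar"):
            found.add(path)
    return found


def xposed_in_maps(maps_text, collector=mapped_files_douyin):
    """a(b): true if any collected path contains 'XposedBridge.jar'."""
    return any(XPOSED_JAR in path for path in collector(maps_text))


def xposed_on_stack(frame_class_names):
    """d(): true if any frame's class name equals XposedBridge exactly."""
    return any(name == XPOSED_BRIDGE_CLASS for name in frame_class_names)


def detect_xposed(maps_text, frame_class_names):
    """a(): both conditions must hold, as in the decompiled class."""
    return xposed_in_maps(maps_text) and xposed_on_stack(frame_class_names)


# Constructed stack (top frame first, as getStackTrace() orders it) of a method
# reached through an Xposed hook: the hook dispatcher sits between caller and callee.
HOOKED_STACK = [
    "com.ss.sys.ces.b.a",
    "de.robv.android.xposed.XposedBridge",   # handleHookedMethod
    "com.example.SomeActivity",
    "android.app.ActivityThread",
    "de.robv.android.xposed.XposedBridge",   # main, bottom of the main thread
]
# Constructed stack of the same call with no hook in the chain.
CLEAN_STACK = ["com.ss.sys.ces.b.a", "com.example.SomeActivity", "android.app.ActivityThread"]

if __name__ == "__main__":
    print("douyin collector:", sorted(mapped_files_douyin(SAMPLE_MAPS)))
    print("strict collector:", sorted(mapped_files_strict(SAMPLE_MAPS)))
    print("xposed detected :", detect_xposed(SAMPLE_MAPS, HOOKED_STACK))
```

Two things worth noting from running it: the original heuristic never sees the unlinked frida-agent mapping because the line ends in "(deleted)", and renaming XposedBridge.jar in the maps text alone is enough to turn a(b), and therefore a(), false regardless of what is on the stack.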

Summary

  public static boolean a()
  {
    return (a(b)) && (d());
  }

So a() first checks whether the Xposed framework is loaded into the process (XposedBridge.jar among the mapped files in /proc/<pid>/maps) and then whether the framework's code is on the current call stack. Both conditions are ANDed, so a framework that is installed but whose jar has been renamed, or that is loaded but not on this call chain, is not flagged by this check. The remaining constants d and e (com.saurik.substrate, com.saurik.substrate.MS$2) follow the same pattern for Cydia Substrate and presumably serve the b() check behind the "cydia" flag; its body is not shown here.