From 4b7beb60b9d10357154da316f6293804df4a1486 Mon Sep 17 00:00:00 2001 From: ZnDong <81907400+ZnDong@users.noreply.github.com> Date: Thu, 19 Feb 2026 12:54:49 +0800 Subject: [PATCH] fix(ui): correct inverted boolean logic in setLayerResult calls Fix detection layer display showing inverted results across multiple detectors. The boolean parameter in setLayerResult(layer, detected) should be true when a risk is detected, and false when safe. - ReadlinkDetector: invert all setLayerResult boolean values - ZygoteDetector: invert all setLayerResult boolean values - SideChannelDetector: fix SYSCALL layer from !isHooked to isHooked in timing-based detection methods - DebugDetector: fix detectPtrace (TracerPid==0 was true, now TracerPid!=0 is true) and detectPtraceSelfProtection (safe condition was true, now risk condition is true) --- .../xff/launch/detector/DebugDetector.java | 16 ++-- .../xff/launch/detector/ReadlinkDetector.java | 60 ++++++------- .../launch/detector/SideChannelDetector.java | 6 +- .../xff/launch/detector/ZygoteDetector.java | 90 +++++++++---------- 4 files changed, 86 insertions(+), 86 deletions(-) diff --git a/app/src/main/java/com/xff/launch/detector/DebugDetector.java b/app/src/main/java/com/xff/launch/detector/DebugDetector.java index 0d11dd8..5314783 100644 --- a/app/src/main/java/com/xff/launch/detector/DebugDetector.java +++ b/app/src/main/java/com/xff/launch/detector/DebugDetector.java 
@@ -131,10 +131,10 @@ public DetectionItem detectPtrace() { // Native layer - read TracerPid via native int nativeTracerPid = nativeDetector.getTracerPid(); - // Set layer results (INVERTED: true = safe, false = detected) - item.setLayerResult(DetectionLayer.JAVA, javaTracerPid == 0); - item.setLayerResult(DetectionLayer.NATIVE, nativeTracerPid == 0); - item.setLayerResult(DetectionLayer.SYSCALL, syscallTracerPid == 0); + // Set layer results: true = detected (TracerPid > 0), false = safe + item.setLayerResult(DetectionLayer.JAVA, javaTracerPid != 0); + item.setLayerResult(DetectionLayer.NATIVE, nativeTracerPid != 0); + item.setLayerResult(DetectionLayer.SYSCALL, syscallTracerPid != 0); // Check all threads String allThreadsStatus = checkAllThreadsTracerPid(); @@ -232,10 +232,10 @@ public DetectionItem detectPtraceSelfProtection() { detail = "TracerPid:0 (正常 - 无反调试保护)"; } - // Set layer results (true = safe/normal, false = risk) - item.setLayerResult(DetectionLayer.JAVA, tracerPid == 0 || isProtected); - item.setLayerResult(DetectionLayer.NATIVE, tracerPid == 0 || isProtected); - item.setLayerResult(DetectionLayer.SYSCALL, tracerPid == 0 || isProtected); + // Set layer results: true = detected risk (external debugger), false = safe/normal + item.setLayerResult(DetectionLayer.JAVA, tracerPid != 0 && !isProtected); + item.setLayerResult(DetectionLayer.NATIVE, tracerPid != 0 && !isProtected); + item.setLayerResult(DetectionLayer.SYSCALL, tracerPid != 0 && !isProtected); item.setStatus(status); item.setDetail(detail); diff --git a/app/src/main/java/com/xff/launch/detector/ReadlinkDetector.java b/app/src/main/java/com/xff/launch/detector/ReadlinkDetector.java index 256b064..5cc2752 100644 --- a/app/src/main/java/com/xff/launch/detector/ReadlinkDetector.java +++ b/app/src/main/java/com/xff/launch/detector/ReadlinkDetector.java 
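Review bot: The comment added in detectPtrace says `true = detected (TracerPid > 0)`, but the three calls test `!= 0`, so comment and code disagree for negative values. If the Java, native or syscall readers return a negative sentinel when /proc/self/status cannot be read (their return convention is not visible in this hunk), a failed read will be displayed as an attached tracer. Either write `javaTracerPid > 0` (and likewise for the other two) to match the comment, or keep `!= 0` and reword the comment to `// true = detected; a failed read (non-zero sentinel) is deliberately reported as detected`. The same `tracerPid != 0` test appears in the detectPtraceSelfProtection hunk; both method bodies continue outside the hunks.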
@@ -133,9 +133,9 @@ private DetectionItem checkProcSelfExe() { // Check consistency between layers boolean consistent = nativeExePath.equals(syscallExePath); - item.setLayerResult(DetectionLayer.JAVA, !javaRisk && javaOk); - item.setLayerResult(DetectionLayer.NATIVE, !nativeRisk && nativeOk); - item.setLayerResult(DetectionLayer.SYSCALL, !syscallRisk && syscallOk); + item.setLayerResult(DetectionLayer.JAVA, javaRisk || !javaOk); + item.setLayerResult(DetectionLayer.NATIVE, nativeRisk || !nativeOk); + item.setLayerResult(DetectionLayer.SYSCALL, syscallRisk || !syscallOk); if (javaRisk || nativeRisk || syscallRisk) { item.setStatus(DetectionStatus.RISK); @@ -174,9 +174,9 @@ private DetectionItem checkProcSelfMaps() { // Check for hidden mappings (indication of hook framework) boolean hasHiddenMaps = nativeDetector.checkHiddenMapsSyscall(); - item.setLayerResult(DetectionLayer.JAVA, hasContent); - item.setLayerResult(DetectionLayer.NATIVE, !hasSuspicious); - item.setLayerResult(DetectionLayer.SYSCALL, !hasHiddenMaps); + item.setLayerResult(DetectionLayer.JAVA, !hasContent); + item.setLayerResult(DetectionLayer.NATIVE, hasSuspicious); + item.setLayerResult(DetectionLayer.SYSCALL, hasHiddenMaps); if (hasHiddenMaps) { item.setStatus(DetectionStatus.RISK); @@ -216,9 +216,9 @@ private DetectionItem checkProcSelfMounts() { boolean hasBindMount = mountContent.contains("magisk") || mountContent.contains("ksu") || mountContent.contains("apatch"); - item.setLayerResult(DetectionLayer.JAVA, true); - item.setLayerResult(DetectionLayer.NATIVE, !hasOverlay); - item.setLayerResult(DetectionLayer.SYSCALL, !hasBindMount); + item.setLayerResult(DetectionLayer.JAVA, false); + item.setLayerResult(DetectionLayer.NATIVE, hasOverlay); + item.setLayerResult(DetectionLayer.SYSCALL, hasBindMount); if (hasBindMount) { item.setStatus(DetectionStatus.RISK); 
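Review bot: In checkProcSelfExe the layer flags are now `javaRisk || !javaOk` (and the native/syscall equivalents), while the status test visible directly below is only `javaRisk || nativeRisk || syscallRisk`. A layer can therefore be shown as detected while the item is not marked RISK, unless a later branch outside the hunk handles `!javaOk`. The same gap is visible in checkProcSelfMaps (`!hasContent` and `hasSuspicious` against `if (hasHiddenMaps)`), in checkZygiskSUDaemon (`nativeDetected` against `if (detected)`) and in the ZygoteDetector hunk at line 540 (`!nativeOk` against `if (!syscallOk || hasAnomaly)`). I would compute one boolean per layer first, for example `boolean javaDetected = javaRisk || !javaOk;`, and use those same variables for both setLayerResult and the status decision so the two cannot drift apart.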
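Review bot: `item.setLayerResult(DetectionLayer.JAVA, false)` in checkProcSelfMounts now reads as "Java layer checked, nothing found", although no Java-side result is used anywhere in the visible lines. SideChannelDetector already marks this case with `// Java layer N/A`; the same comment should be added here so a hard-coded `false` is not mistaken for a clean result, for example `item.setLayerResult(DetectionLayer.JAVA, false); // Java layer N/A - no Java-side check for this item`. The constant also appears in checkProcSelfRoot, checkProcSelfCwd, checkProcSelfFd, checkSuSymlinks, checkSystemBinaries, checkMountNamespace, checkMemoryIntegrity and checkLibraryHooks. If DetectionItem can represent "not checked" (not visible in this patch), that would be more accurate than `false`.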
@@ -253,9 +253,9 @@ private DetectionItem checkProcSelfRoot() { boolean syscallOk = "/".equals(syscallRoot); boolean consistent = nativeRoot.equals(syscallRoot); - item.setLayerResult(DetectionLayer.JAVA, true); - item.setLayerResult(DetectionLayer.NATIVE, nativeOk); - item.setLayerResult(DetectionLayer.SYSCALL, syscallOk); + item.setLayerResult(DetectionLayer.JAVA, false); + item.setLayerResult(DetectionLayer.NATIVE, !nativeOk); + item.setLayerResult(DetectionLayer.SYSCALL, !syscallOk); if (!syscallOk) { item.setStatus(DetectionStatus.RISK); @@ -289,9 +289,9 @@ private DetectionItem checkProcSelfCwd() { boolean hasSuspicious = containsSuspicious(syscallCwd); boolean consistent = nativeCwd.equals(syscallCwd); - item.setLayerResult(DetectionLayer.JAVA, true); - item.setLayerResult(DetectionLayer.NATIVE, !containsSuspicious(nativeCwd)); - item.setLayerResult(DetectionLayer.SYSCALL, !hasSuspicious); + item.setLayerResult(DetectionLayer.JAVA, false); + item.setLayerResult(DetectionLayer.NATIVE, containsSuspicious(nativeCwd)); + item.setLayerResult(DetectionLayer.SYSCALL, hasSuspicious); if (hasSuspicious) { item.setStatus(DetectionStatus.RISK); @@ -325,9 +325,9 @@ private DetectionItem checkProcSelfFd() { // Also check via native int nativeFdCount = nativeDetector.checkSuspiciousFdsNative(); - item.setLayerResult(DetectionLayer.JAVA, true); - item.setLayerResult(DetectionLayer.NATIVE, nativeFdCount == 0); - item.setLayerResult(DetectionLayer.SYSCALL, suspiciousFdCount == 0); + item.setLayerResult(DetectionLayer.JAVA, false); + item.setLayerResult(DetectionLayer.NATIVE, nativeFdCount != 0); + item.setLayerResult(DetectionLayer.SYSCALL, suspiciousFdCount != 0); if (suspiciousFdCount > 0) { item.setStatus(DetectionStatus.RISK); 
@@ -381,9 +381,9 @@ private DetectionItem checkSuSymlinks() { } } - item.setLayerResult(DetectionLayer.JAVA, true); - item.setLayerResult(DetectionLayer.NATIVE, nativeFound == 0); - item.setLayerResult(DetectionLayer.SYSCALL, syscallFound == 0); + item.setLayerResult(DetectionLayer.JAVA, false); + item.setLayerResult(DetectionLayer.NATIVE, nativeFound > 0); + item.setLayerResult(DetectionLayer.SYSCALL, syscallFound > 0); if (syscallFound > 0) { item.setStatus(DetectionStatus.RISK); @@ -453,9 +453,9 @@ private DetectionItem checkSystemBinaries() { } } - item.setLayerResult(DetectionLayer.JAVA, true); - item.setLayerResult(DetectionLayer.NATIVE, nativeSuspicious == 0); - item.setLayerResult(DetectionLayer.SYSCALL, syscallSuspicious == 0); + item.setLayerResult(DetectionLayer.JAVA, false); + item.setLayerResult(DetectionLayer.NATIVE, nativeSuspicious > 0); + item.setLayerResult(DetectionLayer.SYSCALL, syscallSuspicious > 0); if (syscallSuspicious > 0) { item.setStatus(DetectionStatus.RISK); @@ -524,9 +524,9 @@ private DetectionItem checkAppPath() { boolean consistent = nativeReal.equals(syscallReal); boolean hasSuspicious = containsSuspicious(nativeReal) || containsSuspicious(syscallReal); - item.setLayerResult(DetectionLayer.JAVA, !hasSuspicious); - item.setLayerResult(DetectionLayer.NATIVE, !nativeIsLink || !hasSuspicious); - item.setLayerResult(DetectionLayer.SYSCALL, !syscallIsLink || !hasSuspicious); + item.setLayerResult(DetectionLayer.JAVA, hasSuspicious); + item.setLayerResult(DetectionLayer.NATIVE, nativeIsLink && hasSuspicious); + item.setLayerResult(DetectionLayer.SYSCALL, syscallIsLink && hasSuspicious); if (hasSuspicious) { item.setStatus(DetectionStatus.RISK); 
@@ -565,9 +565,9 @@ private DetectionItem checkMountNamespace() { boolean nativeCheck = nativeDetector.checkMountNamespaceNative(); boolean syscallCheck = nativeDetector.checkMountNamespaceSyscall(); - item.setLayerResult(DetectionLayer.JAVA, true); - item.setLayerResult(DetectionLayer.NATIVE, nativeCheck); - item.setLayerResult(DetectionLayer.SYSCALL, syscallCheck); + item.setLayerResult(DetectionLayer.JAVA, false); + item.setLayerResult(DetectionLayer.NATIVE, !nativeCheck); + item.setLayerResult(DetectionLayer.SYSCALL, !syscallCheck); if (!syscallCheck) { item.setStatus(DetectionStatus.RISK); diff --git a/app/src/main/java/com/xff/launch/detector/SideChannelDetector.java b/app/src/main/java/com/xff/launch/detector/SideChannelDetector.java index 03d091a..f6d73e8 100644 --- a/app/src/main/java/com/xff/launch/detector/SideChannelDetector.java +++ b/app/src/main/java/com/xff/launch/detector/SideChannelDetector.java @@ -121,7 +121,7 @@ private DetectionItem checkSyscallTimingOpenat() { // Set layer results item.setLayerResult(DetectionLayer.JAVA, false); // Java layer N/A item.setLayerResult(DetectionLayer.NATIVE, isHooked); - item.setLayerResult(DetectionLayer.SYSCALL, !isHooked); + item.setLayerResult(DetectionLayer.SYSCALL, isHooked); if (isHooked) { item.setStatus(DetectionStatus.RISK); @@ -157,7 +157,7 @@ private DetectionItem checkSyscallTimingAccess() { item.setLayerResult(DetectionLayer.JAVA, false); item.setLayerResult(DetectionLayer.NATIVE, isHooked); - item.setLayerResult(DetectionLayer.SYSCALL, !isHooked); + item.setLayerResult(DetectionLayer.SYSCALL, isHooked); if (isHooked) { item.setStatus(DetectionStatus.RISK); @@ -193,7 +193,7 @@ private DetectionItem checkSyscallTimingStat() { item.setLayerResult(DetectionLayer.JAVA, false); item.setLayerResult(DetectionLayer.NATIVE, isHooked); - item.setLayerResult(DetectionLayer.SYSCALL, !isHooked); + item.setLayerResult(DetectionLayer.SYSCALL, isHooked); if (isHooked) { item.setStatus(DetectionStatus.RISK); 
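Review bot: After this change checkSyscallTimingOpenat passes the same `isHooked` value to both the NATIVE and the SYSCALL layer, so the two columns can never differ for this item and the display no longer says which path the timing comparison found anomalous. If `isHooked` is a single verdict from comparing the two paths (the measurement is outside the hunk), say so next to the calls: `// single timing verdict, reported on both NATIVE and SYSCALL`. If the measurement can attribute the delay to one path, passing that per-layer result would keep the cross-layer comparison meaningful. The same applies to checkSyscallTimingAccess and checkSyscallTimingStat.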
diff --git a/app/src/main/java/com/xff/launch/detector/ZygoteDetector.java b/app/src/main/java/com/xff/launch/detector/ZygoteDetector.java index 282b0ba..ab88d8e 100644 --- a/app/src/main/java/com/xff/launch/detector/ZygoteDetector.java +++ b/app/src/main/java/com/xff/launch/detector/ZygoteDetector.java @@ -156,9 +156,9 @@ private DetectionItem checkZygiskInjection() { boolean javaDetected = mapsDetected || propDetected; - item.setLayerResult(DetectionLayer.JAVA, !javaDetected); - item.setLayerResult(DetectionLayer.NATIVE, !nativeDetected); - item.setLayerResult(DetectionLayer.SYSCALL, !syscallDetected); + item.setLayerResult(DetectionLayer.JAVA, javaDetected); + item.setLayerResult(DetectionLayer.NATIVE, nativeDetected); + item.setLayerResult(DetectionLayer.SYSCALL, syscallDetected); if (syscallDetected || nativeDetected) { item.setStatus(DetectionStatus.RISK); @@ -237,9 +237,9 @@ private DetectionItem checkZygiskSUDaemon() { // Also check via native detector boolean nativeDetected = nativeDetector.checkZygiskSyscall(); - item.setLayerResult(DetectionLayer.JAVA, !detected); - item.setLayerResult(DetectionLayer.NATIVE, !nativeDetected); - item.setLayerResult(DetectionLayer.SYSCALL, !nativeDetected); + item.setLayerResult(DetectionLayer.JAVA, detected); + item.setLayerResult(DetectionLayer.NATIVE, nativeDetected); + item.setLayerResult(DetectionLayer.SYSCALL, nativeDetected); if (detected) { item.setStatus(DetectionStatus.RISK); @@ -282,9 +282,9 @@ private DetectionItem checkRiruInjection() { } } - item.setLayerResult(DetectionLayer.JAVA, !pathExists); - item.setLayerResult(DetectionLayer.NATIVE, !nativeDetected); - item.setLayerResult(DetectionLayer.SYSCALL, !syscallDetected); + item.setLayerResult(DetectionLayer.JAVA, pathExists); + item.setLayerResult(DetectionLayer.NATIVE, nativeDetected); + item.setLayerResult(DetectionLayer.SYSCALL, syscallDetected); if (syscallDetected || nativeDetected) { item.setStatus(DetectionStatus.RISK); 
@@ -341,9 +341,9 @@ private DetectionItem checkNativeBridge() { boolean nativeOk = nativeValue.isEmpty() || nativeValue.equals("0"); boolean syscallOk = syscallValue.isEmpty() || syscallValue.equals("0"); - item.setLayerResult(DetectionLayer.JAVA, javaOk && !isSuspicious); - item.setLayerResult(DetectionLayer.NATIVE, nativeOk && !isSuspicious); - item.setLayerResult(DetectionLayer.SYSCALL, syscallOk && !isSuspicious); + item.setLayerResult(DetectionLayer.JAVA, !javaOk || isSuspicious); + item.setLayerResult(DetectionLayer.NATIVE, !nativeOk || isSuspicious); + item.setLayerResult(DetectionLayer.SYSCALL, !syscallOk || isSuspicious); if (isSuspicious) { item.setStatus(DetectionStatus.RISK); @@ -391,9 +391,9 @@ private DetectionItem checkSELinuxContext() { boolean hasMagiskContext = currentContext.contains("magisk") || prevContext.contains("magisk"); - item.setLayerResult(DetectionLayer.JAVA, !hasMagiskContext); - item.setLayerResult(DetectionLayer.NATIVE, !hasZygoteAnomaly); - item.setLayerResult(DetectionLayer.SYSCALL, !hasMagiskContext && !hasZygoteAnomaly); + item.setLayerResult(DetectionLayer.JAVA, hasMagiskContext); + item.setLayerResult(DetectionLayer.NATIVE, hasZygoteAnomaly); + item.setLayerResult(DetectionLayer.SYSCALL, hasMagiskContext || hasZygoteAnomaly); if (hasMagiskContext) { item.setStatus(DetectionStatus.RISK); @@ -443,9 +443,9 @@ private DetectionItem checkMemoryMaps() { // Syscall check int syscallCount = nativeDetector.checkSuspiciousMapsSyscall(); - item.setLayerResult(DetectionLayer.JAVA, suspiciousCount == 0); - item.setLayerResult(DetectionLayer.NATIVE, nativeCount == 0); - item.setLayerResult(DetectionLayer.SYSCALL, syscallCount == 0); + item.setLayerResult(DetectionLayer.JAVA, suspiciousCount > 0); + item.setLayerResult(DetectionLayer.NATIVE, nativeCount > 0); + item.setLayerResult(DetectionLayer.SYSCALL, syscallCount > 0); if (syscallCount > 0 || suspiciousCount > 0) { item.setStatus(DetectionStatus.RISK); 
@@ -540,9 +540,9 @@ else if (!nativeDetector.checkFileIntegritySyscall(path)) { // Syscall check boolean syscallOk = nativeDetector.checkAppProcessSyscall(); - item.setLayerResult(DetectionLayer.JAVA, !hasAnomaly); - item.setLayerResult(DetectionLayer.NATIVE, nativeOk); - item.setLayerResult(DetectionLayer.SYSCALL, syscallOk); + item.setLayerResult(DetectionLayer.JAVA, hasAnomaly); + item.setLayerResult(DetectionLayer.NATIVE, !nativeOk); + item.setLayerResult(DetectionLayer.SYSCALL, !syscallOk); if (!syscallOk || hasAnomaly) { item.setStatus(DetectionStatus.RISK); @@ -606,9 +606,9 @@ private DetectionItem checkZygoteModules() { } } - item.setLayerResult(DetectionLayer.JAVA, foundCount == 0); - item.setLayerResult(DetectionLayer.NATIVE, foundCount == 0); - item.setLayerResult(DetectionLayer.SYSCALL, foundCount == 0); + item.setLayerResult(DetectionLayer.JAVA, foundCount > 0); + item.setLayerResult(DetectionLayer.NATIVE, foundCount > 0); + item.setLayerResult(DetectionLayer.SYSCALL, foundCount > 0); if (foundCount > 0) { item.setStatus(DetectionStatus.RISK); @@ -661,9 +661,9 @@ private DetectionItem checkMemoryIntegrity() { // Check for inline hooks boolean hasInlineHooks = nativeDetector.checkInlineHooksSyscall(); - item.setLayerResult(DetectionLayer.JAVA, true); - item.setLayerResult(DetectionLayer.NATIVE, nativeIntact); - item.setLayerResult(DetectionLayer.SYSCALL, syscallIntact && !hasInlineHooks); + item.setLayerResult(DetectionLayer.JAVA, false); + item.setLayerResult(DetectionLayer.NATIVE, !nativeIntact); + item.setLayerResult(DetectionLayer.SYSCALL, !syscallIntact || hasInlineHooks); if (hasInlineHooks) { item.setStatus(DetectionStatus.RISK); 
@@ -700,9 +700,9 @@ private DetectionItem checkAnonymousMemory() { String smaps = nativeDetector.readFileSyscall("/proc/self/smaps"); boolean hasPrivateDirty = checkPrivateDirtyPages(smaps); - item.setLayerResult(DetectionLayer.JAVA, !hasPrivateDirty); - item.setLayerResult(DetectionLayer.NATIVE, !hasSuspiciousAnon); - item.setLayerResult(DetectionLayer.SYSCALL, !hasSuspiciousAnon); + item.setLayerResult(DetectionLayer.JAVA, hasPrivateDirty); + item.setLayerResult(DetectionLayer.NATIVE, hasSuspiciousAnon); + item.setLayerResult(DetectionLayer.SYSCALL, hasSuspiciousAnon); if (hasSuspiciousAnon) { item.setStatus(DetectionStatus.RISK); @@ -737,9 +737,9 @@ private DetectionItem checkLibraryHooks() { // Native layer check boolean nativeOk = nativeDetector.checkLibraryHooksNative(); - item.setLayerResult(DetectionLayer.JAVA, true); - item.setLayerResult(DetectionLayer.NATIVE, nativeOk); - item.setLayerResult(DetectionLayer.SYSCALL, !libcHooked && !artHooked); + item.setLayerResult(DetectionLayer.JAVA, false); + item.setLayerResult(DetectionLayer.NATIVE, !nativeOk); + item.setLayerResult(DetectionLayer.SYSCALL, libcHooked || artHooked); if (libcHooked || artHooked) { item.setStatus(DetectionStatus.RISK); @@ -831,9 +831,9 @@ private DetectionItem checkZygoteParentProcess() { if (zygoteInfo.equals("not_found")) { item.setStatus(DetectionStatus.UNKNOWN); item.setDetail("未找到Zygote进程"); - item.setLayerResult(DetectionLayer.JAVA, true); - item.setLayerResult(DetectionLayer.NATIVE, true); - item.setLayerResult(DetectionLayer.SYSCALL, true); + item.setLayerResult(DetectionLayer.JAVA, false); + item.setLayerResult(DetectionLayer.NATIVE, false); + item.setLayerResult(DetectionLayer.SYSCALL, false); return item; } 
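Review bot: In the `not_found` branch of checkZygoteParentProcess the status is UNKNOWN but all three layers are set to `false`, which under the corrected meaning is displayed as "not detected". The check did not actually run in this branch, so the per-layer display gives a cleaner answer than the status does, and anything that reads only the layer flags treats the item as passed. At minimum add `// check could not run: status carries UNKNOWN, layer flags are not a clean result`. If DetectionItem allows leaving a layer unset (not visible here), skipping the three calls would be more accurate.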
@@ -851,9 +851,9 @@ private DetectionItem checkZygoteParentProcess() { // Check via native boolean hasAbnormalParent = nativeDetector.checkZygoteParentNative(); - item.setLayerResult(DetectionLayer.JAVA, parentPid == 1); - item.setLayerResult(DetectionLayer.NATIVE, !hasAbnormalParent); - item.setLayerResult(DetectionLayer.SYSCALL, parentPid == 1); + item.setLayerResult(DetectionLayer.JAVA, parentPid != 1); + item.setLayerResult(DetectionLayer.NATIVE, hasAbnormalParent); + item.setLayerResult(DetectionLayer.SYSCALL, parentPid != 1); // Normal: parent should be init (PID 1) if (parentPid != 1 || hasAbnormalParent) { @@ -892,9 +892,9 @@ private DetectionItem checkAnonymousRwxMemory() { // Get details String details = nativeDetector.getAnonymousRwxDetails(); - item.setLayerResult(DetectionLayer.JAVA, count == 0); - item.setLayerResult(DetectionLayer.NATIVE, count < 5); // Some JIT is normal - item.setLayerResult(DetectionLayer.SYSCALL, count < 10); + item.setLayerResult(DetectionLayer.JAVA, count > 0); + item.setLayerResult(DetectionLayer.NATIVE, count >= 5); // Some JIT is normal + item.setLayerResult(DetectionLayer.SYSCALL, count >= 10); if (count > 100) { // Very high count -> likely hook/injection @@ -956,9 +956,9 @@ private DetectionItem checkInMemoryDexLoader() { depth++; } - item.setLayerResult(DetectionLayer.JAVA, inMemoryDexCount == 0); - item.setLayerResult(DetectionLayer.NATIVE, inMemoryDexCount == 0); - item.setLayerResult(DetectionLayer.SYSCALL, inMemoryDexCount == 0); + item.setLayerResult(DetectionLayer.JAVA, inMemoryDexCount > 0); + item.setLayerResult(DetectionLayer.NATIVE, inMemoryDexCount > 0); + item.setLayerResult(DetectionLayer.SYSCALL, inMemoryDexCount > 0); if (inMemoryDexCount > 0) { item.setStatus(DetectionStatus.RISK);
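Review bot: The three layer tests in checkAnonymousRwxMemory were negated mechanically and now act as detection thresholds that do not fit the rest of the method. JAVA flags on `count > 0`, NATIVE on `count >= 5` and SYSCALL on `count >= 10`, all from the same `count`, while the first status branch only fires at `count > 100` and the kept comment says `Some JIT is normal`. A process with a handful of ordinary JIT regions will therefore show all three layers as detected while the status, judging by the visible branch, is not RISK. I would name the thresholds once and use them for both layer flags and status, or set every layer from the same condition as the status and document it, e.g. `// layers mirror the status threshold; small counts are normal JIT`. The remaining status branches are outside the hunk.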