
feat: Bundle of the previous 9 improvements and fixes #10

Open
ZnDong wants to merge 9 commits into 1193776794:main from ZnDong:dev

Conversation

ZnDong commented Feb 19, 2026

  • feat(root): add KernelSU timing side-channel detection
  • feat(emulator): expand emulator detection file paths coverage
  • feat(native): add suspicious tool path detection
  • feat(hook): add missing anti-debug and anti-Frida detection methods
  • feat(native): add anti-timing attack and DumpArtMethod hook detection
  • feat(root): add same-UID process scanning detection
  • feat(root): add /proc/mounts Magisk signature and zygote context detection
  • fix(native): fix false positives in contains_suspicious due to short keyword substring matching
  • fix(ui): correct inverted boolean logic in setLayerResult calls

Fix detection layer display showing inverted results across multiple detectors. The boolean parameter in setLayerResult(layer, detected) should be true when a risk is detected, and false when safe.

- ReadlinkDetector: invert all setLayerResult boolean values

- ZygoteDetector: invert all setLayerResult boolean values

- SideChannelDetector: fix SYSCALL layer from !isHooked to isHooked in timing-based detection methods

- DebugDetector: fix detectPtrace (TracerPid==0 was true, now TracerPid!=0 is true) and detectPtraceSelfProtection (safe condition was true, now risk condition is true)

…keyword substring matching

Short keywords like "su", "hide", "ksu" in SUSPICIOUS_KEYWORDS caused false positives when matched as substrings of normal paths. For example, the BLAST architecture (introduced in Android 11) produces fd paths like "/dmabuf:VRI[MainActivity]1193776794#1(BLAST Consumer)" where "Consumer" contains "su", triggering a false detection. Similar false positives occur with /dev/ashmem, result, resume, override, etc.

Solution:

- Split keywords into two categories: long/unique keywords (simple substring match) and short/ambiguous keywords (word boundary match)

- Add find_with_boundary() that requires non-alphanumeric chars or string boundaries around the keyword

- Move "su", "hide", "ksu" to BOUNDARY_KEYWORDS with boundary-aware matching

- Apply the same fix to checkMountNamespaceNative/Syscall

…ction

- Add legacy Magisk paths (/sbin/.magisk/mirror, /sbin/.magisk/block, /sbin/.core/*) to getMagiskPaths()

- Add /sbin/.magisk/ and /sbin/.core/ to suspicious mount patterns

- Add checkMountsForMagisk{Native,Syscall} for /proc/self/mounts scanning

- Add checkZygoteContext{Native,Syscall} for /proc/self/attr/prev verification

- Register both new detection items in RootDetector.getAllDetections()

Implement process-level scanning for Same UID detection (Category 8):

- Add native libc and syscall-based /proc enumeration to find processes sharing the same UID

- Check /data/data/<process_name> directory existence for each same-UID process

- Add JSON-based detail reporting for detected same-UID processes

- Register new detection item in RootDetector.getAllDetections()

Files modified:

- native-lib.cpp: scan_same_uid_processes_impl(), get_same_uid_process_details(), JNI exports

- NativeDetector.java: scanSameUidProcessesNative/Syscall(), getSameUidProcessDetails()

- RootDetector.java: detectSameUidProcesses(), collectSameUidProcessDetails()

- Add DebugDetector::checkInitTimingAttack() to detect debugger breakpoints by measuring initialization elapsed time (>= 2s threshold)

- Add HookDetector::checkDumpArtMethodHookNative/Syscall() to scan /proc/self/maps for dumpArtMethod symbol and related ART dumping tools (FDex2, DexDump, DexHunter, etc.)

- Add JNI bindings: captureInitStartTime(), checkInitTimingAttack(), checkDumpArtMethodHookNative(), checkDumpArtMethodHookSyscall()

- Add Java native declarations in NativeDetector.java

- Sanitize all comments to remove reverse-engineering source references

- Add /proc/net/tcp hex port scanning for IDA (0x5D8A=23946) and Frida (0x69A2=27042)
- Add linjector thread name detection in checkFridaThreads() via both comm and syscall status
- Add frida-agent-32/frida-agent-64 signatures to memory maps scanning
- Add /proc/self/fd linjector pipe scanning via syscall(readlinkat)
- Add linjector to suspicious FD keywords in native-lib.cpp
- Integrate new detections into detectFrida() combined result and JNI layer
- Add checkIdaPortTcp/checkFridaPortTcp/checkFridaFdLinjector native methods
- Update Java-side collectFridaDetails() with TCP port and FD linjector details

Add multi-layer detection for 13 suspicious tool paths including IDA/GDB debuggers, Frida gadget, injection tools, and unpackers (FART/BlackDex/DEX Dump).

- Add checkSuspiciousToolPathsNative/Syscall in DebugDetector (C++)

- Add JNI bridge functions in native-lib.cpp

- Add native method declarations in NativeDetector.java

- Add detectSuspiciousToolPaths() with Java/Native/Syscall layers in DebugDetector.java

- Add detail collector with per-path breakdown and detection layer info

- Add string resource entry in strings.xml

Add 21 new emulator-specific file paths across both Native and Java layers:

- QEMU: /sys/devices/virtual/misc/qemu_pipe, /sys/class/misc/qemu_pipe, libc_malloc_debug_qemu.so-arm, libqemu_wl.txt, qemu_list.txt

- Android Emulator: libEGL_emulation.so

- VirtualBox: /sys/module/vboxsf, /ueventd.vbox86.rc

- Nox: nox-vbox-sf, libnox.so, libnb.so

- Droid4X: /system/droid4x, droid4x-vbox-sf

- TiantianVM: libEGL_tiantianVM.so, ttVM-vbox-sf

- BlueStacks: superuser.daemon, vboxsf.ko

- AndroVM: androVM-vbox-sf

- Yiwan: yiwan-prop, yiwan-sf

Implement kernel-level syscall hook detection for KernelSU by comparing
faccessat (hooked by KSU) vs fchownat (not hooked) execution timing.

Detection algorithm:
- Bind thread to big core for stable measurements
- Collect 10000 timing samples for both faccessat and fchownat
- Use hardware counter (CNTVCT_EL0) on ARM64 for nanosecond precision
- Sort both arrays to reduce noise and outliers
- Compare element-by-element: count cases where faccessat > fchownat + 1
- If anomaly rate exceeds 70% (7000/10000), KernelSU hook detected

Key design decisions:
- Both syscalls use dirfd=-1 (invalid fd) to ensure symmetric kernel
  failure paths; using AT_FDCWD would cause faccessat to enter deeper
  kernel code (path resolution + page fault) leading to false positives
- faccessat chosen because it is in KSU hook list, is simple, fast,
  and failure has no side effects

Files changed:
- syscall_wrapper.h: core detection functions (counter, CPU binding,
  sample collection, comparison, threshold check)
- native-lib.cpp: JNI bindings for ksuSideChannelCheck/Detected
- NativeDetector.java: native method declarations
- SideChannelDetector.java: Java detection item integration
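The false-positive fix for contains_suspicious described above (short keywords such as "su" matching inside "Consumer", "result" or "ashmem") comes down to one helper: a substring search that also demands a non-alphanumeric character or a string end on both sides of the match. The block below is an added example written for this page, not the project's native-lib.cpp; the two keyword lists are assumptions chosen to illustrate the split into plain-substring and boundary-matched sets, and the sample fd link targets are constructed input, with the BLAST path taken from the commit message.

```cpp
// Added example (not the project's code): boundary-aware suspicious-keyword
// matching for /proc/self/fd link targets and /proc/self/mounts lines.
// Both keyword lists below are assumptions for illustration; the PR's real
// SUSPICIOUS_KEYWORDS / BOUNDARY_KEYWORDS contents are not shown on the page.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Long, distinctive keywords: a plain substring match is safe.
static const std::vector<std::string> kSubstringKeywords = {
    "magisk", "frida", "xposed", "linjector", "kernelsu",
};

// Short or ambiguous keywords: require a word boundary on both sides,
// otherwise "Consumer" and "result" both match "su".
static const std::vector<std::string> kBoundaryKeywords = {
    "su", "hide", "ksu",
};

static bool is_word_char(unsigned char c) { return std::isalnum(c) != 0; }

// True if `needle` occurs in `hay` with no alphanumeric character directly
// before or after it; the start and end of the string count as boundaries.
bool find_with_boundary(const std::string& hay, const std::string& needle) {
    if (needle.empty() || needle.size() > hay.size()) return false;
    std::size_t pos = hay.find(needle);
    while (pos != std::string::npos) {
        std::size_t end = pos + needle.size();
        bool left_ok  = (pos == 0) || !is_word_char((unsigned char)hay[pos - 1]);
        bool right_ok = (end == hay.size()) || !is_word_char((unsigned char)hay[end]);
        if (left_ok && right_ok) return true;
        pos = hay.find(needle, pos + 1);
    }
    return false;
}

// Matching is case-sensitive on purpose: the paths of interest are lowercase,
// and lowercasing would only widen the false-positive surface.
bool contains_suspicious(const std::string& path) {
    for (const auto& kw : kSubstringKeywords)
        if (path.find(kw) != std::string::npos) return true;
    for (const auto& kw : kBoundaryKeywords)
        if (find_with_boundary(path, kw)) return true;
    return false;
}

// Constructed sample input: the first four lines are the benign cases that
// used to trip the old substring check, the last four are genuine hits.
const std::vector<std::string> kSampleLines = {
    "/dmabuf:VRI[MainActivity]1193776794#1(BLAST Consumer)",
    "/dev/ashmem",
    "/data/user/0/com.example.app/cache/result.tmp",
    "/system/lib64/libhidebar.so",
    "/sbin/su",
    "/data/adb/ksu/bin/ksud",
    "/debug_ramdisk/.magisk/mirror/system",
    "/data/local/tmp/frida-agent-64.so",
};

// Number of lines the matcher flags; 4 for kSampleLines.
int count_flagged(const std::vector<std::string>& lines) {
    int n = 0;
    for (const auto& l : lines) n += contains_suspicious(l) ? 1 : 0;
    return n;
}

int main() {
    for (const auto& l : kSampleLines)
        std::printf("%-8s %s\n", contains_suspicious(l) ? "FLAGGED" : "ok", l.c_str());
    std::printf("%d of %zu flagged\n", count_flagged(kSampleLines), kSampleLines.size());
    return 0;
}
```

The same helper drops in for checkMountNamespaceNative/Syscall, since a /proc/self/mounts line is just another string scanned for the same two keyword sets; the only thing that changes per call site is which list each keyword lives in.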
@secure-code-warrior-for-github

Micro-Learning Topic: Timing attack (Detected by phrase)

Matched on "timing attack"


This vulnerability manifests when the difference in response times from a given process can expose sensitive information or change the flow of a given process. For example, in a semi-controlled environment (where response times should be even under regular circumstances) this could be used to identify whether or not certain data is present in a given data storage.

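The bot's generic note on timing attacks is a fair description of what the KernelSU side-channel check in this PR does on purpose: it measures whether a syscall KernelSU hooks (faccessat) is consistently slower than a structurally similar one it does not (fchownat). The block below is an added example, not the project's syscall_wrapper.h, implementing the statistical procedure from the PR description: both syscalls called with dirfd=-1 and a relative path so each fails with EBADF before path resolution, N samples of each, both arrays sorted, rank-by-rank comparison with one tick of slack, and a 70% anomaly threshold. Assumptions labelled in the code: the big core is taken to be the highest-numbered online CPU (a big.LITTLE convention, not a guarantee), the +1 slack is in raw counter ticks, and on non-ARM64 hosts CLOCK_MONOTONIC stands in for CNTVCT_EL0.

```cpp
// Added example (not the project's syscall_wrapper.h): the KernelSU
// faccessat-vs-fchownat timing side channel as described in the PR.
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <ctime>
#include <fcntl.h>
#include <sched.h>
#include <unistd.h>
#include <vector>

// Cycle-ish timestamp: the EL0-readable virtual counter on ARM64, and a
// CLOCK_MONOTONIC nanosecond count elsewhere (assumption: good enough to
// demonstrate the procedure off-device).
static inline uint64_t read_counter() {
#if defined(__aarch64__)
    uint64_t v;
    asm volatile("mrs %0, cntvct_el0" : "=r"(v));
    return v;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

// Assumption: big cores carry the highest CPU numbers. Failure (EPERM in a
// sandbox, for instance) only adds noise, so the return value is ignored.
static void bind_to_big_core() {
    long n = sysconf(_SC_NPROCESSORS_ONLN);
    if (n <= 0) return;
    cpu_set_t set;
    CPU_ZERO(&set);
    CPU_SET((int)(n - 1), &set);
    sched_setaffinity(0, sizeof(set), &set);
}

// dirfd=-1 plus a relative path makes both syscalls fail with EBADF before
// any path walk, so the remaining timing asymmetry is a hook on faccessat.
// (AT_FDCWD would send faccessat into path resolution and skew the result.)
static uint64_t time_faccessat() {
    uint64_t t0 = read_counter();
    faccessat(-1, "x", F_OK, 0);
    return read_counter() - t0;
}
static uint64_t time_fchownat() {
    uint64_t t0 = read_counter();
    fchownat(-1, "x", 0, 0, 0);
    return read_counter() - t0;
}

// Sort both sample sets, then compare rank by rank: the fraction of positions
// where the candidate took more than reference + slack ticks. Sorting pairs
// each sample with its quantile peer, which suppresses scheduler outliers.
double anomaly_rate(std::vector<uint64_t> candidate,
                    std::vector<uint64_t> reference, uint64_t slack = 1) {
    if (candidate.empty() || candidate.size() != reference.size()) return 0.0;
    std::sort(candidate.begin(), candidate.end());
    std::sort(reference.begin(), reference.end());
    std::size_t anomalies = 0;
    for (std::size_t i = 0; i < reference.size(); ++i)
        if (candidate[i] > reference[i] + slack) ++anomalies;
    return (double)anomalies / (double)reference.size();
}

// Threshold from the PR: more than 70% anomalous positions means a hook.
bool ksu_hook_detected(double rate) { return rate > 0.70; }

// Interleave the two syscalls so frequency changes hit both sample sets alike,
// then return the anomaly rate for `samples` pairs (PR default: 10000).
double ksu_side_channel_rate(int samples = 10000) {
    bind_to_big_core();
    std::vector<uint64_t> a, b;
    a.reserve(samples);
    b.reserve(samples);
    for (int i = 0; i < samples; ++i) {
        a.push_back(time_faccessat());
        b.push_back(time_fchownat());
    }
    return anomaly_rate(a, b);
}

int main() {
    double r = ksu_side_channel_rate();
    std::printf("anomaly rate %.3f -> %s\n", r,
                ksu_hook_detected(r) ? "KernelSU hook suspected" : "no hook detected");
    return 0;
}
```

On a stock kernel the two failure paths are a handful of instructions apart and the rate sits well under the threshold; a hook that reroutes faccessat through extra kernel code shifts every quantile of its distribution upward, which is what the sorted comparison is built to pick up regardless of absolute timer resolution.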

ZnDong (Author) commented Feb 19, 2026

If the author wants to integrate my previous 9 PRs, you can merge this branch's PR directly; this branch already contains and integrates all the changes from those 9 PRs.

ZnDong changed the title from "Merge branch 'dev' of https://github.com/ZnDong/launch" to "feat: Bundle of the previous 9 improvements and fixes" on Feb 19, 2026
