此文章只为学习而生,请勿干违法违禁之事,本公众号只在技术的学习上做以分享,此文章仅做技术分享,所有行为与本公众号无关。
sdfd
01
正向检测
01
android.net.ConnectivityManager Wifi代理
import android.content.Context;import android.net.ConnectivityManager;import android.net.NetworkInfo;import android.net.wifi.WifiInfo;import android.net.wifi.WifiManager;import android.net.ProxyInfo;import android.net.LinkProperties;import android.net.Network;publicclassWifiProxyChecker {publicstaticbooleanisWifiProxyEnabled(Context context) {ConnectivityManagerconnectivityManager= (ConnectivityManager) context.getSystemService(Context.CONNECTIVITY_SERVICE);if (connectivityManager != null) {NetworkInfonetworkInfo= connectivityManager.getActiveNetworkInfo();if (networkInfo != null && networkInfo.isConnected() && networkInfo.getType() == ConnectivityManager.TYPE_WIFI) {Networknetwork= connectivityManager.getActiveNetwork();LinkPropertieslinkProperties= connectivityManager.getLinkProperties(network);if (linkProperties != null) {ProxyInfoproxyInfo= linkProperties.getHttpProxy();if (proxyInfo != null && !proxyInfo.getHost().isEmpty()) {returntrue; // 代理已启用}}}}returnfalse; // 代理未启用}publicstaticvoidmain(String[] args) {// 示例用法Contextcontext= getApplicationContext(); // 获取Context对象if (isWifiProxyEnabled(context)) {System.out.println("WiFi代理已启用");} else {System.out.println("WiFi代理未启用");}}}
02
java.lang.System Wifi代理
publicclassProxyChecker {publicstaticbooleanisHttpProxyEnabled() {// 获取 http.proxyHost 系统属性String proxyHost = System.getProperty("http.proxyHost");// 获取 http.proxyPort 系统属性String proxyPort = System.getProperty("http.proxyPort");// 如果 proxyHost 不为空且 proxyPort 不为空,则认为代理已启用if (proxyHost != null && !proxyHost.isEmpty() && proxyPort != null && !proxyPort.isEmpty()) {returntrue;}returnfalse;}publicstaticvoidmain(String[] args) {if (isHttpProxyEnabled()) {System.out.println("HTTP 代理已启用");System.out.println("代理主机: " + System.getProperty("http.proxyHost"));System.out.println("代理端口: " + System.getProperty("http.proxyPort"));} else {System.out.println("HTTP 代理未启用");}}}
03
android.net.ConnectivityManager VPN
import android.content.Context;import android.net.ConnectivityManager;import android.net.NetworkInfo;publicclassVpnDetector {publicstaticbooleanisVpnEnabled(Context context) {// 获取 ConnectivityManager 实例ConnectivityManager connectivityManager = (ConnectivityManager) context.getSystemService(Context.CONNECTIVITY_SERVICE);if (connectivityManager == null) {returnfalse;}// 获取 VPN 类型的 NetworkInfoNetworkInfo vpnNetworkInfo = connectivityManager.getNetworkInfo(ConnectivityManager.TYPE_VPN);if (vpnNetworkInfo == null) {returnfalse;}// 检查 VPN 是否已连接return vpnNetworkInfo.isConnectedOrConnecting();}publicstaticvoidmain(String[] args) {// 示例用法Context context = getApplicationContext(); // 获取 Context 对象if (isVpnEnabled(context)) {System.out.println("VPN 已启用");} else {System.out.println("VPN 未启用");}}}
04
android.net.NetworkCapabilities VPN
import android.content.Context;import android.net.ConnectivityManager;import android.net.Network;import android.net.NetworkCapabilities;publicclassVpnDetector {publicstaticbooleanisVpnEnabled(Context context) {ConnectivityManagerconnectivityManager= (ConnectivityManager) context.getSystemService(Context.CONNECTIVITY_SERVICE);if (connectivityManager == null) {returnfalse;}NetworkactiveNetwork= connectivityManager.getActiveNetwork();if (activeNetwork == null) {returnfalse;}NetworkCapabilitiesnetworkCapabilities= connectivityManager.getNetworkCapabilities(activeNetwork);return networkCapabilities != null && networkCapabilities.hasTransport(NetworkCapabilities.TRANSPORT_VPN);}publicstaticvoidmain(String[] args) {Contextcontext= getApplicationContext(); // 获取 Context 对象if (isVpnEnabled(context)) {System.out.println("VPN 已启用");} else {System.out.println("VPN 未启用");}}}
02
hook脚本
functionwifi1_proxy_bypass(){Java.perform(()=>{var systemCls = Java.use('java.lang.System');systemCls.getProperty.overload('java.lang.String').implementation = function (val) {var ret = this.getProperty(val);if (val == "http.proxyHost") {return""}if (val == "http.proxyPort") {return"-1"// 这里改""/"0"/"-1",我这里留的-1是之前金融项目好几家都是-1}return ret}})}functionwifi2_proxy_bypass(){Java.perform(function () {varConnectivityManager = Java.use('android.net.ConnectivityManager');ConnectivityManager.getLinkProperties.implementation = function (network) {var linkProperties = this.getLinkProperties(network);if (linkProperties) {varProxyInfo = Java.use('android.net.ProxyInfo');var proxyInfo = ProxyInfo.$new(null, null, 0);linkProperties.setHttpProxy(proxyInfo);}return linkProperties;};});}functionvpn1_bypass(){Java.perform(()=>{varConnectivityManager = Java.use('android.net.ConnectivityManager');ConnectivityManager.getNetworkInfo.overload('int').implementation = function (networkType) {var result = this.getNetworkInfo(networkType);if (networkType === ConnectivityManager.TYPE_VPN.value) {returnnull;}return result;};})}functionvpn2_bypass() {Java.perform(() => {// 获取 NetworkCapabilities 类varNetworkCapabilities = Java.use('android.net.NetworkCapabilities');// Hook hasTransport 方法NetworkCapabilities.hasTransport.overload('int').implementation = function (transportType) {// 如果检测到 TRANSPORT_VPN,返回 falseif (transportType === NetworkCapabilities.TRANSPORT_VPN.value) {console.log("[*] VPN 检测被绕过");returnfalse;}// 否则调用原始方法returnthis.hasTransport(transportType);};console.log("[*] NetworkCapabilities.hasTransport 已 Hook");});}functionbypass_proxy_main(){wifi1_proxy_bypass() // wifi1+vpn1这两个组合居多,如果不行开wifi2和vpn2测试// wifi2_proxy_bypass()vpn1_bypass()// vpn2_bypass()}setImmediate(bypass_proxy_main)
原文始发于微信公众号(卫界安全-阿呆攻防):APP渗透|Frida过VPN和代理检测
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论