This project has three ways to detect Frida hooking:
- Detect the named pipes used by Frida
- Detect Frida-specific thread names
- Compare the .text section in memory with the .text section on disk, for both libc and the native library
More details can be found in my blog -> DetectFrida
This project also has three mechanisms to harden the native code:
- Replace certain libc calls with direct syscalls
- Replace string- and memory-related operations with custom implementations
- Apply O-LLVM native obfuscation
More details can be found in my blog -> Hardening Native Code
The arm64, armv7a and x86_64 architectures are supported. The hardened APK is provided for interested reverse engineers to analyze.
- Re-aligned functions
- Scan executable sections only if they are readable, to avoid crashes when the app targets API 29 (Android 10 introduced execute-only code pages on arm64)
- Stripped the comment section of the native library so that APKiD does not detect that the O-LLVM obfuscator was used
- Updated Target API to 30
- Updated Obfuscator-LLVM to OLLVM-TLL
- Fixed false positives found on Android 10 and Android 11. The memdisk comparison now checks the .plt and .text sections of libc and the native library properly
- The memdisk comparison is Frida-agnostic, so Frida-specific signature changes do not bypass this detection mechanism
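The memory-versus-disk check from the detection list above, as refined by the Android 10/11 changelog entry, written out as an added example in C. This is not DetectFrida's own code; it assumes Linux, ELF64 images and a readable /proc/self/maps, and all type and function names (`mapping`, `find_section`, `check_image`, `simulated_hook`, ...) are this example's own. It reads the target file from disk, locates the requested section (.text or .plt) through the section headers, derives that section's address in memory from the load base, confirms the pages are readable before touching them, and counts the bytes that differ. It checks the binary it is compiled into, libc, and a constructed buffer pair that mimics the bytes an inline hook overwrites.

```c
/* Memory-vs-disk comparison of a mapped ELF image's code section.
 * Added example, not DetectFrida's own code. Assumes Linux, ELF64 and /proc/self/maps. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned long start, end, off; char perms[8]; char path[512]; } mapping;

/* Bytes differing between mapped and on-disk copies; *first = offset of the first one (len if none). */
size_t count_diffs(const uint8_t *mem, const uint8_t *disk, size_t len, size_t *first)
{
    size_t n = 0;
    if (first) *first = len;
    for (size_t i = 0; i < len; i++)
        if (mem[i] != disk[i] && ++n == 1 && first) *first = i;
    return n;
}

/* Look up a section header by name in an ELF64 file image; -1 if not ELF64 or headers stripped/truncated. */
int find_section(const uint8_t *img, size_t len, const char *name, Elf64_Shdr *out)
{
    if (len < sizeof(Elf64_Ehdr) || memcmp(img, ELFMAG, SELFMAG) || img[EI_CLASS] != ELFCLASS64) return -1;
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)img;
    if (!eh->e_shoff || eh->e_shstrndx >= eh->e_shnum ||
        eh->e_shoff + (size_t)eh->e_shnum * sizeof(Elf64_Shdr) > len) return -1;
    const Elf64_Shdr *sh = (const Elf64_Shdr *)(img + eh->e_shoff), *st = &sh[eh->e_shstrndx];
    if (st->sh_offset + st->sh_size > len) return -1;
    const char *names = (const char *)(img + st->sh_offset);   /* .shstrtab */
    for (unsigned i = 0; i < eh->e_shnum; i++)
        if (sh[i].sh_name < st->sh_size && !strcmp(names + sh[i].sh_name, name)) {
            if (out) *out = sh[i];
            return 0;
        }
    return -1;
}

/* Scan /proc/self/maps: addr != 0 finds the mapping containing addr; addr == 0 finds the
 * file-offset-0 mapping of `path`, whose start is that image's load base. */
static int find_mapping(unsigned long addr, const char *path, mapping *m)
{
    FILE *f = (addr || path) ? fopen("/proc/self/maps", "r") : NULL;
    if (!f) return -1;
    char line[1024];
    int rc = -1;
    while (rc && fgets(line, sizeof line, f)) {
        m->path[0] = '\0';
        if (sscanf(line, "%lx-%lx %7s %lx %*s %*s %511s", &m->start, &m->end, m->perms, &m->off, m->path) < 4)
            continue;
        if (addr ? (m->start <= addr && addr < m->end) : (m->off == 0 && !strcmp(m->path, path))) rc = 0;
    }
    fclose(f);
    return rc;
}

/* Compare `section` (".text", ".plt") of the image mapped from `path` with the file on disk.
 * Returns the number of differing bytes (0 = clean) or -1 if it cannot be located, parsed or read safely. */
long check_image(const char *path, const char *section, size_t *first_diff)
{
    mapping m, r;
    if (find_mapping(0, path, &m)) return -1;
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    fseek(f, 0, SEEK_END);
    long len = ftell(f);
    rewind(f);
    uint8_t *img = len > 0 ? malloc((size_t)len) : NULL;
    long rc = (img && fread(img, 1, (size_t)len, f) == (size_t)len) ? 0 : -1;
    fclose(f);
    Elf64_Shdr sh;
    if (rc == 0) {
        rc = -1;
        if (!find_section(img, (size_t)len, section, &sh) && sh.sh_offset + sh.sh_size <= (size_t)len) {
            /* ET_DYN (PIE, .so): sh_addr is relative to the load base; ET_EXEC: absolute. */
            unsigned long addr = (((const Elf64_Ehdr *)img)->e_type == ET_DYN ? m.start : 0) + sh.sh_addr;
            /* Touch only readable pages: execute-only code (arm64 on Android 10, API 29)
             * would SIGSEGV here, which is the crash the changelog entry refers to. */
            if (!find_mapping(addr, NULL, &r) && r.perms[0] == 'r' && addr + sh.sh_size <= r.end)
                rc = (long)count_diffs((const uint8_t *)addr, img + sh.sh_offset, sh.sh_size, first_diff);
        }
    }
    free(img);
    return rc;
}

/* Check whichever image contains addr: &count_diffs selects this executable, &fopen (usually) libc. */
long check_image_containing(unsigned long addr, const char *section, size_t *first_diff)
{
    mapping m;
    if (find_mapping(addr, NULL, &m) || m.path[0] != '/') return -1;
    return check_image(m.path, section, first_diff);
}

/* This executable's own .text: 0 unless something patched it in memory. */
long self_text_diffs(void) { return check_image_containing((unsigned long)&count_diffs, ".text", NULL); }

/* Constructed sample: 32 bytes of "disk" code and a mapped copy whose first four bytes were
 * overwritten with a branch, the shape an inline hook leaves behind. */
size_t simulated_hook(size_t *first)
{
    uint8_t disk[32], mem[32];
    for (int i = 0; i < 32; i++) disk[i] = (uint8_t)(0x90 + i);
    memcpy(mem, disk, sizeof mem);
    memcpy(mem, (const uint8_t[]){0x11, 0x00, 0x00, 0x14}, 4);   /* constructed patch bytes */
    return count_diffs(mem, disk, sizeof mem, first);
}
size_t simulated_hook_first(void) { size_t f; simulated_hook(&f); return f; }

int main(void)
{
    size_t first;
    printf("own .text: %ld differing bytes\n", self_text_diffs());
    printf("libc .text: %ld differing bytes\n", check_image_containing((unsigned long)&fopen, ".text", NULL));
    size_t n = simulated_hook(&first);
    printf("simulated hook: %zu bytes differ, first at offset %zu\n", n, first);
    return 0;
}
```

Build with `cc -o memdisk memdisk.c` and run it; a clean process reports 0 differing bytes for both its own .text and libc's. Two caveats a production version, and the hardening bullets above, address: the file and /proc reads here go through libc's fopen/fread, which an instrumentation framework can hook, so the real check should issue the syscalls directly; and relocations and IFUNC resolution land in the GOT, not in .text or .plt, which is why those sections are expected to match the file byte for byte and a mismatch is worth treating as a patch.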
Henceforth, please don't raise issues asking for an OLLVM binary for Windows. PRs are welcome.