Anti-Debug and Anti-Memory Dump for Android
Some known techniques for anti-debug and anti-memory dump are used in this project. The focus is on applying them stealthily, from native code, without relying on Java APIs (which are easy to find and hook). Everything below is built on reading procfs.
The following techniques are used:
Anti-debug: a thread named JDWP (visible in /proc/self/task/comm and in each task's /proc/self/task//comm) indicates that the app is running as debuggable, since the runtime only starts the JDWP thread for debuggable apps.
Anti-debug: TracerPid != 0 in /proc/self/status, or in any task's /proc/self/task//status, means a process is attached via ptrace, i.e. a native debugger is present. Check every task, not only the main thread, because a tracer can attach to a single thread.
Anti-memory dump protects the app from memory dumping via Frida, GameGuardian or any other tool that reads process memory through procfs. An inotify watch (IN_OPEN and IN_ACCESS) is placed on the following files:
- /proc/self/maps
- /proc/self/mem
- /proc/self/pagemap
- /proc/self/task//mem
- /proc/self/task//pagemap
Any attempt to open or read these files is treated as an attempt to read the process memory. Be aware that if you use the techniques in DetectFrida, which itself reads /proc/self/maps, the inotify watch will be triggered by your own process: inotify does not report which process opened the file, so there is no way to tell a self-access from a foreign one. fanotify would solve this, because it reports the pid of the process accessing the file, but it needs CAP_SYS_ADMIN and the seccomp filter applied to apps since Android O blocks it for normal apps anyway.
Simply listening for opens of /proc/self/maps also makes this a candidate anti-Frida technique, since Frida reads the target's maps when it injects. The trade-off is that it is mutually exclusive with any other anti-Frida check that itself reads /proc/self/maps, because that read trips the watch.
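The checks above, as an added example that is not the project's own code: it implements the TracerPid and JDWP-thread checks over /proc/self and /proc/self/task/<tid>, and the inotify watch on the memory-exposing files, using only libc on Linux/Android. Function names are mine; the sample status and comm strings in the tests are constructed, and the self-read in main demonstrates the caveat that inotify cannot distinguish the app's own access from a foreign one.

```c
/* Added example (not the project's code): procfs-based anti-debug and
 * anti-memory-dump checks for Android/Linux native code. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Read a small procfs file into buf (NUL-terminated). Returns -1 on error. */
static ssize_t read_small_file(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Walk /proc/self/task/<tid>/<leaf>; returns 1 as soon as cb says so, else 0. */
static int any_task_file(const char *leaf, int (*cb)(const char *))
{
    char path[64], buf[4096];
    struct dirent *e;
    int hit = 0;
    DIR *d = opendir("/proc/self/task");
    if (!d) return 0;
    while (!hit && (e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        snprintf(path, sizeof path, "/proc/self/task/%s/%s", e->d_name, leaf);
        if (read_small_file(path, buf, sizeof buf) > 0 && cb(buf)) hit = 1;
    }
    closedir(d);
    return hit;
}

/* "TracerPid:\t<pid>" from a status file; -1 if the field is missing. */
int parse_tracer_pid(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    return p ? atoi(p + strlen("TracerPid:")) : -1;
}

static int status_is_traced(const char *status) { return parse_tracer_pid(status) > 0; }

/* A ptrace-based debugger is attached to the process or to any of its threads. */
int tracer_attached(void)
{
    char buf[4096];
    if (read_small_file("/proc/self/status", buf, sizeof buf) > 0 && status_is_traced(buf))
        return 1;
    return any_task_file("status", status_is_traced);
}

/* comm holds the thread name followed by '\n'; ART names its debugger thread "JDWP". */
int comm_is_jdwp(const char *comm)
{
    return strncmp(comm, "JDWP", 4) == 0 && (comm[4] == '\n' || comm[4] == '\0');
}

int jdwp_thread_present(void) { return any_task_file("comm", comm_is_jdwp); }

/* Anti-memory-dump: watch every procfs file that exposes process memory,
 * including the per-thread views. Returns the number of watches added. */
int add_memory_watches(int ifd)
{
    static const char *const files[] = { "/proc/self/maps", "/proc/self/mem", "/proc/self/pagemap" };
    static const char *const leaves[] = { "mem", "pagemap" };
    char path[64];
    struct dirent *e;
    int added = 0;
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        if (inotify_add_watch(ifd, files[i], IN_OPEN | IN_ACCESS) >= 0) added++;
    DIR *d = opendir("/proc/self/task");
    while (d && (e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;
        for (size_t i = 0; i < 2; i++) {
            snprintf(path, sizeof path, "/proc/self/task/%s/%s", e->d_name, leaves[i]);
            if (inotify_add_watch(ifd, path, IN_OPEN | IN_ACCESS) >= 0) added++;
        }
    }
    if (d) closedir(d);
    return added;
}

/* Wait up to timeout_ms for an open/read of a watched file: 1 = seen, 0 = quiet, -1 = error. */
int memory_access_seen(int ifd, int timeout_ms)
{
    struct pollfd pfd = { .fd = ifd, .events = POLLIN };
    char ev[sizeof(struct inotify_event) + NAME_MAX + 1];
    int r = poll(&pfd, 1, timeout_ms);
    if (r <= 0) return r;
    return read(ifd, ev, sizeof ev) > 0 ? 1 : -1;
}

int main(void)
{
    char buf[256];
    printf("tracer attached : %d\n", tracer_attached());
    printf("JDWP thread     : %d\n", jdwp_thread_present());
    int ifd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (ifd < 0) return 1;
    printf("watches added   : %d\n", add_memory_watches(ifd));
    /* The README's caveat: our own read of /proc/self/maps trips the watch
     * exactly as a foreign reader (Frida, GameGuardian) would. */
    read_small_file("/proc/self/maps", buf, sizeof buf);
    printf("self read seen  : %d\n", memory_access_seen(ifd, 100));
    close(ifd);
    return 0;
}
```

In a real app the inotify fd would be polled from a dedicated native thread and the reaction (crash, wipe keys, exit) taken from there; the watch must be re-added for new threads, since their /proc/self/task/<tid>/mem entries did not exist when add_memory_watches ran.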