AntiDebugandMemoryDump
Anti-Debug and Anti-Memory Dump for Android
Some known techniques for anti-debug and anti-memory dump have been used in this project. The focus is to use these techniques in a stealthy way without relying on Java APIs.
The following techniques are used:
Anti-Debug for Java
The presence of JDWP in /proc/self/task/comm, or in any task's /proc/self/task//comm, indicates that the app is debuggable.
Anti-Debug for Native
Check for TracerPid != 0 in /proc/self/status and in each task's /proc/self/task//status. A non-zero TracerPid is the pid of the process that is ptrace-attached to that task.
Anti-Memory Dump
Anti-memory dump protects the app from memory dumping via Frida, GameGuardian or any other means. An inotify watch is placed on the following files:
- /proc/self/maps
- /proc/self/mem
- /proc/self/pagemap
- /proc/self/task//mem
- /proc/self/task//pagemap
Any attempt to access or open these files is an indication that the process memory is being read. If you use the techniques in DetectFrida, inotify will be triggered. There is no way to tell whether the access came from the same process or from a different one. fanotify addresses this problem, as it provides the pid of the process accessing the file, but the seccomp filter in Android O restricts its use by normal apps.
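The native-side checks described above, written out as an added example that is not the project's own code: parsing TracerPid from a status file, matching the JDWP thread name in a comm file, and placing an inotify watch on /proc/self/maps. The paths are the ones named in this README; the function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/inotify.h>
/* TracerPid from a /proc/<pid>/status buffer: 0 = not traced, >0 = tracer's pid, -1 = field missing. */
int tracer_pid_from_status(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    return p ? (int)strtol(p + strlen("TracerPid:"), NULL, 10) : -1;
}

/* Same check on a real file, e.g. /proc/self/status or /proc/self/task/<tid>/status. */
int tracer_pid_of(const char *path)
{
    char buf[4096];
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* A task whose comm file reads exactly "JDWP" (trailing newline allowed) is the ART debugger thread. */
int comm_is_jdwp(const char *comm)
{
    return strcspn(comm, "\n") == 4 && memcmp(comm, "JDWP", 4) == 0;
}

/* Watch /proc/self/maps for open and read; returns the inotify fd or -1. */
int watch_maps(void)
{
    int fd = inotify_init1(IN_NONBLOCK);
    if (fd < 0) return -1;
    if (inotify_add_watch(fd, "/proc/self/maps", IN_OPEN | IN_ACCESS) < 0) { close(fd); return -1; }
    return fd;
}

/* Drain queued events: 1 if the watched file was opened or read since the last call, else 0. */
int maps_was_touched(int inotify_fd)
{
    char buf[4096] __attribute__((aligned(8)));
    ssize_t len = read(inotify_fd, buf, sizeof buf);   /* -1 with EAGAIN when nothing is queued */
    for (char *p = buf; len > 0 && p < buf + len;) {
        struct inotify_event *ev = (struct inotify_event *)p;
        if (ev->mask & (IN_OPEN | IN_ACCESS)) return 1;
        p += sizeof *ev + ev->len;
    }
    return 0;
}
```

Poll maps_was_touched() from a watchdog thread; as the text notes, it cannot tell the app's own reads of /proc/self/maps from another process's.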
Bonus
Simply listening for opens of /proc/self/maps also makes this a candidate anti-Frida technique. It is, however, mutually exclusive with other anti-Frida techniques that themselves rely on reading /proc/self/maps.