84 lines
3.1 KiB
Java
84 lines
3.1 KiB
Java
|
package AudioChecker;
|
||
|
|
||
|
import soot.*;
|
||
|
import soot.jimple.*;
|
||
|
import soot.options.Options;
|
||
|
import java.util.*;
|
||
|
|
||
|
public class AudioInput {
|
||
|
|
||
|
public static void main(String[] args) {
|
||
|
// Soot 初始化和配置
|
||
|
String pathToAndroidJars = "D:\\Android\\Android SDK\\platforms"; // Android JARs 路径
|
||
|
String pathToApk = "C:\\Users\\32082\\Desktop\\soot\\soot-android-static-analysis-master\\apk\\Audio\\飞书.apk"; // APK
|
||
|
// 路径
|
||
|
|
||
|
Options.v().set_src_prec(Options.src_prec_apk);
|
||
|
Options.v().set_android_jars(pathToAndroidJars); // 确保指向正确的 Android 平台库
|
||
|
Options.v().set_process_dir(Collections.singletonList(pathToApk));
|
||
|
Options.v().set_allow_phantom_refs(true); // 允许幻影引用,对于找不到的类
|
||
|
Options.v().set_output_format(Options.output_format_jimple);
|
||
|
|
||
|
Scene.v().loadNecessaryClasses();
|
||
|
|
||
|
// 存储 AudioRecordingCallback 的方法
|
||
|
Map<SootMethod, Body> audioRecordingCallbacks = new HashMap<>();
|
||
|
|
||
|
// 遍历所有类
|
||
|
for (SootClass sootClass : Scene.v().getApplicationClasses()) {
|
||
|
for (SootMethod method : sootClass.getMethods()) {
|
||
|
// System.out.println(method.getName());
|
||
|
if(method.getName()=="registerRecordingCallback")System.out.println("yes");
|
||
|
if (isAudioRecordingCallback(method)) {
|
||
|
try {
|
||
|
Body body = method.retrieveActiveBody();
|
||
|
audioRecordingCallbacks.put(method, body);
|
||
|
} catch (Exception e) {
|
||
|
System.out.println("Error retrieving body for method: " + method.getName());
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
if (audioRecordingCallbacks.size() == 0)
|
||
|
System.out.println("Class AudioRecordingCallbacks doesn't exist.");
|
||
|
else {
|
||
|
// 分析方法体
|
||
|
for (Map.Entry<SootMethod, Body> entry : audioRecordingCallbacks.entrySet()) {
|
||
|
Body body = entry.getValue();
|
||
|
for (Unit unit : body.getUnits()) {
|
||
|
if (unit instanceof IfStmt) {
|
||
|
IfStmt ifStmt = (IfStmt) unit;
|
||
|
Value condition = ifStmt.getCondition();
|
||
|
|
||
|
// 检查条件是否是 isClientSilenced
|
||
|
if (condition.toString().equals("isClientSilenced")) {
|
||
|
|
||
|
// System.out.println("Yeah,We got it!");
|
||
|
Unit nextUnit = body.getUnits().getSuccOf(ifStmt);
|
||
|
// 检查 AudioRecord.startRecording 调用
|
||
|
if (nextUnit instanceof InvokeStmt) {
|
||
|
InvokeExpr invokeExpr = ((InvokeStmt) nextUnit).getInvokeExpr();
|
||
|
if (invokeExpr.getMethod().getName().equals("startRecording")) {
|
||
|
System.out.println("Found target pattern in method: " + entry.getKey().getName());
|
||
|
}
|
||
|
}
|
||
|
} else {
|
||
|
System.out.println("Target pattern doesn't exist.");
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
private static boolean isAudioRecordingCallback(SootMethod method) {
|
||
|
// 根据特定条件判断方法是否为 AudioRecordingCallback
|
||
|
|
||
|
return method.getName().contains("onAudioFocusChange");
|
||
|
// return method.getName().contains("AudioRecordingCallback");
|
||
|
// return method.getSignature().contains("AudioRecordingCallback");
|
||
|
// return method.getSignature().contains("registerRecordingCallback");
|
||
|
// return method.getSignature().contains("startActivity");
|
||
|
}
|
||
|
}
|