Introduction to the

Zygote is the parent process of every App. Zygote is the parent process of all apps. So the Zygote process can be used to detect whether the app should be debugged.

Principle of detecting the parent process

Sometimes, instead of using apK additional debugging method to reverse, write a.out executable file directly to load so for debugging, so that the program’s parent process name is not the same as the normal apK parent process name.

The experimental test

1, normal start apK program: the parent process is zygote 2, debug start APK program: in AS use LLDB debug found that the parent process or zygote 3, additional debug APK program: the parent process is Zygote 4, vs remote debug with executable file load so: the parent process named gdbserver

Conclusion: If the parent process name is not Zygote, it is considered as debug state

Code implementation

int CheckApkParents(a)
 { 

/ / set the buf
 char strPpidCmdline[0x100] = {0};
 snprintf(strPpidCmdline, sizeof(strPpidCmdline), "/proc/%d/cmdl ine", getppid()); 
 // Call the open function of the system to open the file
 int file=open(strPpidCmdline,O_RDONLY); if(file<0) 
 { 
     // Failed to open,
     LOGA("CheckApkParents open error! \n");
     return -1;
 }
 
 // Read the contents of the file into memory
 memset(strPpidCmdline,0,sizeof(strPpidCmdline)); 
 // Call the system read function to read memory
 ssize_t ret=read(file,strPpidCmdline,sizeof(strPpidCmdline));
 if(-1==ret) 
 { 
 // Failed to read memory data
     LOGA("CheckApkParents read error! \n");
     return -1; 
 }
 // 0 is not found
 char sRet=strstr(strPpidCmdline,"zygote"); 
 if(NULL==sRet)
 { 
 
 // At this point, judge the debug state
     LOGA("Parent cmdline has no zygote substring! \n");
     return 0; 
 }

 return 1;
 }
 
Copy the code