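What you find online on this topic is mostly incomplete. Recently there is a new encryption scheme (F5shape) that uses control-flow obfuscation; cracking it is fairly tedious, so I just used selenium directly. I saw that there was environment detection, but I did not expect it to detect selenium… At first I wrote it in nodejs, but writing procedural code in nodejs is really painful, so I switched to python.
Opening this site shows some of the detection points: https://bot.sannysoft.com
Basic configuration
- UA
- For the mobile version, set a common phone model
- Configure the switches carefully according to this page: https://peter.sh/experiments/chromium-command-line-switches/#enable-print-preview-register-promos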
from selenium import webdriver

options = webdriver.ChromeOptions()
options.add_argument("--disable-blink-features")
options.add_argument("--disable-blink-features=AutomationControlled")
options.add_argument('--incognito')
options.add_argument("--disable-extensions")
options.add_argument("--disable-infobars")
options.add_argument("--no-default-browser-check")
options.add_experimental_option("excludeSwitches", ["enable-automation"])
options.add_experimental_option("useAutomationExtension", False)
# Emulate a common phone model for the mobile version of the site
mobileEmulation = {'deviceName': 'iPhone X'}
options.add_experimental_option('mobileEmulation', mobileEmulation)
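The pile of global variables that every beginner tutorial online covers
- window.navigator.webdriver needs to be changed to false
- navigator.plugins: the number of plugins should not be 0
- navigator.languages should be English (but abroad it would be English anyway)
These are all minor; hooking them ahead of time gets past them.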
from selenium.webdriver.chrome.service import Service

# path is the directory that contains chromedriver.exe (Selenium 4 style constructor)
driver = webdriver.Chrome(service=Service(path + '/chromedriver.exe'), options=options)
# The script is evaluated in every new document before the page's own scripts run
driver.execute_cdp_cmd("Page.addScriptToEvaluateOnNewDocument", {
    "source": '''
        Object.defineProperties(navigator, { webdriver: { get: () => false } });
        window.navigator.chrome = { runtime: {} };
        Object.defineProperty(navigator, 'languages', { get: () => ['en-US', 'en'] });
        Object.defineProperty(navigator, 'plugins', { get: () => [1, 2, 3, 4, 5, 6] });
    '''
})
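Why instance-level overrides like the hook above remain visible to a page script, shown as an added example (not code from the original post): the checks compare navigator against what stock Chrome exposes. The function name findNavigatorTampering and the fake browser objects are constructed for illustration.

```javascript
// Added example, not from the original post. Browser objects are passed in as
// parameters so the checks also run outside a browser; in a page, call
// findNavigatorTampering(navigator, Navigator.prototype, PluginArray).
function findNavigatorTampering(nav, navProto, PluginArrayCtor) {
  const findings = [];
  for (const name of ['webdriver', 'languages', 'plugins']) {
    // Stock Chrome keeps these as accessors on Navigator.prototype, so the
    // navigator instance itself has no own property with these names.
    if (Object.prototype.hasOwnProperty.call(nav, name)) findings.push(`own:${name}`);
    // A native getter stringifies with "[native code]"; a script-defined one
    // shows its source instead.
    const desc = Object.getOwnPropertyDescriptor(navProto, name);
    if (desc && desc.get &&
        !Function.prototype.toString.call(desc.get).includes('[native code]')) {
      findings.push(`patched-getter:${name}`);
    }
  }
  // The real plugin list is a PluginArray, not a plain Array of numbers.
  if (!(nav.plugins instanceof PluginArrayCtor)) findings.push('plugins-type');
  // Chrome exposes window.chrome; a `chrome` key on navigator is not native.
  if ('chrome' in nav) findings.push('navigator.chrome');
  return findings;
}

// Constructed stand-ins for the browser objects (hypothetical, for offline runs).
// Bound functions stringify as "[native code]", which mimics native getters.
class FakePluginArray {}
function makeCleanNavigator() {
  const proto = {};
  const values = { webdriver: false, languages: ['en-US', 'en'], plugins: new FakePluginArray() };
  for (const [name, value] of Object.entries(values)) {
    Object.defineProperty(proto, name, { get: (() => value).bind(null), configurable: true });
  }
  return { nav: Object.create(proto), proto };
}

// Same instance-level overrides as the hook in the post above.
function makeHookedNavigator() {
  const { nav, proto } = makeCleanNavigator();
  Object.defineProperties(nav, { webdriver: { get: () => false } });
  nav.chrome = { runtime: {} };
  Object.defineProperty(nav, 'languages', { get: () => ['en-US', 'en'] });
  Object.defineProperty(nav, 'plugins', { get: () => [1, 2, 3, 4, 5, 6] });
  return { nav, proto };
}

const clean = makeCleanNavigator();
const hooked = makeHookedNavigator();
console.log(findNavigatorTampering(clean.nav, clean.proto, FakePluginArray));
console.log(findNavigatorTampering(hooked.nav, hooked.proto, FakePluginArray));
```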
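Later a new method came along: export the browser's state directly and generate the JS from it
This works the same way as the second approach, but is more complete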
# Load the generated evasion script and inject it into every new document
with open(path + '/stealth.min.js') as f:
    js = f.read()
driver.execute_cdp_cmd("Page.addScriptToEvaluateOnNewDocument", {
    "source": js
})
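How to get the stealth.min.js file: after installing nodejs, run the following command; the file is generated automatically in the root directory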
npx extract-stealth-evasions
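At this point it can already get past most of the detection, including the detection site at the start of this post
Command communication detection
This took a long time to debug. I found that as soon as webdriver and selenium communicated, the JS detected it. Later I read the webdriver documentation (https://www.w3.org/TR/webdriver) and found that they communicate over HTTP, so I guessed that something was cached in a global variable
And the browser's only global variable is: window
selenium can actually also be used like Tampermonkey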
with open(path + '/stealth.min.js') as f:
    js = f.read()
driver.execute_cdp_cmd("Page.addScriptToEvaluateOnNewDocument", {
    "source": '''
        // Log every key of obj in sorted order so two dumps can be compared
        function objKeySort(obj) {
            let newkey = Object.keys(obj).sort();
            let resStr = '';
            for (let i = 0; i < newkey.length; i++) {
                let str = obj[newkey[i]];
                console.log(i, newkey[i], str);
                resStr += str;
            }
            return resStr;
        }
    '''
})
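Now the console already has the objKeySort method. Use objKeySort(window) to look at the difference between before and after a command runs
I found that document is where it changed. With Object.keys(window.document) you can see that after a command runs there is an extra key, $cdc_xxxxxx
Later I searched and found https://stackoverflow.com/questions/33225947/can-a-website-detect-when-you-are-using-selenium-with-chromedriver
There you can see that it is enough to change the string inside the driver with a command:
perl -pi -e 's/cdc_/fuck_/g' chromedriver.exe
I have heard that for tb the cdc check can be found just by searching the JS, but mine was a jsvmp, so it could not be searched and I could only find it by debugging slowly~ I took a detection script from the link above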
runBotDetection = function () {
    // Properties that automation drivers are known to leave on document
    var documentDetectionKeys = [
        "__webdriver_evaluate",
        "__selenium_evaluate",
        "__webdriver_script_function",
        "__webdriver_script_func",
        "__webdriver_script_fn",
        "__fxdriver_evaluate",
        "__driver_unwrapped",
        "__webdriver_unwrapped",
        "__driver_evaluate",
        "__selenium_unwrapped",
        "__fxdriver_unwrapped",
    ];
    // Properties that automation tools are known to leave on window
    var windowDetectionKeys = [
        "_phantom",
        "__nightmare",
        "_selenium",
        "callPhantom",
        "callSelenium",
        "_Selenium_IDE_Recorder",
    ];
    for (const windowDetectionKey in windowDetectionKeys) {
        const windowDetectionKeyValue = windowDetectionKeys[windowDetectionKey];
        if (window[windowDetectionKeyValue]) {
            return true;
        }
    };
    for (const documentDetectionKey in documentDetectionKeys) {
        const documentDetectionKeyValue = documentDetectionKeys[documentDetectionKey];
        if (window['document'][documentDetectionKeyValue]) {
            return true;
        }
    };
    // The $cdc_... key that ChromeDriver adds to document, identified by its cache_ member
    for (const documentKey in window['document']) {
        if (documentKey.match(/\$[a-z]dc_/) && window['document'][documentKey]['cache_']) {
            return true;
        }
    }
    if (window['external'] && window['external'].toString() && (window['external'].toString()['indexOf']('Sequentum') != -1)) return true;
    // Attributes set on the <html> element by some drivers
    if (window['document']['documentElement']['getAttribute']('selenium')) return true;
    if (window['document']['documentElement']['getAttribute']('webdriver')) return true;
    if (window['document']['documentElement']['getAttribute']('driver')) return true;
    return false;
};