Link to this headingAndroid Xposed

Installation

Link to this headingCreating a new Hook

Source

  1. Open Android Studio and Create a New project
  2. Select No activity
  3. Change Name and save location
  4. Set API level (Can set to API 23)

Set App build.gradle:

//[...] repositories { jcenter() } dependencies { // Xposed Framework API dependencies compileOnly 'de.robv.android.xposed:api:82' compileOnly 'de.robv.android.xposed:api:82:sources' }

Set manifest.xml:

<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.test.app.hook"> <application android:allowBackup="true" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true" android:theme="@style/AppTheme" > <meta-data android:name="xposedmodule" android:value="true" /> <meta-data android:name="xposeddescription" android:value="Hook for Application" /> <meta-data android:name="xposedminversion" android:value="53" /> </application> </manifest>
  1. Create a new Class
  2. Create a directory called assets in app/src/main
  3. Create a new text document called xposed_init in app/src/main/assets
  4. Set this as the Class that you want to run.
    • For Example I will use com.test.app.hook.MainHook

Example Class:

package com.example.app.hook; import de.robv.android.xposed.IXposedHookLoadPackage; import de.robv.android.xposed.callbacks.XC_LoadPackage; public class MainHook implements IXposedHookLoadPackage { @Override public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable { XposedBridge.log("Loaded app: " + lpparam.packageName); } }
  1. Edit Build Settings and change General -> Launch Options -> Launch -> Nothing

Link to this headingVersions

There are different types of Exposed Frameworks for different versions of the Android Versions

Edxposed:

  • Supports Android 8 - 10
  • Has two different versions
    • YAHFA Supports (Android 5 - 9)
      • More stable
    • SandHook Supports (Android 4.4 - 10.0)
      • Faster

Riru:

  • Rooted Android 6.0+ devices

Epic:
Dynamic java method AOP hook for Android(continution of Dexposed on ART), Supporting 5.0~11

Original Exposed:
Only works until Android 7. Download from

VirtualExposed

  • Runs in a Docker like container on the android device. This allows Xposed to run without root permissions

TaiChi:

  • Is in Chinese
  • Supports Android 5 - 10
  • Can be used in unrooted phone
    • Reinstalls the APK
      • This modifies the APK and might trigger protections that prevent resigning
    • Only Hooks the single app
      • Cant seem to reinstall App

Link to this headingExamples

More Examples

Example Xposed Hook:

package de.robv.android.xposed.mods.tutorial; import static de.robv.android.xposed.XposedHelpers.findAndHookMethod; import android.graphics.Color; import android.widget.TextView; import de.robv.android.xposed.IXposedHookLoadPackage; import de.robv.android.xposed.XC_MethodHook; import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam; public class Tutorial implements IXposedHookLoadPackage { //Is loaded when each app starts public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable { //Only Hook the com.android.systemui application if (!lpparam.packageName.equals("com.android.systemui")) return; //Change the behavor of the specified function with no arguments findAndHookMethod("com.android.systemui.statusbar.policy.Clock", lpparam.classLoader, "updateClock", new XC_MethodHook() { @Override protected void afterHookedMethod(MethodHookParam param) throws Throwable { TextView tv = (TextView) param.thisObject; String text = tv.getText().toString(); tv.setText(text + " :)"); tv.setTextColor(Color.RED); } }); } }
findAndHookMethod("javax.net.ssl.HttpsURLConnection", lpparam.classLoader, "setDefaultHostnameVerifier", HostnameVerifier.class, new XC_MethodReplacement() { //Replace the Method with your own @Override protected Object replaceHookedMethod(MethodHookParam param) throws Throwable { return null; } });

Once the hook is written, the project needs to be compiled into a signed APK and installed on the device (e.g., via “adb install”).

Link to this headingHow to detect

Detecting Frida

Like all hooking frameworks it introduces libraries into the application which can be checked by the application.

>>> cat /proc/25344/maps [...] 7088470000-7088471000 ---p 00000000 00:00 0 7088471000-7088574000 rw-p 00000000 00:00 0 [stack:25356] 7088574000-7088576000 r--p 00000000 fd:00 1374148 /data/user_de/0/com.example.android.dev/cache/sandhook/zygote64/hookers/oat/arm64/SandHookerNew_11kmfuj3mo4jprq7n6o7upu921.odex 7088576000-7088577000 rw-p 00000000 00:00 0 [anon:.bss] 7088577000-7088578000 r--p 00002000 fd:00 1374148 /data/user_de/0/com.example.android.dev/cache/sandhook/zygote64/hookers/oat/arm64/SandHookerNew_11kmfuj3mo4jprq7n6o7upu921.odex 7088578000-7088579000 rw-p 00003000 fd:00 1374148 /data/user_de/0/com.example.android.dev/cache/sandhook/zygote64/hookers/oat/arm64/SandHookerNew_11kmfuj3mo4jprq7n6o7upu921.odex 7088597000-7088598000 ---p 00000000 00:00 0 [anon:thread stack guard page] 7088598000-7088599000 ---p 00000000 00:00 0 7088599000-7088694000 rw-p 00000000 00:00 0 [stack:25350] 7088694000-7088695000 ---p 00000000 00:04 716818 /dev/ashmem/dalvik-Jit thread pool worker thread 0 (deleted) 7088695000-7088696000 ---p 00001000 00:04 716818 /dev/ashmem/dalvik-Jit thread pool worker thread 0 (deleted) 7088696000-7088795000 rw-p 00002000 00:04 716818 /dev/ashmem/dalvik-Jit thread pool worker thread 0 (deleted) 7088795000-70887a4000 r--p 00000000 fd:00 384296 /data/app/com.example.app.hook-bhwKIYXEajXaMa-RA4pkcA==/oat/arm64/base.odex 70887a4000-70887ba000 rw-p 00000000 00:00 0 [anon:.bss] 70887ba000-70887bb000 r--p 0000f000 fd:00 384296 /data/app/com.example.app.hook-bhwKIYXEajXaMa-RA4pkcA==/oat/arm64/base.odex 70887bb000-70887bc000 rw-p 00010000 fd:00 384296 /data/app/com.example.app.hook-bhwKIYXEajXaMa-RA4pkcA==/oat/arm64/base.odex 70887cf000-70887ef000 rw-p 00000000 00:04 717205 /dev/ashmem/dalvik-CompilerMetadata (deleted) 70887ef000-7088b8b000 r--s 00000000 fd:00 384297 /data/app/com.example.app.hook-bhwKIYXEajXaMa-RA4pkcA==/oat/arm64/base.vdex 7088b8b000-7088bd5000 r-xp 00000000 fd:00 245306 /system/lib64/libsandhook.edxp.so 7088bd5000-7088be5000 ---p 00000000 00:00 0 7088be5000-7088be8000 r--p 0004a000 fd:00 245306 /system/lib64/libsandhook.edxp.so 7088be8000-7088be9000 rw-p 0004d000 fd:00 245306 /system/lib64/libsandhook.edxp.so [...]

How Snapchat detects Xposed

Link to this headingVirtual Exposed

  • The Virtual Environment sometimes screws up the application flow and may introduce some errors

Link to this headingInstalling the VirtualExposed App

  1. Download the VirtualExposed App
  2. Install the VirtualExposed APK though adb
  3. Launch the VirtualExposed Application and enable Xposed through the Xposed installer in the VirtualExposed Application.

Link to this headingInstall the Target Application or Xposed Module

  1. On the VirtualExposed Home Screen click on either the virtual application button in the bottom middle on the screen
  2. Push the target APK to the device
  3. Click Add App
  4. Choose the internal storage and select app
  5. Click Install
  6. Choose VirtualExposed
  7. It will take a long time to install.