Android Xposed
Note: Whenever a module is enabled or disabled, you must perform a soft reboot from the Xposed app. This is required because Xposed loads modules into zygote, the first Android process spawned on boot, from which every app process is forked; module changes therefore only take effect once zygote has been restarted.
Creating a new Hook
- Open Android Studio and create a new project
- Select "No Activity" (a module needs no UI)
- Change the name and save location
- Set the API level (API 23 works)
Set the app's build.gradle:

```groovy
//[...]
repositories {
    jcenter()
}

dependencies {
    // Xposed Framework API dependencies (compile-time only: the framework provides them at runtime)
    compileOnly 'de.robv.android.xposed:api:82'
    compileOnly 'de.robv.android.xposed:api:82:sources'
}
```
Set AndroidManifest.xml (the three meta-data entries mark the APK as an Xposed module):

```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.test.app.hook">

    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme" >

        <meta-data
            android:name="xposedmodule"
            android:value="true" />
        <meta-data
            android:name="xposeddescription"
            android:value="Hook for Application" />
        <meta-data
            android:name="xposedminversion"
            android:value="53" />
    </application>
</manifest>
```
- Create a new class
- Create a directory called assets in app/src/main
- Create a new text file called xposed_init in app/src/main/assets
- Write the fully qualified name of the class you want to run into xposed_init (one class name per line)
- For example I will use com.test.app.hook.MainHook
Example class:

```java
// The package must match the name written in assets/xposed_init (com.test.app.hook.MainHook)
package com.test.app.hook;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

public class MainHook implements IXposedHookLoadPackage {
    // Called once in every newly started app process
    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {
        XposedBridge.log("Loaded app: " + lpparam.packageName);
    }
}
```
- Edit the run configuration and change General -> Launch Options -> Launch to "Nothing", since the module has no activity to start
Versions
There are different Xposed frameworks for different Android versions.

EdXposed:
- Supports Android 8 - 10
- Has two different versions:
  - YAHFA: supports Android 5 - 9, more stable
  - SandHook: supports Android 4.4 - 10.0, faster

Riru:
- For rooted Android 6.0+ devices

Epic:
- https://github.com/tiann/epic

Original Xposed:
- Only works up to Android 7. Download from

VirtualXposed:
- Runs in a Docker-like container on the Android device, which allows Xposed to run without root permissions

TaiChi:
- Is in Chinese
- Supports Android 5 - 10
- Can be used on an unrooted phone
- Reinstalls the APK
  - This modifies the APK and might trigger protections that prevent resigning
- Only hooks the single app
- Can't seem to reinstall the app
Examples
Example Xposed hook:

```java
package de.robv.android.xposed.mods.tutorial;

import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;

import android.graphics.Color;
import android.widget.TextView;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class Tutorial implements IXposedHookLoadPackage {
    // Is loaded when each app starts
    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // Only hook the com.android.systemui application
        if (!lpparam.packageName.equals("com.android.systemui"))
            return;

        // Change the behaviour of the specified function with no arguments
        findAndHookMethod("com.android.systemui.statusbar.policy.Clock", lpparam.classLoader, "updateClock", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                // The original updateClock() has already run; adjust the result
                TextView tv = (TextView) param.thisObject;
                String text = tv.getText().toString();
                tv.setText(text + " :)");
                tv.setTextColor(Color.RED);
            }
        });
    }
}
```

A method can also be replaced outright instead of being wrapped with before/after callbacks:

```java
// Goes inside handleLoadPackage(lpparam) like the Tutorial class above and additionally
// needs imports for javax.net.ssl.HostnameVerifier and de.robv.android.xposed.XC_MethodReplacement.
// Parameter types (here HostnameVerifier.class) are listed before the callback to select the overload.
findAndHookMethod("javax.net.ssl.HttpsURLConnection", lpparam.classLoader, "setDefaultHostnameVerifier",
        HostnameVerifier.class, new XC_MethodReplacement() {
    // Replace the method with your own: the original body never runs
    @Override
    protected Object replaceHookedMethod(MethodHookParam param) throws Throwable {
        return null; // setDefaultHostnameVerifier is void, so there is nothing to return
    }
});
```
Once the hook is written, the project needs to be compiled into a signed APK and installed on the device (e.g., via "adb install").
How to detect
Like all hooking frameworks, Xposed loads its own libraries and compiled module code into the target process, and an application can check for them, for example by reading its own /proc/self/maps. In the output below, the SandHook hooker odex under cache/sandhook, the module APK's own base.odex and libsandhook.edxp.so all give the framework away.

```
>>> cat /proc/25344/maps
[...]
7088470000-7088471000 ---p 00000000 00:00 0
7088471000-7088574000 rw-p 00000000 00:00 0 [stack:25356]
7088574000-7088576000 r--p 00000000 fd:00 1374148 /data/user_de/0/com.example.android.dev/cache/sandhook/zygote64/hookers/oat/arm64/SandHookerNew_11kmfuj3mo4jprq7n6o7upu921.odex
7088576000-7088577000 rw-p 00000000 00:00 0 [anon:.bss]
7088577000-7088578000 r--p 00002000 fd:00 1374148 /data/user_de/0/com.example.android.dev/cache/sandhook/zygote64/hookers/oat/arm64/SandHookerNew_11kmfuj3mo4jprq7n6o7upu921.odex
7088578000-7088579000 rw-p 00003000 fd:00 1374148 /data/user_de/0/com.example.android.dev/cache/sandhook/zygote64/hookers/oat/arm64/SandHookerNew_11kmfuj3mo4jprq7n6o7upu921.odex
7088597000-7088598000 ---p 00000000 00:00 0 [anon:thread stack guard page]
7088598000-7088599000 ---p 00000000 00:00 0
7088599000-7088694000 rw-p 00000000 00:00 0 [stack:25350]
7088694000-7088695000 ---p 00000000 00:04 716818 /dev/ashmem/dalvik-Jit thread pool worker thread 0 (deleted)
7088695000-7088696000 ---p 00001000 00:04 716818 /dev/ashmem/dalvik-Jit thread pool worker thread 0 (deleted)
7088696000-7088795000 rw-p 00002000 00:04 716818 /dev/ashmem/dalvik-Jit thread pool worker thread 0 (deleted)
7088795000-70887a4000 r--p 00000000 fd:00 384296 /data/app/com.example.app.hook-bhwKIYXEajXaMa-RA4pkcA==/oat/arm64/base.odex
70887a4000-70887ba000 rw-p 00000000 00:00 0 [anon:.bss]
70887ba000-70887bb000 r--p 0000f000 fd:00 384296 /data/app/com.example.app.hook-bhwKIYXEajXaMa-RA4pkcA==/oat/arm64/base.odex
70887bb000-70887bc000 rw-p 00010000 fd:00 384296 /data/app/com.example.app.hook-bhwKIYXEajXaMa-RA4pkcA==/oat/arm64/base.odex
70887cf000-70887ef000 rw-p 00000000 00:04 717205 /dev/ashmem/dalvik-CompilerMetadata (deleted)
70887ef000-7088b8b000 r--s 00000000 fd:00 384297 /data/app/com.example.app.hook-bhwKIYXEajXaMa-RA4pkcA==/oat/arm64/base.vdex
7088b8b000-7088bd5000 r-xp 00000000 fd:00 245306 /system/lib64/libsandhook.edxp.so
7088bd5000-7088be5000 ---p 00000000 00:00 0
7088be5000-7088be8000 r--p 0004a000 fd:00 245306 /system/lib64/libsandhook.edxp.so
7088be8000-7088be9000 rw-p 0004d000 fd:00 245306 /system/lib64/libsandhook.edxp.so
[...]
```
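The check described above, as an added example that is not part of the original page: a small parser for /proc/&lt;pid&gt;/maps output that flags mappings whose backing file points at an Xposed-family framework. It runs over a constructed sample built from the maps lines above plus one ordinary libc mapping; the same logic can be ported into an app's own Java/Kotlin code reading /proc/self/maps. The indicator substrings "xposed", "edxp" and "sandhook" come from the paths shown on this page; "yahfa" and "riru" are assumed from the framework names in the Versions section and may need adjusting.

```python
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List

# Path substrings that point at an Xposed-family framework. "xposed", "edxp" and
# "sandhook" are taken from the mapping paths shown above; "yahfa" and "riru" are
# assumed from the framework names on this page and may need tuning per device.
XPOSED_INDICATORS = ("xposed", "edxp", "sandhook", "yahfa", "riru")

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"(?:\s+(?P<path>.*))?$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str  # empty for anonymous mappings


def parse_maps(lines: Iterable[str]) -> List[Mapping]:
    """Parse maps-format lines; anything that is not a mapping (e.g. "[...]") is skipped."""
    mappings = []
    for line in lines:
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue
        mappings.append(Mapping(int(m.group("start"), 16), int(m.group("end"), 16),
                                m.group("perms"), (m.group("path") or "").strip()))
    return mappings


def is_xposed_mapping(m: Mapping) -> bool:
    """True when the backing file name contains one of the framework indicators."""
    path = m.path.lower()
    return any(ind in path for ind in XPOSED_INDICATORS)


def find_xposed_mappings(lines: Iterable[str]) -> List[Mapping]:
    return [m for m in parse_maps(lines) if is_xposed_mapping(m)]


def xposed_libraries(lines: Iterable[str]) -> List[str]:
    """Unique, sorted paths of flagged mappings (one .so usually spans several mappings)."""
    return sorted({m.path for m in find_xposed_mappings(lines)})


# Constructed sample: a subset of the maps output above plus one ordinary libc mapping
SAMPLE_MAPS = """\
7088471000-7088574000 rw-p 00000000 00:00 0 [stack:25356]
7088574000-7088576000 r--p 00000000 fd:00 1374148 /data/user_de/0/com.example.android.dev/cache/sandhook/zygote64/hookers/oat/arm64/SandHookerNew_11kmfuj3mo4jprq7n6o7upu921.odex
7088694000-7088695000 ---p 00000000 00:04 716818 /dev/ashmem/dalvik-Jit thread pool worker thread 0 (deleted)
7088795000-70887a4000 r--p 00000000 fd:00 384296 /data/app/com.example.app.hook-bhwKIYXEajXaMa-RA4pkcA==/oat/arm64/base.odex
7088b8b000-7088bd5000 r-xp 00000000 fd:00 245306 /system/lib64/libsandhook.edxp.so
7088be5000-7088be8000 r--p 0004a000 fd:00 245306 /system/lib64/libsandhook.edxp.so
7f1c000000-7f1c1b0000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so
"""

if __name__ == "__main__":
    # Pass a saved maps file (e.g. pulled with adb) or read the sample when no argument is given
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAPS
    for path in xposed_libraries(source.splitlines()):
        print("possible Xposed artifact:", path)
```

Note that the module's own base.odex (com.example.app.hook above) is not flagged: a module's package name is whatever its author chose, so a name-based check only catches the framework's shared pieces. A framework that hooks the app's file reads can also hide these entries, so treat the maps scan as one heuristic among several rather than a definitive answer.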
VirtualXposed
- The virtual environment sometimes breaks the application flow and may introduce errors

Installing the VirtualXposed App
- Download the VirtualXposed app
- Install the VirtualXposed APK through adb
- Launch the VirtualXposed application and enable Xposed through the Xposed installer inside the VirtualXposed application
Install the Target Application or Xposed Module
- On the VirtualXposed home screen, click the virtual application button in the bottom middle of the screen
- Push the target APK to the device
- Click Add App
- Choose the internal storage and select the app
- Click Install
- Choose VirtualXposed
- It will take a long time to install