
I am trying to understand how Xposed does the hooking part and provides APIs for users to hook any method very easily.

I have gone through the source code of XposedBridge, the jar file which resides inside every process whenever it starts. I also found that they are using Java reflection to get the class methods, parameters etc. to pass them to the native methods through JNI.

One thing I am not able to figure out is how Xposed is hooking the processes and is able to get full control over them.

I am trying to figure out whether the hooking takes place on the Java side inside the XposedBridge jar file or at the ART level in native code.

rohan


Good question. Xposed works by modifying the app_process file, which is the ART VM and previously the Dalvik VM.

This new modified ART/Dalvik VM will load the XposedBridge.jar file as well as all the Xposed modules that have been registered in the system upon execution. Now, this only happens once, because the way Android works is that there's one Java VM that is created from scratch (called Zygote), and then every time an app starts, this VM is forked for the new app to have its own VM.

Furthermore, this modified ART/Dalvik VM will add a callback after Zygote's fork function to allow it to trigger all the Xposed modules' code that is intercepting the packageOnLoad event.

Finally, in order to allow it to intercept individual classes' methods, the hookMethod functionality in XposedBridge (which is the library you're using when you're creating your Xposed modules) will modify the native class struct in the VM that is defined for the particular class you're trying to hook, in order to redirect the method pointer for the method you're trying to hook to your new replacement method.

Kariem
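The last paragraph of the answer describes the native side of the mechanism: the VM's per-method record holds an entry pointer, and hooking means overwriting that pointer so calls land in a trampoline that runs the before/after callbacks around the original. The following C program, added here as an illustration and not taken from Xposed or ART, models that idea with a toy class/method table. The `Class` and `Method` structs, the single global hook slot, the sample `com.example.Calc` class and its `square`/`negate` methods are all constructed for the demo; ART's real `ArtMethod` layout and entry-point fields are deliberately not reproduced.

```c
#include <stdio.h>
#include <string.h>

typedef int (*method_fn)(int);

/* One method record: the VM dispatches calls through `entry`
 * (a simplified stand-in for the real per-method structure). */
typedef struct {
    const char *name;
    method_fn entry;
} Method;

/* One class record holding its method table (toy model). */
typedef struct {
    const char *name;
    Method methods[4];
    int nmethods;
} Class;

typedef void (*before_fn)(int *arg);
typedef void (*after_fn)(int *result);

/* Saved state for the single hooked method this model supports:
 * the original entry pointer plus before/after callbacks, in the spirit
 * of XC_MethodHook's beforeHookedMethod/afterHookedMethod. */
static struct {
    method_fn original;
    before_fn before;
    after_fn after;
    int before_calls;
    int after_calls;
} g_hook;

/* Trampoline installed in place of the original entry pointer:
 * run the before callback, call the saved original, run the after callback. */
static int trampoline(int x) {
    if (g_hook.before) { g_hook.before(&x); g_hook.before_calls++; }
    int result = g_hook.original(x);
    if (g_hook.after) { g_hook.after(&result); g_hook.after_calls++; }
    return result;
}

static Method *find_method(Class *cls, const char *name) {
    for (int i = 0; i < cls->nmethods; i++)
        if (strcmp(cls->methods[i].name, name) == 0) return &cls->methods[i];
    return NULL;
}

/* What the VM does on an invoke: look up the method and jump through entry.
 * Returns -1 for an unknown method name. */
int call_method(Class *cls, const char *name, int arg) {
    Method *m = find_method(cls, name);
    return m ? m->entry(arg) : -1;
}

/* The hook: swap the entry pointer for the trampoline, remembering the
 * original so it can still be called. Returns 0 if the method is unknown
 * or already hooked. */
int hook_method(Class *cls, const char *name, before_fn before, after_fn after) {
    Method *m = find_method(cls, name);
    if (!m || m->entry == trampoline) return 0;
    g_hook.original = m->entry;
    g_hook.before = before;
    g_hook.after = after;
    g_hook.before_calls = g_hook.after_calls = 0;
    m->entry = trampoline;
    return 1;
}

/* Restore the original entry pointer. Returns 0 if the method is not hooked. */
int unhook_method(Class *cls, const char *name) {
    Method *m = find_method(cls, name);
    if (!m || m->entry != trampoline) return 0;
    m->entry = g_hook.original;
    memset(&g_hook, 0, sizeof g_hook);
    return 1;
}

/* Sample "app" methods, constructed for the demo. */
static int square(int x) { return x * x; }
static int negate(int x) { return -x; }

void build_sample_class(Class *cls) {
    cls->name = "com.example.Calc";   /* constructed class name */
    cls->methods[0] = (Method){ "square", square };
    cls->methods[1] = (Method){ "negate", negate };
    cls->nmethods = 2;
}

/* Example callbacks: clamp the argument before the call, double the result after. */
void clamp_before(int *arg) { if (*arg > 10) *arg = 10; }
void double_after(int *result) { *result *= 2; }

int hook_before_calls(void) { return g_hook.before_calls; }
int hook_after_calls(void) { return g_hook.after_calls; }

int main(void) {
    Class cls;
    build_sample_class(&cls);
    printf("square(4) unhooked  = %d\n", call_method(&cls, "square", 4));
    hook_method(&cls, "square", clamp_before, double_after);
    printf("square(4) hooked    = %d\n", call_method(&cls, "square", 4));
    printf("square(100) hooked  = %d (arg clamped to 10)\n", call_method(&cls, "square", 100));
    printf("negate(4) untouched = %d\n", call_method(&cls, "negate", 4));
    unhook_method(&cls, "square");
    printf("square(4) restored  = %d\n", call_method(&cls, "square", 4));
    return 0;
}
```

The point the model makes is the one in the answer: callers never change, they still resolve `square` through the class record, but because the entry pointer in that record now points at the trampoline, every invocation passes through the module's callbacks and only then reaches the original code. Unhooking is just writing the saved pointer back.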