An introduction to how Xposed framework functions and how to go about writing Xposed modules. session presented during Null / Garage4Hackers / OWASP combined meet on 12 Dec 2015 @Bangalore

1. XPOSED INTERNALS
What — Why — How — Examples — How-to — Demo

2. /usr/bin/whoami
~Security enthusiast
~Hobby programmer
~Python lover
~In search of the truth ! — Can be ignored :)

3. Std. Android Boot-up
• DADDY SPACE
# include Boot
Rom
ROM
# include Boot
Loader
Boot Media
# load kernel
# init h/w, drivers
# mount /
Memory
USER SPACE

4. Zygote Time !
• BETA SPACE
# load init.rc
Kernel
# run /system/bin/app_process (C++ exe)
# name the process ZYGOTE
init.rc
# start the DALVIK VM
# start the SYSTEM SERVER
# register SOCKET for Zygote to start apps
# run in Select Loop Mode to actually start
other apps
Zygote

5. Xposed
• What ?
• Why ?
• How ?

6. XPOSED

7. File System Profiling —
• app_process
• XposedBridge.jar
• hookMethodNative() - links argument method to
it’s own native implementation.

9. Interesting Modules
• JustTrustMe - https://github.com/Fuzion24/
JustTrustMe/
• RootCloak- https://github.com/devadvance/
rootcloak
• SQLCipeherHook - https://github.com/jakev/
SqlCipherHook

10. References
• http://elinux.org/Android_Booting
• http://elinux.org/Android_Zygote_Startup
• https://github.com/rovo89/XposedBridge/wiki/Development-tutorial
• http://forum.xda-developers.com/
• https://groups.google.com/forum/#!topic/android-platform/
• http://anatomyofandroid.com/2013/10/15/zygote/
• http://allenlsy.com/android-kernel-3/
• https://raw.githubusercontent.com/android/platform_frameworks_base/
• http://developer.android.com/
• http://stackoverflow.com/
• https://docs.oracle.com/javase/tutorial/reflect/