This document discusses the Xposed Framework, which allows modifying and hooking into system level Android apps. It covers how the Zygote process works in Android to launch new processes, and how Xposed hooks into this by intercepting calls to the ZygoteInit class. It then provides an overview of how to create an Xposed module to hook into and modify another app, using the System Clock app as an example.

1. Android Hook -
Xposed Framework
[Android Penetration Testing] Elven
2016/06

2. Who am I?
• Elven Liu
•
•
•
•
• HITCON GIRLS [Android Penetration Testing]
• liuelven@gmail.com
• www.linkedin.com/in/liu-elven

3. Outline
• Zygote
• Xposed Framework
•
• Hook System Clock

4. Zygote

5. Zygote
•
• =
• zygote system/bin/app_process
• Android
Zygote

6. Activity
Service
New
Activity
Process
Accept Socket
Connection
Select fd
Read Argument
Parse Argument
Fork() a app_process
Zygote
Socket
fork()
Android

7. Activity
Service
New
Activity
Process
Accept Socket
Connection
Select fd
Read Argument
Parse Argument
Fork() a app_process
Zygote
Fork()

8. Xposed
Framework

9. • rovo89, Tungstwenty
• Source: https://github.com/rovo89
• Module Repository: http://repo.xposed.info/
• systemui,
systemserver…….

10. • XposedBridge API xposed framework Java
Jar Package
• XposeInstall Xposed APP
• Xposed: xposed app_process /system/
bin/ app_process .orig

11. WARNING ROM Xposed
Xposed Recovery

12. Activity
Service
New
Activity
Process
Accept Socket
Connection
Select fd
Read Argument
Parse Argument
Fork() a app_process
Zygote
com.android.internal.os.ZygoteInit

13. Activity
Service
New
Activity
Process
Accept Socket
Connection
Select fd
Read Argument
Parse Argument
Fork() a app_process
Zygote
de.robv.android.xposed.XposedBridge

14. Activity
Service
New
Activity
Process
Accept Socket
Connection
Select fd
Read Argument
Parse Argument
Fork() a app_process
Zygote
de.robv.android.xposed.XposedBridge
Input

16. Android
Xposed
Installer APK (4.0)
URL: http://repo.xposed.info/
module/
Xposed
Bridge API (54)
URL: http://forum.xda-developers.com/
xposed/xposed-api-changelog-developer-
news-t2714067

17. Hook
Static Analysis
Hook
Find Target APK

18. Find Target APK
Static Analysis
reset
Decompiler apk
Find Target
*package Name
*class
*function
Create a Project
Import xposed api
write java code
Root
Hook Success
exposed install

19. Hook
System Clock
https://github.com/rovo89/XposedBridge/
wiki/Development-tutorial

20. Create a Project

21. build.gradle
1
2
3

23. AndroidManifest.xml
<meta-data
android:name="xposedmodule"
android:value="true"/>
<meta-data
android:name="xposeddescription"
android:value="Hooking Module for Clock" />
<meta-data
android:name="xposedminversion"
android:value="54" />

24. assets

25. create java class
• Xposed API
• http://api.xposed.info/reference/de/robv/android/
xposed/
XC_MethodHook.MethodHookParam.html

26. Demo