How does VirtualXposed work

weishu edited this page Sep 18, 2019 · 2 revisions

Project Structure

VirtualXposed consists of four modules:

  1. All apps run inside VirtualApp - a container-like library (like Docker) that wraps around some Android system calls to allow APKs to run as plugins inside the original app. It is not free for commercial use, though; that requires the purchase of a license.
  2. Uses Epic to actually process Xposed hooks - an open-source library, inspired by Xposed itself, that lets developers "hook" into Java methods in their own apps.
  3. Uses a simple compatibility layer, Exposed - a fully open-source compatibility layer for Xposed. It loads Xposed modules and provides some basic services (such as dealing with unsupported features: initForZygote/resource hooks).
  4. For the UI, uses Launcher3 - a fork of the popular (and open-source) Rootless Pixel Launcher, modified for multi-user scenarios.

Launcher3 and VirtualApp are project dependencies in VirtualXposed; Exposed and Epic are included as AAR dependencies.

How does VirtualApp work?

First, you can read my blog and follow my tutorial:

My Blog: http://weishu.me/2016/01/28/understand-plugin-framework-overview

My Tutorial: https://github.com/tiann/understand-plugin-framework

These articles explain how the Android Framework works and how a plugin framework hooks into the system to establish a virtual environment.

If you are familiar with the Android Framework, you can read the source code of the demo.

But sorry, it is entirely in Chinese; lots of Chinese people say it is the best way to understand DroidPlugin/VirtualApp.

Then, you can read the VirtualAppDoc: https://github.com/prife/VirtualAppDoc.

In VirtualXposed, the source code of VirtualApp lives in https://github.com/android-hacker/VirtualXposed/tree/vxp/VirtualApp/lib

The structure of VirtualApp:

JNI:

https://github.com/android-hacker/Vi...jni/Foundation and https://github.com/android-hacker/Vi...c/main/jni/Jni: mainly for IO redirection, so that apps inside VirtualApp access the correct file system. They also do some native hooks for special APIs (for example, Camera must be hooked in native code, disabling JIT, etc.).

https://github.com/android-hacker/Vi...in/jni/HookZz: (removed) This is an inline hook library; it is fully open source. The project is at https://github.com/jmpews/HookZz

https://github.com/android-hacker/Vi...jni/Substrate: Another inline hook library. It seems to be closed source, but I don't know how the author of VirtualApp got the source code...

https://github.com/android-hacker/Vi...c/main/jni/fb: the JNI framework from Facebook.
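
The IO redirection described above for jni/Foundation and jni/Jni, reduced to its path-mapping step. This is an added example, not code from VirtualApp: the rule table, package names and directory layout are constructed, and a hooked file function is assumed to pass its path argument through `redirect_path` before calling the real one.

```c
#include <stdio.h>
#include <string.h>

/* One rule: anything under `from` (the path the guest app asks for) is
 * rewritten to live under `to` (a private directory owned by the host app). */
struct redirect_rule { const char *from; const char *to; };

/* Constructed rules: package names and directory layout are assumptions. */
#define HOST "/data/data/com.example.host/virtual"
static const struct redirect_rule RULES[] = {
    { "/data/data/com.example.guest",       HOST "/data/user/0/com.example.guest" },
    { "/data/data/com.example.guest/cache", HOST "/cache/com.example.guest" },
};

/* True when `path` equals `prefix` or continues it at a '/' boundary, so
 * "com.example.guest" never captures "com.example.guestbook". */
static int under(const char *path, const char *prefix, size_t plen)
{
    return strncmp(path, prefix, plen) == 0 &&
           (path[plen] == '\0' || path[plen] == '/');
}

/* Rewrites `path` into `out` using the longest matching rule. `path` is
 * assumed absolute and already canonical (no "..", no "//").
 * Returns 1 if redirected, 0 if passed through, -1 if `out` is too small. */
int redirect_path(const char *path, char *out, size_t outlen)
{
    const struct redirect_rule *best = NULL;
    size_t best_len = 0;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        size_t len = strlen(RULES[i].from);
        if (len > best_len && under(path, RULES[i].from, len)) {
            best = &RULES[i];
            best_len = len;
        }
    }
    int n = best ? snprintf(out, outlen, "%s%s", best->to, path + best_len)
                 : snprintf(out, outlen, "%s", path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : (best != NULL);
}

int main(void)
{
    char buf[256];
    const char *asked = "/data/data/com.example.guest/files/a.db";
    if (redirect_path(asked, buf, sizeof buf) >= 0)
        printf("%s -> %s\n", asked, buf);
    return 0;
}
```

Paths outside every rule are passed through unchanged, which is why the guest app still sees the ordinary system directories.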

Java:

https://github.com/android-hacker/Vi...n/java/mirror: the reflection framework of VirtualApp. It makes reflection convenient to use, and it is really elegant.

https://github.com/android-hacker/Vi.../java/android: some hidden APIs of the Android Framework, copied here so the project compiles.

https://github.com/android-hacker/Vi...irtual/server: the server process of VirtualApp. For example, where the Android Framework has ActivityManagerService and PackageManagerService, VirtualApp has VActivityManagerService. The path a process takes to communicate with the Android Framework is: Client process -> VirtualApp's server process (virtual system server) -> Android Framework's system service.

https://github.com/android-hacker/Vi...irtual/client: mainly for hooks in the client process (apps running inside VirtualApp are all client processes). There are four types of process in VirtualApp:

  1. Virtual server process (with hooks of AMS & PMS)
  2. Virtual client process (with hooks of all Android system services)
  3. UI process (a normal process)
  4. Other processes (such as native processes)

https://github.com/android-hacker/Vi...dy/virtual/os: the multi-user system of VirtualApp and some environment settings, such as the directory structure.

https://github.com/android-hacker/Vi...irtual/remote: Parcel data structures for IPC between the virtual client process and the virtual server process.

If you want to read the source code of VirtualApp, this class is the best entry point: https://github.com/android-hacker/Vi...rtualCore.java.

How does Epic work?

You can refer to my write-up of the design process of Epic: http://weishu.me/2017/11/23/dexposed-on-art/ The article introduces many ways to hook, and explains how Epic solves the problems encountered in the past and why Epic does it that way.

Sorry, it is in Chinese again...

And then, you can read the paper: https://publications.cispa.saarland/143/ It is strongly recommended reading!

In fact, Epic was inspired by https://github.com/mar-v-in/ArtHook; you can also read its source code.

How does VirtualXposed work?

VirtualXposed loads Xposed modules at the entry point of VirtualApp's client process and injects the Xposed ClassLoader into that process so that Xposed modules can call the Xposed API; Epic provides the ability to hook. That's all.

All this work is done in https://github.com/android-hacker/exposed