Author: Pei Guangyong

Xposed is a well-known open-source framework for the Android platform, written by Rovo89. It can dynamically modify the Android system or installed applications, giving users the ability to customize the system or individual apps. Xposed consists of two parts: the Xposed framework and Xposed modules. The framework provides Java hook capability; modules run on top of the framework and use the Java hooks it provides to modify the system or a target application at runtime.

The Xposed source code is hosted at github.com/rovo89. The structure of the Xposed code repositories is shown below:

Installing Xposed requires replacing files in the system partition: specifically, the stock app_process binary in the Android system partition is replaced with a modified app_process (on the ART virtual machine, libart.so is replaced as well). The left half of the image shows the normal start-up process of an Android application; the right half shows the start-up process of an Android application once Xposed is installed.

Relying on root permission to replace system-partition files is one way for Xposed to reach its goal. Is there another implementation path?

The goal is for Xposed modules to run normally inside the target application. From an analysis of the Xposed source code, the core logic can be summarized as follows: when the target application starts, take control of the target application's process, set up the Xposed runtime environment (mainly the Xposed framework), load the Xposed modules and start them. That is what allows an Xposed module to run normally in a target application.

Because of Android's permission model, a third-party application cannot control the processes of other applications; operations inside its own application, however, have no permission problem, because everything there runs under the same Linux user. So if an Android application can provide a sandbox that "dual-opens" (runs a second copy of) other Android applications, and at the same time provides Java hook capability, Xposed can be run on a non-rooted phone. This is technically feasible.

The following introduces application dual-open and the Xposed port in detail. First, the overall architecture diagram:


1. Application dual-open

The core principle of dual-open applications is to use sandbox technology to virtualize an Android system.

Android virtualization here means using hooking techniques and a sandbox mechanism to simulate an Android system inside an ordinary Android application. Dual-opened applications run on the virtualized Android system and are completely isolated from the external, real Android system.

To virtualize an Android system, the following work has to be done first:

  • Construction and initialization of the application runtime environment

  • Life-cycle management of the four Android component types

  • Transparent communication between the dual-opened app and the Android system

  • I/O redirection
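As an added illustration (not code from the original article or from any dual-open product), the following C program models what the "I/O redirection" item above means: the sandbox intercepts file-system calls made by the guest app and rewrites guest-visible paths into a per-guest subtree under the host app's own data directory, which is the only place the host is allowed to write. Real sandboxes do this by hooking libc entry points such as open(); only the path-rewriting rule is modelled here, and the package names, directory layout and HOST_ROOT are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Host app's private directory; the sandbox keeps each guest's files
   below it.  Package names and paths are constructed for the example. */
#define HOST_ROOT "/data/data/com.example.host/virtual"

typedef struct {
    const char *guest_prefix;   /* path as the sandboxed app sees it */
    const char *host_prefix;    /* where the host actually stores it */
} redirect_rule;

static const redirect_rule rules[] = {
    { "/data/data/com.example.guest",   HOST_ROOT "/data/com.example.guest" },
    { "/data/user/0/com.example.guest", HOST_ROOT "/data/com.example.guest" },
    { "/sdcard/Android/data/com.example.guest",
      HOST_ROOT "/sdcard/Android/data/com.example.guest" },
};

/* Match whole path components: "/data/data/com.example.guest" must match
   ".../com.example.guest/files" but not ".../com.example.guestX". */
static int prefix_matches(const char *path, const char *prefix, size_t *len) {
    size_t n = strlen(prefix);
    if (strncmp(path, prefix, n) != 0) return 0;
    if (path[n] != '\0' && path[n] != '/') return 0;
    *len = n;
    return 1;
}

/* Rewrite `in` into `out`.  Returns 1 if a rule applied, 0 if the path is
   passed through unchanged (system paths such as /system/lib must remain
   visible), -1 if the result does not fit in `outsz` bytes. */
int redirect_path(const char *in, char *out, size_t outsz) {
    size_t n;
    /* A path already inside the host tree is never rewritten again: a guest
       that stat()s the result of an earlier redirect must not receive a
       doubly prefixed path. */
    if (!prefix_matches(in, HOST_ROOT, &n)) {
        for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
            if (prefix_matches(in, rules[i].guest_prefix, &n)) {
                int w = snprintf(out, outsz, "%s%s", rules[i].host_prefix, in + n);
                return (w < 0 || (size_t)w >= outsz) ? -1 : 1;
            }
        }
    }
    if (strlen(in) >= outsz) return -1;
    strcpy(out, in);
    return 0;
}

/* Check helper: does redirecting `in` yield exactly `expected`? */
int redirects_to(const char *in, const char *expected) {
    char buf[256];
    if (redirect_path(in, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

/* Check helper: status code only, with an output buffer of `outsz` bytes. */
int redirect_status(const char *in, size_t outsz) {
    char buf[256];
    return redirect_path(in, buf, outsz > sizeof buf ? sizeof buf : outsz);
}

int main(void) {
    const char *samples[] = {
        "/data/data/com.example.guest/files/app.db",
        "/data/data/com.example.guestX/files/app.db",
        "/system/lib/libc.so",
        HOST_ROOT "/data/com.example.guest/files/app.db",
    };
    char out[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = redirect_path(samples[i], out, sizeof out);
        printf("%2d  %s -> %s\n", r, samples[i], out);
    }
    return 0;
}
```

Two details matter in practice and are the reason the rule table is not a plain string replace: prefixes are matched on whole path components, so a neighbouring package with a longer name is not captured by the guest's rule, and paths that already point into the host tree are left alone, so a redirected path handed back to the guest is stable across repeated calls.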


2. Xposed transplantation

Porting the Xposed framework involves two parts. One is porting the C++ part of the framework, specifically the Java hook native libraries (libxposed_dalvik.so and libxposed_art.so); the other is porting the Java part of the framework, specifically XposedBridge.jar.

Porting libxposed_dalvik.so is relatively simple: the native code needs no modification and can be used directly after compilation. Porting libxposed_art.so is relatively complex, because part of its implementation relies on the modified libart.so; porting it therefore requires implementing a new Java hook mechanism. Porting XposedBridge.jar mainly means reorganizing the code that loads Xposed modules and starts them.

Currently there are two main ways to implement a Java hook in the ART virtual machine: inline hooking, and virtual-machine method replacement.

When loading a class, the ART virtual machine resolves each method of the class into an ArtMethod structure, which holds the runtime information the method needs, including the address of the instruction entry point to be executed. These entry-point addresses are what make Java hooks possible.

An inline hook is an internal-jump hook: it overwrites the instructions at the beginning of the target function with a jump instruction so that execution jumps into the hook's own function, normally leaving the calling interface of the original function intact. Its disadvantage is that it cannot hook functions that are too short to hold the jump. The principle of inline hooking is shown below:

Virtual-machine method replacement: at the native layer, the ArtMethod structure of the original method is replaced with that of the new method, so that the new method's instructions execute whenever the original method is invoked. Because the fields of the ArtMethod structure differ between Android versions, each version needs its own implementation. Below is example code for method replacement on Android 6.0:
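The Android 6.0 code referred to above survives only as an image, so here is an added, stand-alone C model of the method-replacement idea (it is not Xposed's code and not the article's): a toy runtime resolves each method into a struct that, like ART's ArtMethod, carries access flags and the entry point jumped to on invocation; hooking copies the replacement method's struct over the original's after saving a backup through which the hook can still call the original. The toy_method layout, the method table and the names hook_impl and hook_method are invented for the example; the real ArtMethod layout is different and version-dependent, which is exactly why each Android version needs its own implementation.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for ART's ArtMethod (layout invented for this example). */
typedef struct toy_method {
    const char *name;               /* logging only */
    uint32_t    access_flags;       /* ACC_* bits in the real structure */
    uint32_t    dex_method_index;   /* identity of the method in its dex */
    /* Entry point the runtime jumps to when the method is invoked; this is
       the slot that both hook styles ultimately redirect. */
    int       (*entry_point)(struct toy_method *self, int arg);
} toy_method;

/* The original "Java" method: Target.compute(int) returns arg * 2. */
static int original_impl(toy_method *self, int x) { (void)self; return x * 2; }

static toy_method g_backup;        /* copy of the original, taken at hook time */
static int g_hook_calls;           /* how many times the hook has run */

/* The replacement.  It wraps the original the way XposedBridge's
   beforeHookedMethod/afterHookedMethod callbacks do: adjust the argument,
   call the original through the backup, adjust the result. */
static int hook_impl(toy_method *self, int x) {
    (void)self;
    g_hook_calls++;
    int r = g_backup.entry_point(&g_backup, x + 1);
    return r + 100;
}

/* Overwrite `target` with `replacement` in place.  Everything that already
   points at `target` (method tables, vtables, resolved call sites) now
   reaches the replacement without being touched.  Returns 0 on success,
   -1 if the method is already hooked: hooking twice would put the hook
   itself into the backup and recurse forever. */
static int hook_method(toy_method *target, toy_method *backup,
                       const toy_method *replacement) {
    if (target->entry_point == replacement->entry_point) return -1;
    *backup = *target;
    uint32_t idx = target->dex_method_index;
    const char *name = target->name;
    *target = *replacement;           /* the "struct replacement" step */
    target->dex_method_index = idx;   /* keep the original's identity */
    target->name = name;
    return 0;
}

/* "Class loading" produced this method table. */
static toy_method g_methods[] = {
    { "Target.compute", 0x0001u, 7u, original_impl },
};
static const toy_method g_replacement = { "Hook.compute", 0x0001u, 0u, hook_impl };

/* Invoke through the table, as the runtime would. */
int invoke_compute(int x)  { return g_methods[0].entry_point(&g_methods[0], x); }
int install_hook(void)     { return hook_method(&g_methods[0], &g_backup, &g_replacement); }
int hook_call_count(void)  { return g_hook_calls; }

int main(void) {
    printf("before hook: compute(5) = %d\n", invoke_compute(5));   /* 10 */
    install_hook();
    printf("after hook:  compute(5) = %d\n", invoke_compute(5));   /* 112 */
    printf("second install: %d (already hooked)\n", install_hook());
    return 0;
}
```

The point the model makes is the one the paragraph states: nothing that calls the method has to change, because the dispatch structure itself is rewritten. The backup copy is what lets the hook still reach the original, and the already-hooked check illustrates a failure mode real frameworks must guard against, since a second replacement would otherwise capture the hook as the "original".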

Conclusion

This article has analyzed, from a technical point of view, the implementation path for running Xposed plugins inside an Android application without root. On the market there is already an application that supports running Xposed plugins, "myclone master X version", which implements running Xposed plugins inside a dual-open application. From a product standpoint, supporting Xposed on non-rooted phones is fully feasible.
