Xposed Source Code Analysis--Overview


Xposed is a tool as well known as Cydia. It lets Android devices change the results returned by system APIs at run time without modifying any source code. It is often called "God mode".

Earlier posts covered the basics of Xposed: what it does and its simplest usage. So how does it work, and how is it put together internally? Below we look at how its author, rovo89, built it on GitHub.

rovo89's GitHub address: https://github.com/rovo89

On the homepage we see that Xposed is actually composed of three projects, as shown:

The three projects are:

Project: Description
Xposed: Native part of the Xposed framework (mainly the modified app_process binary)
XposedInstaller: Android-side local management for the Xposed framework: environment setup and a download tool for third-party module resources.
XposedBridge: The Xposed APIs for developers and the corresponding utility class library

The composition of XposedInstaller

This project is the one we use most often and, of course, it is also a core part of building Xposed. (You might say that the Xposed project is actually more important, since it is mainly what replaces app_process; we will come back to that later.)

As shown, this is the screen in the XposedInstaller APK from which the Xposed framework is installed.

In InstallerFragment we can find the install() method. Its main job is to replace the system's app_process file with the custom app_process file, using one of several installation modes.

    /**
     * Xposed install
     * @return true if the installation succeeds, otherwise false
     */
    private boolean install() {
        // Get the installation mode: write directly, or install via recovery
        final int installMode = getInstallMode();

        // Check that root permission can be obtained
        if (!startShell())
            return false;

        List<String> messages = new LinkedList<String>();
        boolean showAlert = true;
        try {
            messages.add(getString(R.string.sdcard_location, XposedApp.getInstance().getExternalFilesDir(null)));
            messages.add("");

            messages.add(getString(R.string.file_copying, "Xposed-Disabler-Recovery.zip"));
            // Copy Xposed-Disabler-Recovery.zip from the assets to the SD card
            if (AssetUtil.writeAssetToSdcardFile("Xposed-Disabler-Recovery.zip", 00644) == null) {
                messages.add("");
                messages.add(getString(R.string.file_extract_failed, "Xposed-Disabler-Recovery.zip"));
                return false;
            }

            // Copy the compiled app_process binary from the assets folder to
            // /data/data/de.robv.android.xposed.installer/bin/app_process
            File appProcessFile = AssetUtil.writeAssetToFile(APP_PROCESS_NAME,
                    new File(XposedApp.BASE_DIR + "bin/app_process"), 00700);
            if (appProcessFile == null) {
                showAlert(getString(R.string.file_extract_failed, "app_process"));
                return false;
            }

            if (installMode == INSTALL_MODE_NORMAL) {
                // Normal installation mode
                // Remount /system read-write
                messages.add(getString(R.string.file_mounting_writable, "/system"));
                if (mRootUtil.executeWithBusybox("mount -o remount,rw /system", messages) != 0) {
                    messages.add(getString(R.string.file_mount_writable_failed, "/system"));
                    messages.add(getString(R.string.file_trying_to_continue));
                }

                // Check whether the original app_process has already been backed up;
                // if not, back it up now
                if (new File("/system/bin/app_process.orig").exists()) {
                    messages.add(getString(R.string.file_backup_already_exists, "/system/bin/app_process.orig"));
                } else {
                    if (mRootUtil.executeWithBusybox("cp -a /system/bin/app_process /system/bin/app_process.orig", messages) != 0) {
                        messages.add("");
                        messages.add(getString(R.string.file_backup_failed, "/system/bin/app_process"));
                        return false;
                    } else {
                        messages.add(getString(R.string.file_backup_successful, "/system/bin/app_process.orig"));
                    }

                    mRootUtil.executeWithBusybox("sync", messages);
                }

                // Overwrite the system's app_process with the project's custom
                // app_process, then set its permissions and owner
                messages.add(getString(R.string.file_copying, "app_process"));
                if (mRootUtil.executeWithBusybox("cp -a " + appProcessFile.getAbsolutePath() + " /system/bin/app_process", messages) != 0) {
                    messages.add("");
                    messages.add(getString(R.string.file_copy_failed, "app_process", "/system/bin"));
                    return false;
                }
                if (mRootUtil.executeWithBusybox("chmod 755 /system/bin/app_process", messages) != 0) {
                    messages.add("");
                    messages.add(getString(R.string.file_set_perms_failed, "/system/bin/app_process"));
                    return false;
                }
                if (mRootUtil.executeWithBusybox("chown root:shell /system/bin/app_process", messages) != 0) {
                    messages.add("");
                    messages.add(getString(R.string.file_set_owner_failed, "/system/bin/app_process"));
                    return false;
                }
            } else if (installMode == INSTALL_MODE_RECOVERY_AUTO) {
                // Enter recovery automatically
                if (!prepareAutoFlash(messages, "Xposed-Installer-Recovery.zip"))
                    return false;
            } else if (installMode == INSTALL_MODE_RECOVERY_MANUAL) {
                // Enter recovery manually
                if (!prepareManualFlash(messages, "Xposed-Installer-Recovery.zip"))
                    return false;
            }

            File blocker = new File(XposedApp.BASE_DIR + "conf/disabled");
            if (blocker.exists()) {
                messages.add(getString(R.string.file_removing, blocker.getAbsolutePath()));
                if (mRootUtil.executeWithBusybox("rm " + blocker.getAbsolutePath(), messages) != 0) {
                    messages.add("");
                    messages.add(getString(R.string.file_remove_failed, blocker.getAbsolutePath()));
                    return false;
                }
            }

            // Copy XposedBridge.jar
            messages.add(getString(R.string.file_copying, "XposedBridge.jar"));
            File jarFile = AssetUtil.writeAssetToFile("XposedBridge.jar", new File(JAR_PATH_NEWVERSION), 00644);
            if (jarFile == null) {
                messages.add("");
                messages.add(getString(R.string.file_extract_failed, "XposedBridge.jar"));
                return false;
            }

            mRootUtil.executeWithBusybox("sync", messages);

            showAlert = false;
            messages.add("");
            if (installMode == INSTALL_MODE_NORMAL) {
                offerReboot(messages);
            } else {
                offerRebootToRecovery(messages, "Xposed-Installer-Recovery.zip", installMode);
            }
            return true;
        } finally {
            // Delete the BusyBox tool
            AssetUtil.removeBusybox();

            if (showAlert)
                showAlert(TextUtils.join("\n", messages).trim());
        }
    }

Having read the code, we find that all of this work serves one purpose: replacing the app_process file. So what does app_process do in the system? Why does it need to be replaced? What is it replaced with? And what does replacing it achieve?

Xposed principle

We can see the following in the init.rc file in the Android source code:

    service zygote /system/bin/app_process -Xzygote /system/bin --zygote --start-system-server
        socket ... 666
        onrestart write ...
        onrestart write ... on
        onrestart restart media
        onrestart restart netd

app_process is the Android app launcher (specifically, zygote calls fork() to create an app_process that serves as the carrier for each Android app).
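A defender-side check for the replacement that install() performs, tied to the init.rc entry above. This is an added example, not code from the original article or from the Xposed project; the function names are hypothetical, and the directory passed in is assumed to be an extracted or mounted copy of the device filesystem with init.rc at its top level.

```shell
#!/bin/sh
# Added example: audit an extracted Android filesystem tree for the
# app_process replacement that install() performs. Function names are
# hypothetical; $1 (ROOT) is assumed to hold init.rc, system/ and data/.

# Print the binary that the "service zygote" line of init.rc launches.
zygote_binary() {
    awk '$1 == "service" && $2 == "zygote" { print $3; exit }' "$1"
}

# Print one finding per line; return 1 if an install indicator exists.
audit_app_process() {
    root=$1
    bin=
    if [ -f "$root/init.rc" ]; then
        bin=$(zygote_binary "$root/init.rc")
    fi
    # Fall back to the path hard-coded in install().
    [ -n "$bin" ] || bin=/system/bin/app_process
    inst=/data/data/de.robv.android.xposed.installer
    found=0

    # install() keeps the stock binary as <binary>.orig before overwriting.
    if [ -e "$root$bin.orig" ]; then
        echo "BACKUP_PRESENT $bin.orig"
        found=1
        # The backup is made with cp -a, so any difference means the
        # launcher that zygote runs is no longer the stock one.
        if ! cmp -s "$root$bin" "$root$bin.orig"; then
            echo "BINARY_REPLACED $bin"
        fi
    fi
    # Staging copy that the installer extracts from its assets.
    if [ -e "$root$inst/bin/app_process" ]; then
        echo "INSTALLER_STAGING $inst/bin/app_process"
        found=1
    fi
    # install() removes this blocker file if it exists.
    if [ -e "$root$inst/conf/disabled" ]; then
        echo "BLOCKER_FILE $inst/conf/disabled"
    fi
    return "$found"
}

if [ "$#" -gt 0 ]; then
    audit_app_process "$1"
fi
```

A BACKUP_PRESENT line without BINARY_REPLACED means the backup and the live binary are byte-identical, as after the stock file has been restored.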

Xposed's implementation scheme

Depending on which process is targeted, hooks can be divided into global hooks and hooks on a single application process. In Android, application processes are hatched (forked) by the zygote process, and the zygote process is started by the init process.

The zygote process creates a Dalvik virtual machine instance at startup. Whenever it hatches a new application process, it copies that Dalvik virtual machine instance into the new process, so each application process has its own separate Dalvik virtual machine instance. So if you hook the zygote process, the hook reaches every application process on the system, i.e. it is a global hook. As shown in the following:

/*
* @author Zhoushengtao (Zhou San)
* @since August 18, 2015 19:41:32
* @weixin stchou_zst
* @blog http://blog.csdn.net/yzzst
* @ Exchange Learning QQ Group: 341989536
* @ Private qq:445914891
/

Copyright NOTICE: Reprint please mark: Http://blog.csdn.net/yzzst. This article for Bo Master original article, without Bo Master permission not reproduced.
