Introduction to Xposed Framework and Runtime Hooking

The Xposed Framework is a powerful tool for Android developers and reverse engineers, enabling the modification of system and application behavior at runtime without touching any APKs. Unlike traditional methods that require decompiling, modifying, and recompiling an application, Xposed modules inject custom code directly into processes. This allows for unparalleled flexibility in customizing Android, implementing security features, or even for software reverse engineering tasks. This guide will walk you through setting up a complete Xposed development environment and developing your first module, taking you from a rooted device to mastering runtime hooking.

Prerequisites for Xposed Module Development

Before diving into Xposed module development, ensure you have the following:

• A rooted Android device or emulator: Xposed requires root access to function. We recommend a physical device for a more realistic testing environment, but an emulator with root access (like an AVD in Android Studio with Google APIs and `root` access enabled) can also work.
• Android Studio: The official IDE for Android development.
• Basic knowledge of Java/Kotlin and Android application structure.
• adb (Android Debug Bridge) installed and configured on your system.

Setting Up Your Android Development Environment

First, ensure your Android development environment is ready.

1. Install Android Studio

If you haven’t already, download and install Android Studio. Follow the on-screen instructions to set up the necessary SDK components.

2. Configure a Rooted Device or Emulator

Physical Device:

Rooting an Android device is a device-specific process, typically involving unlocking the bootloader and flashing a custom recovery (like TWRP), then installing a root solution like Magisk. This guide assumes your device is already rooted. Verify root access using a ‘Root Checker’ app from the Play Store or by running adb shell su -c id which should return uid=0(root).

Emulator:

When creating a new Android Virtual Device (AVD) in Android Studio, select an image with Google APIs. Once the emulator is running, you can often gain root by:

1. Restarting the emulator with writable system:

   emulator -avd YourAVDName -writable-system

2. From your host machine, run:

   adb rootadb disable-verityadb remount

Installing the Xposed Framework

For modern Android versions (Android 8.0+), the original Xposed Framework is no longer maintained. Instead, we use Magisk-based alternatives like LSPosed (recommended) or EdXposed. These work as Magisk modules and rely on Riru.

1. Install Magisk

Ensure Magisk is installed and fully operational on your rooted device. If you’re using an emulator, you might need a pre-rooted emulator image or specific steps to install Magisk.

2. Install Riru (if not already present with LSPosed)

LSPosed requires the Riru module. In the Magisk app, go to “Modules,” tap “Install from storage,” and install the latest Riru ZIP file. Reboot your device.

3. Install LSPosed

Download the latest LSPosed (Zygisk or Riru version, depending on your Magisk setup) ZIP file from its GitHub releases page. In the Magisk app, go to “Modules,” tap “Install from storage,” and select the LSPosed ZIP. After installation, reboot your device.

4. Verify Xposed Installation

After reboot, you should find the LSPosed Manager app in your app drawer. Open it. The main screen should indicate that the framework is active. This confirms your Xposed environment is ready.

Developing Your First Xposed Module

Now, let’s create a simple Xposed module that hooks the `Toast` class to modify messages.

1. Create a New Android Studio Project

Open Android Studio, select “New Project,” choose “Empty Activity,” and name your application (e.g., “MyFirstXposedModule”). Set the minimum SDK to an appropriate version (e.g., API 24: Android 7.0 Nougat).

2. Add Xposed API Dependency

Open your module’s `build.gradle` file and add the Xposed API as a `compileOnly` dependency. This prevents the API from being packaged into your APK, as it’s provided by the Xposed Framework itself at runtime.

dependencies {    implementation 'androidx.appcompat:appcompat:1.6.1'    // ... other dependencies    compileOnly 'de.robv.android.xposed:api:82'    compileOnly 'de.robv.android.xposed:api:82:sources'}

Sync your project with Gradle files.

3. Create `xposed_init` Asset File

In your module’s `src/main` directory, create a new folder named `assets`. Inside `assets`, create a new file named `xposed_init` (no extension). This file must contain the fully qualified name of your main Xposed module class. For example, if your package is `com.example.myfirstxposedmodule` and your main class is `MainHook`, the content of `xposed_init` would be:

com.example.myfirstxposedmodule.MainHook

4. Implement Your Main Hook Class

Create a new Java class (e.g., `MainHook.java`) in your package. This class must implement the `IXposedHookLoadPackage` interface, which has a single method: `handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam)`. This method is called for every loaded package on the system.

package com.example.myfirstxposedmodule;import de.robv.android.xposed.IXposedHookLoadPackage;import de.robv.android.xposed.XC_MethodHook;import de.robv.android.xposed.XposedBridge;import de.robv.android.xposed.callbacks.XC_LoadPackage;import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;public class MainHook implements IXposedHookLoadPackage {    @Override    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {        // Log the package name to see which app is being loaded        XposedBridge.log("Loaded app: " + lpparam.packageName);        // We want to hook the Toast class in Android's framework        // This hook will apply to all apps that use Toast        if (!lpparam.packageName.equals("android")) {            findAndHookMethod(                android.widget.Toast.class,                "makeText",                android.content.Context.class,                CharSequence.class,                int.class,                new XC_MethodHook() {                    @Override                    protected void beforeHookedMethod(MethodHookParam param) throws Throwable {                        // param.args[1] is the CharSequence (message)                        if (param.args[1] != null) {                            String originalMessage = param.args[1].toString();                            XposedBridge.log("Original Toast: " + originalMessage);                            // Modify the toast message                            param.args[1] = "[XPOSED] " + originalMessage + " (Hooked!)";                        }                    }                    @Override                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {                        // You can also inspect or modify the return value here if needed                        // Toast toast = (Toast) param.getResult();                        // toast.setText("Modified after hook!"); // This would change the toast again                    }                }            );        }    }}

5. Modify `AndroidManifest.xml`

Add metadata to your `AndroidManifest.xml` within the “ tag to declare your module to Xposed. Replace `YOUR_MODULE_DESCRIPTION` and `YOUR_API_VERSION` with appropriate values. The API version should match the Xposed API level you’re targeting (e.g., `82` for API 82).

<application    android:allowBackup="true"    android:icon="@mipmap/ic_launcher"    android:label="@string/app_name"    android:roundIcon="@mipmap/ic_launcher_round"    android:supportsRtl="true"    android:theme="@style/Theme.MyFirstXposedModule">    <activity        android:name=".MainActivity"        android:exported="true">        <intent-filter>            <action android:name="android.intent.action.MAIN" />            <category android:name="android.intent.category.LAUNCHER" />        </intent-filter>    </activity>    <!-- Xposed Module Declarations -->    <meta-data        android:name="xposedmodule"        android:value="true" />    <meta-data        android:name="xposeddescription"        android:value="A simple Xposed module that hooks Toast messages." />    <meta-data        android:name="xposedminversion"        android:value="82" /></application>

Building, Deploying, and Activating Your Module

1. Build the APK

In Android Studio, go to `Build` > `Build Bundle(s) / APK(s)` > `Build APK(s)`. This will generate a debug APK in your project’s `app/build/outputs/apk/debug/` directory.

2. Install the APK on Your Device

Copy the generated APK to your rooted device or install it via ADB:

adb install path/to/your/app-debug.apk

3. Activate the Module in LSPosed Manager

Open the LSPosed Manager app on your device. Navigate to the “Modules” section. You should see your “MyFirstXposedModule” listed. Tap on it, and enable the toggle for your module. LSPosed Manager will prompt you to reboot your device for changes to take effect. Confirm and reboot.

4. Test Your Module

After your device reboots, open any application that uses Toast messages (e.g., a browser, or an app that displays