
In‑Depth Analysis of Xposed Framework Initialization and Hook Mechanism on Android

This article provides a detailed technical walkthrough of how the Xposed framework replaces the Android Zygote process, initializes its runtime, registers services, and hooks methods by examining the main, initialize, startAll, and onVmCreated functions along with installation steps.

Tongcheng Travel Technology Center

Background: After the Xposed framework is installed, it replaces the app_process binary in /system/bin/, which is the executable that starts the Android Zygote process. The analysis below follows the app_process implementation as its main thread to explain how Xposed works.

The analysis starts from the main function. Inside main, the framework first calls initialize to set up the Xposed runtime environment, then calls runtimeStart to launch it.

The initialize function performs three key tasks: it populates the members of the XposedShared object, invokes startAll() to start all Xposed services, and adds XposedBridge.jar to the system classpath and the Zygote address space via addJarToClasspath().

The startAll() implementation (shown in the accompanying image) handles service startup: when SELinux is enabled it allocates shared memory for Xposed, forks a child process, and in the child calls systemService and appService to register the required services.

The appService code (image) obtains the remote ServiceManager via defaultServiceManager(), creates a BpServiceManager instance, and registers a new service with addService. This service is used for IPC between processes.

Further Android VM startup logic is illustrated with another diagram. Xposed implements its own Runtime (image). The onVmCreated callback enters xposed::onVmCreated, which uses dlopen to load the Xposed shared library (an ART and a Dalvik version exist), then calls the xposedInitLib entry point. That entry point in turn invokes an onVmCreated overload, which leads to the source file libxposed_art.cpp (image).

In xposedInitLib, the function pointer for onVmCreated is set to onVmCreatedCommon. That common function calls initXposedBridge and initZygoteService to finish initialization. initXposedBridge locates the class CLASS_XPOSED_BRIDGE, creates a global reference to it, registers its native methods via register_natives_XposedBridge, and obtains the method ID for handleHookedMethod. initZygoteService performs a similar registration for CLASS_ZYGOTE_SERVICE and CLASS_FILE_RESULT.

At this point the framework has registered two services, created global references to several critical classes, and set the ArtMethod fields xposed_callback_class and xposed_callback_method. These fields are later used in the hooked-method execution path: when InvokeXposedHandleHookedMethod runs for a hooked method, it uses the stored callbacks to invoke handleHookedMethod instead of the original method body.
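To make the dispatch path concrete, the following is an added illustration, not code from the article or from the Xposed project. It models in plain C++ the sequence that handleHookedMethod follows once the stored callbacks redirect a call to it: the registered before-hooks run in order, the original body runs unless a hook asked to return early, and the after-hooks of the hooks that ran execute in reverse order. HookParam, MethodHook, HookedMethod and invokeHooked are hypothetical stand-ins for XC_MethodHook.MethodHookParam, XC_MethodHook, the redirected ArtMethod and handleHookedMethod; the "sum" method and its two hooks are constructed sample data.

```cpp
// Added illustration of Xposed's hooked-method dispatch (not Xposed's own code).
#include <cstddef>
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// Stand-in for XC_MethodHook.MethodHookParam: the arguments, the result slot,
// and the flag a before-hook sets to skip the original method.
struct HookParam {
    std::string method_name;
    std::vector<int> args;
    int result = 0;
    bool return_early = false;
};

// Stand-in for one XC_MethodHook: an optional before and an optional after callback.
struct MethodHook {
    std::function<void(HookParam&)> before;
    std::function<void(HookParam&)> after;
};

// Hypothetical stand-in for an ArtMethod whose entry point has been redirected:
// it keeps the original implementation and the list of registered hooks.
struct HookedMethod {
    std::string name;
    std::function<int(const std::vector<int>&)> original;
    std::vector<MethodHook> hooks;
};

// Model of handleHookedMethod: before-hooks in registration order (stopping at
// the first one that returns early), then the original unless skipped, then the
// after-hooks of every hook whose before-hook ran, in reverse order.
int invokeHooked(HookedMethod& m, const std::vector<int>& args) {
    HookParam p{m.name, args};
    std::size_t before_ran = 0;
    for (std::size_t i = 0; i < m.hooks.size(); ++i) {
        if (m.hooks[i].before) m.hooks[i].before(p);
        ++before_ran;
        if (p.return_early) break;
    }
    if (!p.return_early) p.result = m.original(p.args);
    for (std::size_t i = before_ran; i-- > 0;) {
        if (m.hooks[i].after) m.hooks[i].after(p);
    }
    return p.result;
}

// Constructed sample: a "sum" method with a validating hook and a result-rewriting hook.
HookedMethod makeDemoMethod() {
    HookedMethod m;
    m.name = "sum";
    m.original = [](const std::vector<int>& a) {
        int s = 0;
        for (int v : a) s += v;
        return s;
    };
    // Hook 1: reject negative arguments by returning early with -1.
    m.hooks.push_back({
        [](HookParam& p) {
            for (int v : p.args) {
                if (v < 0) { p.result = -1; p.return_early = true; return; }
            }
        },
        nullptr});
    // Hook 2: once the original has produced a result, double it.
    m.hooks.push_back({nullptr, [](HookParam& p) { p.result *= 2; }});
    return m;
}

// Convenience wrapper: call the hooked "sum" with the given arguments.
int callSum(const std::vector<int>& args) {
    HookedMethod m = makeDemoMethod();
    return invokeHooked(m, args);
}

int main() {
    std::printf("sum(1,2,3) via hooks -> %d\n", callSum({1, 2, 3}));   // 12
    std::printf("sum(1,-2) via hooks  -> %d\n", callSum({1, -2}));     // -1
    return 0;
}
```

The point worth noticing for detection work is that the hooked method's own code never sees the call when a before-hook returns early, and that after-hooks of later hooks do not run either; any observation inserted by a hook is therefore ordered strictly by registration order.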

Finally, the article provides practical installation instructions. It notes that the official Xposed installation guide requires flashing the framework for Android 5.0 and later. For developers with an Android-based board that can boot from an SD card, a manual installation method is outlined, including steps such as linking /system, extracting the package, copying the flash script, modifying it, and running the install steps. Screenshots illustrate each step and the successful result.

Tags: mobile development, Android, Runtime, Hooking, Xposed, Zygote
Written by Tongcheng Travel Technology Center

Pursue excellence, start again with Tongcheng! More technical insights to help you along your journey and make development enjoyable.
