Understanding the Xposed Framework Hook Mechanism on Android

The Xposed framework is an Android‑based framework that enables users to modify system‑level or third‑party APP functionality at runtime by injecting custom code into the Android runtime.

It works by replacing the original /system/bin/app_process with a version that loads XposedBridge.jar from /data/data/de.robv.android.xposed.installer/bin/ during the Zygote startup. The Zygote process forks child processes for each app, and the injected Xposed classes are loaded into every app’s class loader, allowing hooks to be applied globally.

Developers can use the framework to Hook methods; a simple example modifies the Android system clock appearance (RedClock project on GitHub). The example demonstrates how a few lines of code can intercept and change the behavior of existing methods.

The hook workflow begins with handleLoadPackage , which is called for each loaded app. Inside this callback, findAndHookMethod from XposedHelpers locates the target method (e.g., java.net.URLEncoder.encode ) and registers a XC_MethodHook containing beforeHookedMethod and afterHookedMethod . The helper ultimately calls XposedBridge.hookMethod , which creates a native callback list if needed and forwards the request to the native function hookMethodNative defined in libXposed_common.cpp .

Inside the native layer, the macro NATIVE_METHOD maps to XposedBridge_hookMethodNative in libXposed_art.cpp . The function obtains the corresponding ArtMethod object via FromReflectedMethod , creates a backup, sets the kAccXposedOriginalMethod flag, and stores hook information in an XposedHookInfo structure. It then replaces the method’s entry points for both interpreter and compiled code using SetEntryPointFromQuickCompiledCode and SetEntryPointFromInterpreter .

When the hooked method is invoked, execution reaches ArtMethod::Invoke , which dispatches to art_quick_invoke_stub (or the interpreter stub). The stub redirects to a proxy handler ( artQuickProxyInvokeHandler ) that checks whether the current environment is Xposed. If so, it calls InvokeXposedHandleHookedMethod , which retrieves the saved XposedHookInfo and finally invokes XposedBridge.handleHookedMethod in Java. This method runs all before callbacks, calls the original method via invokeOriginalMethodNative , and then runs all after callbacks.

In summary, hooking a method with Xposed involves specifying the target class, method name, and callbacks; the framework locates the corresponding ArtMethod in the ART VM, backs it up, rewrites its entry points, and ensures that every thread sees the modified method while preserving the ability to call the original implementation.