VirtualXposed Analysis/Module Development Thread

This thread is intended as an All-in-one discussion of VirtualXposed (https://forum.xda-developers.com/xpo...nlock-t3760313), how it works, its safety/security issues, what works on it, its limitations and how to develop modules on it.

What is VirtualXposed?

An OPEN-SOURCE Container-like environment for running apks on Android, which allows the use of (some) xposed features without the need for root/xposed/unlocked bootloader etc. If this can be made trustable and stable, it has the potential to bring Xposed mods to a much wider community.

How VirtualXposed works, based on a review of the source code and dev response -
  1. All apps run inside VirtualApp (https://github.com/asLody/VirtualApp) - A container-like library (like docker) that wraps around some android system calls to allow running apks as plugins inside the original app. The project is also mostly open-source, but there seem to be some proprietary code blocks as well (such as https://github.com/asLody/VirtualApp...bs/armeabi-v7a). It's not free for commercial use though, that requires the purchase of a license. The dev maintains an independent fork of VirtualApp, without these closed-source blobs. The docs for VirtualApp can be found here - https://github.com/prife/VirtualAppDoc
  2. Uses Epic (https://github.com/tiann/epic) to actually process xposed hooks - This is an open-source library, actually inspired by xposed itself, for developers to "hook" into their own Java methods in their own apps.
  3. Uses a simple compatibility layer Exposed (https://github.com/android-hacker/exposed/ ) - Fully open source, Compatibility layer for Xposed, it loads Xposed modules and does some basic services (such as dealing with unsupported feature: initForZygote/resource hooks)
  4. For the UI, uses this Launcher (https://github.com/android-hacker/Launcher3) - This is a fork of the popular (and open source) Rootless Pixel Launcher, modified for multi-user scenarios
  5. Launcher3 and VirtualApp are project dependencies in VirtualXposed; exposed and epic are dependencies via aar.

Safety/Security Issues
  1. The app requests a ton of permissions - Seems legit given that it has to emulate all of those APIs. Perhaps these can be changed to runtime permissions?
  2. Possible proprietary blobs (Not sure yet - waiting for dev response) The app is fully open source.
  3. No one knows in detail how it works - Well, I am starting to get an idea of how it works :P
  4. Virus Scan results - 1 virus detected by VirusTotal. See developer rant - https://github.com/android-hacker/Vi...ment-377295527, I think it is a false positive

What works so far -
  1. Hooking into a virtual app's own java functions (hooked using findAndHookMethod())
  2. Hooking into SOME base Android APIs (I tried TextView.setText()) - I have published a working sample here - https://github.com/akhilkedia/VirtualXposedSamplePOC

Limitations of VirtualXposed so far that I know -
  1. Module hooks sometimes work, sometimes don't. I tested AllTrans 5 times, and it only worked once was because of change in Application.onCreate() - see below.
  2. Hooking Application.onCreate and casting it to Application returns an error - see below
  3. New modules are seemingly often not changed even after re-installing. Un-installed virtual apps are sometimes detected as still being present by the xposed module (?!)
  4. Cannot hook apks outside of VirtualApp (including possibly SystemUI).
  5. No Resource Hooks
  6. No Google Play Service yet.
  7. Epic library's readme says not supported for arm32, x86_64 and mips device architectures for ART.
  8. Logging to logcat doesn't seem to work. Logging to logcat works. @#$*%$ Android studio log filters.

How to develop modules on it.-
  1. Some utilities for developers (translated wiki page from VirtualXposed) - https://translate.googleusercontent....bMpfzUV70sy_fg I have not tried any of the steps mentioned here. These steps work.
  2. Application.onCreate/attachBaseContext is transformed to ContextWrapper.attachBaseContext
  3. Here is what I am currently doing, which seems to be a more stable way of getting consistent results - Erase application data of VirtualXposed, install xposed module, enable xposed module in xposed installer, force-stop VirtualXposed, start VirtualXposed. If you have enabled an Xposed Module outside of VirtualXposed, it will still affect apps inside it - So it's recommended to turn the module off outside.

The original developer seems to not speak perfect English, and the current users are mostly all Chinese.

Note - I intend to keep updating this post as we get more/new information.
@ Forum Moderators - Please feel free to move this thread if this is not the correct forum for it.

Edits - updated with more information from dev.
The Following 10 Users Say Thank You to akhilkedia94 For This Useful Post
 
 
7th June 2018, 02:07 PM | #2 | akhilkedia94 (OP, Senior Member, Seoul)
*reserved*

7th June 2018, 02:42 PM | #3 | weishu (Junior Member, Beijing)
Hi, akhilkedia94, Thank you for your hard work

I am the maintainer of VirtualXposed, sorry for my poor English. I will try to translate all the wiki and documents to English. If the translation is not good, please let me know.

And there are some facts that need clarification:

1. https://github.com/asLody/VirtualApp...bs/armeabi-v7a this library is a map/location library provided by Tencent, but I have removed it in VirtualXposed; it only exists in VirtualApp.
2. hook of Application.onCreate/attachBaseContext is transformed to ContextWrapper.attachBaseContext.
3. VirtualXposed is more stable on Android 8.0 than before (I didn't update the document in time, sorry)

VirtualXposed consists of four modules:
1. https://github.com/asLody/VirtualApp provides the ability of a container (works like docker, not a virtual machine); it has been closed source since 2017/12/31. I maintain a standalone branch in VirtualXposed. VirtualApp also has an inline hook module, which can hook native methods.
2. https://github.com/tiann/epic provides the ability to hook Java methods.
3. https://github.com/android-hacker/exposed is the compatibility layer of Xposed, it loads Xposed modules and does some clutter things (such as dealing with unsupported features: initForZygote/resource hooks)
4. https://github.com/android-hacker/Launcher3 is the UI, it is modified for multi-user in VirtualXposed.

Launcher3 and VirtualApp are project dependencies in VirtualXposed; exposed and epic are dependencies via aar.

Welcome to any questions, Although I may be hard to explain it clearly : )
The Following 8 Users Say Thank You to weishu For This Useful Post

7th June 2018, 03:09 PM | #4 | akhilkedia94 (OP, Senior Member, Seoul)
Quote:
Originally Posted by weishu

Welcome to any questions, Although I may be hard to explain it clearly : )

Thank you so much for your response! This is truly a wonderful project!

At this point, is there any part of the source code of VirtualXposed (or any of its dependencies) that is proprietary/closed-source?

If you have some free time later, can you explain in some detail (such as with links to relevant folders/files in Github) how VirtualApp, Epic and VirtualXposed work?

If you are not comfortable with English, you can use https://translate.google.com/ or http://fanyi.baidu.com/ to translate Chinese to English. If you cannot access those websites, please feel free to post your response in Chinese and we will translate it for you.

7th June 2018, 05:33 PM | #5 | mirhl (Senior Member, Corte)
https://github.com/asLody/VirtualApp/issues/388
As linked in the original thread..

Besides here (before re-editing everything), the dude said something along the line of project's original author having quit from development and it originally not having had any retarded licensing condition.
Indeed, until this everything was totally just under GPL 3, so forking is an option too.

p.s: docs https://github.com/prife/VirtualAppDoc
The Following User Says Thank You to mirhl For This Useful Post

7th June 2018, 08:11 PM | #6 | akhilkedia94 (OP, Senior Member, Seoul)
The code for the VirtualApp and Epic dependencies seems to have been folded into VirtualXposed.

Analysis of clean files
  1. I scanned VirtualXposed and all of its dependencies.
  2. A license scan reveals a mix of gpl, lgpl, apache, bsd facebook and mit licenses. Nothing too bad, this project is definitely forkable.
  3. I scanned for URLs in the code, and everything is clean. (of course it is possible that some URL may be encoded in hex or base64 or some other form)
  4. The only file which could not be accounted for is this file from VirtualApp, still present in VirtualXposed - https://github.com/asLody/VirtualApp...k/solidifyhook This file can be built by compiling the solidifyhook.cpp file.

This suggests the VirusTotal scan is almost surely a false positive.

Quote:
Originally Posted by mirhl

https://github.com/asLody/VirtualApp/issues/388
As linked in the original thread..

Besides here (before re-editing everything), the dude said something along the line of project's original author having quit from development and it originally not having had any retarded licensing condition.
Indeed, until this everything was totally just under GPL 3, so forking is an option too.

p.s: docs https://github.com/prife/VirtualAppDoc

The docs are interesting, thanks for that!
The Following 2 Users Say Thank You to akhilkedia94 For This Useful Post
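
The URL scan described in the post above, extended to the hex and base64 forms its caveat mentions. This is an added example, not the poster's tooling or code from VirtualXposed; the function names, file suffixes and sample strings are constructed, and it only covers contiguous hex or base64 runs, not byte arrays or other encodings.

```python
import base64
import binascii
import re
from pathlib import Path

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{12,}")  # "http://a" needs 12 base64 chars
HEX_RE = re.compile(rb"[0-9A-Fa-f]{16,}")    # ... and 16 hex digits


def _urls(blob: bytes):
    """Plain-text URLs in blob, with trailing sentence punctuation removed."""
    return {m.group().rstrip(b".,;:").decode("ascii") for m in URL_RE.finditer(blob)}


def _decoded_runs(data: bytes):
    """Yield (encoding, decoded bytes) for each base64 or hex run in data."""
    for m in B64_RE.finditer(data):
        run = m.group()  # padding '=' is not matched, so it is re-added here
        try:
            decoded = base64.b64decode(run + b"=" * (-len(run) % 4), validate=True)
        except binascii.Error:
            continue  # length or content is not valid base64
        yield "base64", decoded
    for m in HEX_RE.finditer(data):
        run = m.group()
        for off in (0, 1):  # the encoded string may start on an odd offset
            part = run[off:]
            yield "hex", bytes.fromhex(part[: len(part) // 2 * 2].decode("ascii"))


def find_urls(data: bytes):
    """Return sorted (encoding, url) pairs: plain URLs plus URLs hidden in runs."""
    hits = {("plain", u) for u in _urls(data)}
    for encoding, decoded in _decoded_runs(data):
        hits |= {(encoding, u) for u in _urls(decoded)}
    return sorted(hits)


def scan_tree(root, suffixes=(".java", ".cpp", ".c", ".h", ".xml", ".gradle")):
    """Map each source file under root to the URLs found in it."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            hits = find_urls(path.read_bytes())
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


# Constructed sample: one plain URL and two encoded string literals.
SAMPLE = b"\n".join([
    b"// docs: https://github.com/prife/VirtualAppDoc",
    b'String a = "' + base64.b64encode(b"http://example.invalid/beacon") + b'";',
    b'String b = "' + b"http://example.invalid/cfg".hex().encode() + b'";',
])
```

Calling `find_urls(SAMPLE)` reports all three URLs with the encoding each was found in; `scan_tree()` applies the same check to every matching file under a checkout.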

7th June 2018, 08:14 PM | #7 | Junior Member
Quote:
Originally Posted by mirhl

https://github.com/asLody/VirtualApp/issues/388
As linked in the original thread..

Besides here (before re-editing everything), the dude said something along the line of project's original author having quit from development and it originally not having had any retarded licensing condition.
Indeed, until this everything was totally just under GPL 3, so forking is an option too.

p.s: docs https://github.com/prife/VirtualAppDoc

There's still a branch from June 17th on the repo with the GPL v3 license. It's newer than the one you linked https://github.com/asLody/VirtualApp...ert-326-master
Edit: Here's one from October 30th, which is the last one with a GPL v3 license https://github.com/asLody/VirtualApp...b4238e69f9254f
Since it got removed here https://github.com/asLody/VirtualApp...2c5283f7eb95ab

7th June 2018, 09:08 PM | #8 | Junior Member
I'm also not a lawyer but it's still under GPL v3 and as far as I understand, commercial use, among other things is allowed. https://tldrlegal.com/license/gnu-ge...nse-v3-(gpl-3)

Edit: Here's some discussion about the license. I'm not sure if he can just add that commercial line in there and it applies. They talk about dual-licensing and stuff but I don't know. I don't think that the usage and modification of this would count as commercial if it's released for free to a community.

8th June 2018, 12:07 AM | #9 | mirhl (Senior Member, Corte)
I'm saying that if they added the non-commercial clause (even if still retaining the GPL license text), I'm not sure what comes out.
One prevails over the other? Dual licensing?

Besides, most of the commits come from the same two guys, but there are thirty more that contributed to the repo. And I'm not sure how legit unilateral relicensing is then.

8th June 2018, 04:10 AM | #10 | weishu (Junior Member, Beijing)
Quote:
Originally Posted by mirhl

https://github.com/asLody/VirtualApp/issues/388
As linked in the original thread..

Besides here (before re-editing everything), the dude said something along the line of project's original author having quit from development and it originally not having had any retarded licensing condition.
Indeed, until this everything was totally just under GPL 3, so forking is an option too.

p.s: docs https://github.com/prife/VirtualAppDoc

You can refer to https://github.com/android-hacker/Vi...sed/issues/138 for the License of VirtualXposed.

I am planning to make a fork of the GPL-v3 branch of VirtualApp (it is nearly complete), but I don't know whether it is permitted.
The Following 2 Users Say Thank You to weishu For This Useful Post

8th June 2018, 05:28 AM | #11 | weishu (Junior Member, Beijing)
akhilkedia, I have heard from you at GitHub. Thank you!!

I've put together some information, and I hope this will help.

Q: The app requests a ton of permissions
A: All the permissions are used for apps inside VirtualXposed. I don't know what apps will be added to VirtualXposed, so I must request all the permissions in advance. If VirtualXposed doesn't have a permission that an app needs, the app may not work properly in VirtualXposed.
I am planning to upgrade the targetSdkVersion to 23, then there will be few permission requests when installing it (VirtualXposed will request permissions dynamically, but if you refuse some permission for one app in VirtualXposed, none of the apps in VirtualXposed will be granted that permission; this is truly frustrating. XPrivacyLua cannot work properly in VirtualXposed: https://github.com/android-hacker/Vi...posed/issues/7. I am trying to add a built-in permission control in VirtualXposed: https://github.com/android-hacker/Vi...osed/issues/33, but there is a lot of work to do...)

Q: New modules are seemingly often not changed even after re-installing. Un-installed virtual apps are sometimes detected as still being present by the xposed module (?!)
A: This is a bug, the state of installation and launcher3 are not the same.

Q: Epic library's readme says not supported for arm32, x86_64 and mips device architectures for ART.
A: Yes, Epic doesn't support arm32, x86. You can install it on an x86 device, but Xposed won't work.

Q: If you have enabled an Xposed Module outside of VirtualXposed, it will still affect apps inside it - So it's recommended to turn the module off outside.
A: Yes, Xposed in the system will take effect in VirtualXposed, and sometimes may cause conflicts if you enable the same module both in Xposed outside and in VirtualXposed.

Q: The original developer seems to not speak perfect English, and the current users are mostly all Chinese.
A: Yes, my spoken English is poor, but my reading skills are good, there are no obstacles to understanding what you say.
The current users are mostly all Chinese, in fact, there are more than one million users in total. If you think it is useful, please tell your friends about it, this is the best way to encourage me to make VirtualXposed better and better.

Q: is there any part of the source code of VirtualXposed (or any of its dependencies) that is proprietary/closed-source
A: No, VirtualXposed is fully open source, but the License is complex. I have no idea of it totally.

Q: If you have some free time later, can you explain in some detail (such as with links to relevant folders/files in Github) how VirtualApp, Epic and VirtualXposed work?
A: See below

Q: How VirtualApp works?

A:

First, you can read my blog and follow my tutorial:
My Blog: http://weishu.me/2016/01/28/understa...work-overview/
My Tutorial: https://github.com/tiann/understand-plugin-framework

These articles tell you how Android Framework works and how Plugin-Framework hooks into system to establish a virtual environment.

If you are familiar with the Android Framework, you can read the source code of the demo.

But sorry, it is fully in Chinese; lots of Chinese readers say it is the best way to understand DroidPlugin/VirtualApp.

Then, you can read the VirtualAppDoc: https://github.com/prife/VirtualAppDoc.

In VirtualXposed, source code of VirtualApp lies in https://github.com/android-hacker/Vi...VirtualApp/lib

The structure of VirtualApp:

JNI:

https://github.com/android-hacker/Vi...jni/Foundation and https://github.com/android-hacker/Vi...c/main/jni/Jni : mainly for IO redirect to make apps inside VirtualApp access the correct file system, and also, it does some native hooks for special APIs (for example, Camera must be hooked in native, disable JIT, etc..)
https://github.com/android-hacker/Vi...in/jni/HookZz: This is an inline hook library, it is fully open source, this is the project: https://github.com/jmpews/HookZz
https://github.com/android-hacker/Vi...jni/Substrate: Another inline hook library, it seems to be closed source, but I don't know how the author of VirtualApp got the source code...
https://github.com/android-hacker/Vi...c/main/jni/fb: the JNI framework of facebook.

Java:

https://github.com/android-hacker/Vi...n/java/mirror: the reflection framework of VirtualApp, it is used to make reflection convenient, it is really elegant.
https://github.com/android-hacker/Vi.../java/android: some hidden APIs of the Android Framework, copied here for compiling.
https://github.com/android-hacker/Vi...irtual/server: the server process of VirtualApp, for example, the Android Framework has ActivityManagerService, PackageManagerService; in VirtualApp, there is VActivityManagerService. The procedure for a process to communicate with the Android Framework is: Client process -> VirtualApp's server process (Virtual System server) -> Android Framework's system service.
https://github.com/android-hacker/Vi...irtual/client: mainly for hooks in the client process (apps run inside VirtualApp are all client processes); There are four types of process in VirtualApp: 1. Virtual Server process (with hook of AMS & PMS) 2. Virtual client process (with hook of All Android System Service) 3. UI process (a normal process) 4. other process (such as native process)
https://github.com/android-hacker/Vi...dy/virtual/os: the multi-user system of VirtualApp and some environment variants, such as directory structure.
https://github.com/android-hacker/Vi...irtual/remote: Parcel data structure for IPC between the Virtual client process and the virtual server process.

If you want to read source code of VirtualApp, this class is the best entry:

https://github.com/android-hacker/Vi...rtualCore.java.

Q: How Epic works?
A:

You can refer to my design procedure of Epic: http://weishu.me/2017/11/23/dexposed-on-art/
The article introduces many ways to hook and tells you how epic solves the problems of the past and why epic does it that way.

Sorry that it is in Chinese again...

And then, you can read the paper: https://publications.cispa.saarland/143/ It is strongly recommended to read that!

In fact, Epic was inspired by https://github.com/mar-v-in/ArtHook, you can also read the source code.

Q: How VirtualXposed works?

VirtualXposed loads Xposed Modules in the entry of VirtualApp's client process, and injects the Xposed ClassLoader into that process so that Xposed modules can call the Xposed API, and epic provides the ability to hook. That's all.

All this work is done in https://github.com/android-hacker/exposed

If you have any doubt about VirtualApp/Epic/exposed, feel free to ask me

In addition, I made an organization named android-hacker when I created VirtualXposed, if you want to contribute to VirtualXposed, you are welcome to join it! (tell me to invite you)
The Following 10 Users Say Thank You to weishu For This Useful Post
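
A check built on the permission answer in the post above, as an added example that is not part of the thread or of VirtualXposed's code: it reads decoded AndroidManifest.xml text and reports whether the host's dangerous permissions are install-time or runtime grants (the targetSdkVersion 23 boundary), and for each guest app which host-held permissions the guest never declared. The package names and manifests are constructed, the permission list is a subset, and it assumes, as the post describes, that a grant to the host is shared by every app inside it.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# Subset of the permissions Android treats as "dangerous" (runtime) since API 23.
DANGEROUS = {PREFIX + p for p in (
    "CAMERA", "RECORD_AUDIO", "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_PHONE_STATE",
    "CALL_PHONE", "READ_CALL_LOG", "SEND_SMS", "READ_SMS", "RECEIVE_SMS",
    "READ_CALENDAR", "WRITE_CALENDAR", "BODY_SENSORS",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
)}


def parse_manifest(xml_text):
    """Return (package, targetSdkVersion or None, set of dangerous permissions)."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    target = sdk.get(ANDROID_NS + "targetSdkVersion") if sdk is not None else None
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return root.get("package"), int(target) if target else None, perms & DANGEROUS


def audit_container(host_xml, guest_xmls):
    """Compare what the container host holds with what each guest declared."""
    host_pkg, target, host_perms = parse_manifest(host_xml)
    # Below targetSdkVersion 23, dangerous permissions are granted at install.
    mode = "runtime" if target is not None and target >= 23 else "install-time"
    guests = {}
    for xml_text in guest_xmls:
        pkg, _, wanted = parse_manifest(xml_text)
        guests[pkg] = {
            "undeclared_but_held": sorted(host_perms - wanted),
            "missing_in_host": sorted(wanted - host_perms),
        }
    return {"host": host_pkg, "grant_mode": mode,
            "host_dangerous": sorted(host_perms), "guests": guests}


def make_manifest(package, target_sdk, perms):
    """Build a constructed, decoded-style AndroidManifest.xml for the demo."""
    uses = "".join(f'<uses-permission android:name="{PREFIX}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}"><uses-sdk android:targetSdkVersion="{target_sdk}"/>'
            f"{uses}</manifest>")


# Constructed inputs: a hypothetical container host and two guest apps.
HOST = make_manifest("com.example.container", 22,
                     ["INTERNET", "CAMERA", "READ_CONTACTS", "ACCESS_FINE_LOCATION"])
GUEST_NOTES = make_manifest("com.example.notes", 26,
                            ["INTERNET", "WRITE_EXTERNAL_STORAGE"])
GUEST_CAM = make_manifest("com.example.cam", 26, ["CAMERA"])
```

`audit_container(HOST, [GUEST_NOTES, GUEST_CAM])` returns the grant mode plus, per guest, the `undeclared_but_held` and `missing_in_host` lists.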