WHAT IS XPOSED?
Recently, while searching for material to learn mobile pentesting, I stumbled on a superb tool: the XPOSED framework. Those of you who are already into mobile pentesting are probably familiar with it.
OK!
So I did a little bit of research into what XPOSED can do.
Strangely, I don't see any new posts from around 2017-2018 talking about XPOSED; the last entry I could find was from 2016. Hmmm, weird.
In this post I will show how to set up XPOSED with the latest version of Android Studio, and a few of the capabilities the XPOSED framework offers to help you with mobile pentesting.
From the original GitHub repository:
(https://github.com/rovo89/XposedBridge/wiki/Development-tutorial#definingmodules)
I could summarize XPOSED as a tool for hooking mobile applications that gives you the power to inject code at runtime. OK, kewl!
XPOSED works in the following way. Every Android application developer or pentester knows about "zygote". Zygote is the heart of the Android runtime: every application process running on your Android device is a fork of it.
/init.rc is the script responsible for the boot sequence, and one of the things it starts is /system/bin/app_process, the binary that becomes the Zygote process.
Now this is where the fun part comes in: when you install XPOSED on your rooted Android device it installs its own extended version of /system/bin/app_process and so becomes part of Zygote. Since every app is forked from Zygote, XPOSED can hook methods inside any application and have fun playing with them.
OK KEWL, SO LET'S PREPARE OUR ENVIRONMENT FIRST:
For the following setup I use:
- Android Studio version 3
- VirtualBox with an Android OS already installed in it, along with the XPOSED app (Note: you can use a real device, but make sure it is rooted; XPOSED can only run on a rooted Android device)
- Ubuntu 18.04 as my operating system
Create a new project in Android Studio and choose "No Activity". I know it is odd not to choose "Empty Activity", but for now just shut up and follow along.
Great, now create a new folder inside your application project folder and name it "provider", like this:
$~ cd $_your_directory_project
$~ mkdir app/provider
Download XposedBridgeApi-54.jar and save it to that folder, like this:
$~ cd app/provider
$~ wget -O XposedBridgeApi-54.jar http://forum.xda-developers.com/attachment.php\?attachmentid\=2748878\&d\=1400342298
P.S.: you can use any version of the Xposed API.
After that, open AndroidManifest.xml and paste the following inside the file (NOTE: put it inside the <application> tag):
<!-- This lets the module appear in the module selection portion of the Xposed app -->
<meta-data
    android:name="xposedmodule"
    android:value="true" />
<!-- This description will appear in the Xposed Application when enabling/disabling modules -->
<meta-data
    android:name="xposeddescription"
    android:value="Easy example which makes the status bar clock red and adds a smiley" />
<!-- If you downloaded a different version of XposedBridgeApi-$VERSION, change the 54 to $VERSION -->
<meta-data
    android:name="xposedminversion"
    android:value="54" />
These meta-data entries let XPOSED find and identify the module you have created.
Now go to your rooted Android device and install the XPOSED framework. (I'm not going to explain how to install it because it is very simple: you just have to download the APK file and install it using the ADB tool.) After you have successfully installed it go to: Framework >> choose "Install and Update" >> Reboot.
Go back to Android Studio and create one Java file; I named mine xposed:
Straight from the XPOSED developer, just copy and paste the following code into the newly created Java class:
package com.example; // CHANGE THIS TO MATCH YOUR PROJECT

import android.graphics.Color;
import android.widget.TextView;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;
import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;

// Xposed calls handleLoadPackage once for every app process that Zygote forks.
public class Tutorial implements IXposedHookLoadPackage {
    @Override
    public void handleLoadPackage(final LoadPackageParam lpparm) throws Throwable {
        String packageName = "com.android.systemui";
        String classToHook = "com.android.systemui.statusbar.policy.Clock";
        String functionToHook = "updateClock";

        // Only hook inside the SystemUI process; leave every other app alone.
        if (!lpparm.packageName.equals(packageName))
            return;

        XposedBridge.log("we are in SystemUI!");

        // Resolve Clock.updateClock() through the app's own class loader and
        // attach a callback that runs right after the original method returns.
        findAndHookMethod(classToHook, lpparm.classLoader, functionToHook, new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                // thisObject is the Clock instance, which extends TextView.
                TextView tv = (TextView) param.thisObject;
                String text = tv.getText().toString();
                tv.setText(text + " :)");
                tv.setTextColor(Color.RED);
            }
        });
    }
}
Don't forget to change the package name and the class name in the code (the Java file name must match the public class name). At this point you may get tons of errors stating that most of the functions are not found; that's because we haven't yet added the XposedBridgeApi-54.jar file to the Android Studio build.
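The tutorial hook above only uses afterHookedMethod on a method with no arguments. As an added example (not from the original post or the Xposed project), the module below traces a method of a hypothetical app: it logs the arguments before the call and the result or exception after it, which is the kind of hook you would use to verify at runtime what an app under assessment actually does. The target package, class and method (com.example.target, ApiClient.buildUrl(String, int)) are assumed placeholders.

```java
package com.example; // hypothetical module package, must match xposed_init

import java.lang.reflect.Member;
import java.util.Arrays;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;
import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;

// Added example, not from the original post or the Xposed project.
// Package, class and method names of the target are hypothetical placeholders.
public class MethodTracer implements IXposedHookLoadPackage {
    private static final String TARGET_PKG = "com.example.target";
    private static final String TARGET_CLASS = "com.example.target.net.ApiClient";
    private static final String TARGET_METHOD = "buildUrl";

    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        // Every app forked from Zygote passes through here; hook only the one under test.
        if (!lpparam.packageName.equals(TARGET_PKG)) return;

        // The parameter types select the overload, here buildUrl(String, int).
        findAndHookMethod(TARGET_CLASS, lpparam.classLoader, TARGET_METHOD,
                String.class, int.class, new XC_MethodHook() {
            @Override
            protected void beforeHookedMethod(MethodHookParam param) {
                // Runs before the original body; param.args holds the live arguments.
                XposedBridge.log(describe(param.method) + " called with "
                        + Arrays.toString(param.args));
            }

            @Override
            protected void afterHookedMethod(MethodHookParam param) {
                // Runs after the original body; either a result or an exception is set.
                if (param.hasThrowable()) {
                    XposedBridge.log(describe(param.method) + " threw " + param.getThrowable());
                } else {
                    XposedBridge.log(describe(param.method) + " returned " + param.getResult());
                }
            }
        });
    }

    // Human-readable "class.method" label for the Xposed log.
    private static String describe(Member m) {
        return m.getDeclaringClass().getName() + "." + m.getName();
    }
}
```

The output lands in the same Xposed log view the tutorial uses; list MethodTracer in xposed_init exactly like the Tutorial class.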
Go to build.gradle (Module: app) and add the following line to the dependencies block (the path is relative to the app module, so it points at the app/provider folder created above):
compileOnly files('provider/XposedBridgeApi-54.jar')
Most of you who have seen earlier tutorials will have used the "Implement file('provided/XposedBridgeApi-54.jar')" command, but unfortunately that command is now deprecated and has changed to compileOnly.
DON'T FORGET TO SYNC GRADLE!
OK, now just one last thing to do before launching the application: create a new file at app/src/main/assets/xposed_init.
$~ mkdir -p app/src/main/assets/
$~ echo "com.example.root.log_xposed.xposed" > app/src/main/assets/xposed_init
Put your package name followed by the class name in this file (one fully-qualified class name per line). This is how XPOSED knows which class of your module to load at runtime.
NOW THE LAST PART IS VERY IMPORTANT:
First, turn off Instant Run in Android Studio by going to Settings >> Build, Execution, Deployment >> Instant Run and disabling it.
Second, go to the debug configuration and change the launch option to "Nothing", so that the module is uploaded to the Android device without trying to start an activity.
OK, SO EVERYTHING IS DONE, LET'S PLAY WITH IT.
Install the application and open the XPOSED framework app; notice that our module has been uploaded successfully. Tick your module, go to "Framework" and choose reboot so the change takes effect. Use a soft reboot to save time.
If you succeeded, the device clock is now red. Pretty awesome, right?! And if you go to the log section of the XPOSED framework you will see the log line written by the code.
Thank you, have a good day :)
Resources, credit to the owners:
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/september/code-injection-on-android/?utm_medium=referral&utm_campaign=ZEEF&utm_source=https%3A%2F%2Fmobile-security.zeef.com%2Foguzhan.topgul
https://github.com/rovo89/XposedBridge/wiki/Development-tutorial#definingmodules
In the next post I will try to show how to apply these bad boys to a real application.
> strangely i don't see any new post around 2017-2018 who are talking about XPOSED, the last entry that i could found was in 2016. hmmm weird
Yeah, it's not really hyped anymore. People like Magisk modules more now because they don't trigger SafetyNet.
Thanks man, I'll try Magisk then and see if there is any significant difference from Xposed other than not triggering SafetyNet.