zygisk/README.md
This sub-project constitutes the injection engine of the Vector framework. It acts as the bridge between the Android Zygote process and the high-level Xposed API.
The project is a hybrid system consisting of two distinct layers:
Its primary responsibility is to inject the Vector framework into the target process's memory at the earliest possible stage of its lifecycle, ensuring a robust and stealthy environment.
The native layer (libzygisk.so) is the entry point. It hooks into the Zygote process creation lifecycle via the Zygisk API (e.g., preAppSpecialize, postAppSpecialize). It is architected to have minimal internal logic, delegating heavy lifting (like ART hooking and ELF parsing) to the core native library.
InMemoryDexClassLoader to load the framework's bytecode directly from memory, avoiding disk I/O signatures.CallBooleanMethodV. This intercepts Binder.execTransact calls, allowing the framework to patch into the system's IPC flow without registering standard Android Services.VectorModule (module.cpp): The central orchestrator implementing zygisk::ModuleBase. It manages the injection state machine and inherits from vector::native::Context to gain core injection capabilities.IPCBridge (ipc_bridge.cpp): A singleton handling raw Binder transactions. It manages the two-step connection protocol (Rendezvous -> Dedicated Binder) and contains the JNI table override logic.Once the native layer successfully loads the DEX, control is handed off to the Kotlin layer via JNI. This layer handles high-level Android framework manipulation, Xposed initialization, and identity spoofing.
Main.forkCommon acts as the Java entry point. It differentiates between the system_server and standard applications.com.android.shell). This allows the Manager to run with elevated privileges without being installed as a system app.Main: The singleton entry point. It initializes the Xposed bridge (Startup) and decides whether to load the standard Xposed environment or the Parasitic Manager.BridgeService: The peer to the C++ IPCBridge. It decodes custom _LSP transactions, manages the distribution of the system service binder, and handles communication between the injected framework and the root daemon.ParasiticManagerHooker: The complex logic for identity transplantation.
ApplicationInfo with the Manager's info during handleBindApplication.Bundle states to prevent data loss during lifecycle events.WebView and ContentProvider installation to satisfy package name validations.The full lifecycle of a Vector-instrumented process follows this sequence:
preAppSpecialize callback in C++.VectorModule checks the UID/Process Name. If valid, it initializes the IPCBridge.postAppSpecialize triggers the creation of an InMemoryDexClassLoader.org.lsposed.lspd.core.Main.forkCommon.ParasiticManagerHooker.start() is called. The process is "hijacked" to run the Manager UI.Startup.bootstrapXposed() is called. Third-party modules are loaded.Binder.execTransact calls to BridgeService.execTransact in Kotlin.The communication between the native loader and the Kotlin framework relies on specific conventions:
_VEC (bitwise constructed) must remain synchronized between ipc_bridge.cpp (Native) and BridgeService.kt (Kotlin).ParasiticManagerHooker.start(), you will see an empty list mutableListOf<IBinder>().
It is used as an "out-parameter" for the Binder call, allowing the root daemon to push the Manager Service Binder back to the loader.The ParasiticManagerSystemHooker runs only in the system_server. It uses XposedHooker to intercept ActivityTaskSupervisor.resolveActivity. It detects Intents tagged with LAUNCH_MANAGER and forcefully redirects them to the parasitic process (e.g., Shell), modifying the ActivityInfo on the fly to ensure the Manager launches correctly.