Kernel-Level ART Hooking Framework for Android
A next-generation Xposed-compatible framework that replaces traditional Zygisk injection with kernel-space code delivery via KernelPatch Module (KPM), achieving deep stealth and broad compatibility.
KernelVector is an experimental ART hooking framework that combines the power of kernel-level process injection with the mature LSPlant hooking engine. Unlike traditional frameworks that rely on Zygisk/Riru for code delivery, KernelVector leverages KernelPatch Module (KPM) infrastructure to inject the hook runtime into target processes — making the injection chain invisible to userspace detection.
| | Traditional (Zygisk) | KernelVector (KPM) |
|---|---|---|
| Injection | Zygote modification, dlopen via linker | Kernel ghost pages + bootstrap trampoline |
| Visibility | Shows in /proc/maps, linker state | Ghost pages invisible to userspace |
| Detection Surface | Zygisk traces, ClassLoader artifacts | No userspace injection artifacts |
| Hook Engine | LSPlant (ART method hooking) | LSPlant (identical — full compatibility) |
| Module API | Xposed / libxposed | Xposed / libxposed (identical) |
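
As an added example (not part of KernelVector or its code base), the following defender-side audit of a captured `/proc/<pid>/maps` dump flags the userspace-visible artifacts that the "Visibility" row attributes to traditional injection. The sample lines, the trusted path prefixes and the benign-tag list are constructed assumptions; by the table's own description a ghost page would produce no line in this input, so a clean result only rules out the userspace-visible column.

```python
import re

# Constructed /proc/<pid>/maps excerpt (illustrative, not from a real device).
SAMPLE_MAPS = """\
7a10000000-7a10200000 r-xp 00000000 fd:00 1234 /system/lib64/libandroid_runtime.so
7a20000000-7a20040000 r-xp 00000000 fd:00 2345 /apex/com.android.runtime/lib64/bionic/libc.so
7a30000000-7a30010000 r-xp 00000000 fd:05 3456 /data/app/com.example.app/lib/arm64/libnative.so
7a40000000-7a40008000 r-xp 00000000 fd:05 4567 /data/local/tmp/libinjected.so
7a50000000-7a50001000 r-xp 00000000 00:00 0
7a60000000-7a60004000 r-xp 00000000 fd:05 5678 /data/misc/cache/lib.so (deleted)
7a70000000-7a70100000 rw-p 00000000 00:00 0 [anon:libc_malloc]
7a80000000-7a82000000 r-xp 00000000 00:01 6789 /memfd:jit-cache (deleted)
"""

MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)
# Assumptions for this example: where executable code is expected to live,
# and which non-file executable regions are benign (ART JIT cache, vDSO).
TRUSTED_PREFIXES = ("/system/", "/apex/", "/vendor/", "/data/app/")
BENIGN_TAGS = ("jit-cache", "[vdso]")

def audit_maps(text):
    """Return (start_addr, reason, path) for each suspicious executable mapping."""
    findings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, perms, path = m.group(1), m.group(3), m.group(4).strip()
        if "x" not in perms or any(tag in path for tag in BENIGN_TAGS):
            continue
        if not path or path.startswith("["):
            reason = "anonymous-exec"      # executable memory with no backing file
        elif path.endswith("(deleted)"):
            reason = "deleted-backing"     # file unlinked after it was mapped
        elif not path.startswith(TRUSTED_PREFIXES):
            reason = "untrusted-path"      # library loaded from an unexpected location
        else:
            continue
        findings.append((start, reason, path))
    return findings

if __name__ == "__main__":
    for start, reason, path in audit_maps(SAMPLE_MAPS):
        print(f"{start}  {reason:16} {path or '<anonymous>'}")
```
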
```
┌─────────────────────────────────────────────────────────────────┐
│                          KERNEL SPACE                           │
│                                                                 │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │               KernelPatch Module (ptehook)               │   │
│  │                                                          │   │
│  │  • Fork Handler — intercepts Zygote fork()               │   │
│  │  • Ghost Page Allocator — invisible memory mapping       │   │
│  │  • Bootstrap Writer — injects trampoline into child      │   │
│  └──────────────────────────────────────────────────────────┘   │
│                               │                                 │
│                               │  fork detected                  │
│                               ▼                                 │
├─────────────────────────────────────────────────────────────────┤
│                           USER SPACE                            │
│                                                                 │
│  ┌─────────────┐    dlopen     ┌────────────────────────────┐   │
│  │  Bootstrap  │ ─────────────▶│       libkvector.so        │   │
│  │ (4KB ghost  │               │                            │   │
│  │    page)    │               │  • LSPlant Init (Dobby)    │   │
│  └─────────────┘               │  • Self-Hide (maps/dl)     │   │
│                                │  • IPC Bridge → Daemon     │   │
│                                │  • DEX Loader              │   │
│                                │  • Framework Bootstrap     │   │
│                                └────────────┬───────────────┘   │
│                                             │                   │
│                                             ▼                   │
│                                ┌────────────────────────────┐   │
│                                │   Xposed Framework (DEX)   │   │
│                                │                            │   │
│                                │  • Module Loading          │   │
│                                │  • Hook Registration       │   │
│                                │  • Legacy + Modern API     │   │
│                                └────────────────────────────┘   │
│                                                                 │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │            Daemon Process (root, app_process)            │   │
│  │                                                          │   │
│  │  • Module scope management                               │   │
│  │  • DEX serving via Binder IPC                            │   │
│  │  • Configuration & preferences                           │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
```
- Boot — KPM loads via APatch/KernelSU; daemon starts
- Zygote Fork — Kernel fork handler detects new child process
- Ghost Page — 4KB bootstrap shellcode mapped into child (invisible in maps)
- Trampoline — First `ioctl` call triggers bootstrap execution
- dlopen — Bootstrap loads `libkvector.so` from hidden path
- Init — LSPlant initializes ART hooking; self-hiding activates
- IPC — Framework DEX fetched from daemon via Binder
- Modules — Xposed modules loaded; hooks become active
- Android: 8.1 — 17 (API 27–36)
- Root: APatch / KernelSU with KPM support
- Architecture: `arm64-v8a` (primary), `armeabi-v7a` (planned)
- Module API: Full Xposed + libxposed compatibility
```
KernelVector/
├── kpm-loader/            # Kernel injection layer (replaces Zygisk)
│   ├── src/main/cpp/      # libkvector.so: init, IPC, self-hide
│   ├── src/main/kotlin/   # Bridge, Main entry, parasitic manager
│   └── module/            # APatch/KPM module scripts
├── native/                # Core native framework (LSPlant, hook bridge, JNI)
├── external/              # Dependencies (LSPlant, Dobby, LSPlt, fmt, xz)
├── legacy/                # Xposed API compatibility layer
├── xposed/                # Modern Kotlin hook framework
├── daemon/                # Root daemon (module management, DEX serving)
├── services/              # AIDL interfaces (app ↔ daemon)
├── app/                   # Manager UI
├── hiddenapi/             # Hidden API bypass (stubs + bridge)
└── dex2oat/               # AOT compilation support
```
- Android Studio Ladybug+ or Gradle 8.9+
- NDK r29+
- CMake 3.29+
- JDK 21
```bash
# Build the module package (APatch/KSU)
./gradlew :kpm-loader:zipRelease
# Install on device via KernelSU
./gradlew :kpm-loader:installKsuRelease
# Install on device via APatch
./gradlew :kpm-loader:installApatchRelease
```
Warning
This project is in early development. The kernel injection layer (kpm-loader) is under active construction.
- Project scaffolding — fork from Vector framework
- Module structure — `kpm-loader` replaces `zygisk`
- `libkvector.so` — KPM entry point (`kv_init`)
- Bootstrap shellcode — ARM64 ghost page trampoline
- Self-hiding — maps/dl_iterate_phdr concealment
- KPM fork handler integration
- Daemon adaptation for KPM boot
- End-to-end module loading test
- Multi-process scope management
Built on the shoulders of these open-source projects:
| Project | Role |
|---|---|
| LSPlant | ART method hooking engine |
| Vector / LSPosed | Upstream Xposed framework |
| Dobby | Inline hooking backend |
| KernelPatch | Kernel-level patching infrastructure |
| XposedBridge | Standard Xposed APIs |
| Magisk | Android root ecosystem |
KernelVector is licensed under the GNU General Public License v3.0.
Copyright (C) 2024-2026 KernelVector Contributors
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This project is intended for security research and educational purposes only. Users are responsible for ensuring compliance with applicable laws in their jurisdiction. The authors assume no liability for misuse.