xintiaoobao/KernelVector

KernelVector

Kernel-Level ART Hooking Framework for Android

A next-generation Xposed-compatible framework that replaces traditional Zygisk injection with kernel-space code delivery via KernelPatch Module (KPM), achieving deep stealth and broad compatibility.


Overview

KernelVector is an experimental ART hooking framework that combines the power of kernel-level process injection with the mature LSPlant hooking engine. Unlike traditional frameworks that rely on Zygisk/Riru for code delivery, KernelVector leverages KernelPatch Module (KPM) infrastructure to inject the hook runtime into target processes — making the injection chain invisible to userspace detection.

Key Differentiators

| | Traditional (Zygisk) | KernelVector (KPM) |
|---|---|---|
| Injection | Zygote modification, dlopen via linker | Kernel ghost pages + bootstrap trampoline |
| Visibility | Shows in /proc/maps, linker state | Ghost pages invisible to userspace |
| Detection Surface | Zygisk traces, ClassLoader artifacts | No userspace injection artifacts |
| Hook Engine | LSPlant (ART method hooking) | LSPlant (identical — full compatibility) |
| Module API | Xposed / libxposed | Xposed / libxposed (identical) |
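
The "Visibility" and "Detection Surface" rows refer to the kind of userspace check sketched here: an added example, not part of KernelVector, that triages a /proc/<pid>/maps dump for executable mappings that are anonymous or backed by files outside expected locations. The sample lines, the trusted prefixes, the JIT/vdso labels and the function name are assumptions constructed for illustration.

```python
import re

# Constructed sample in /proc/<pid>/maps format (not captured from a device).
SAMPLE_MAPS = """\
7a1c000000-7a1c200000 r-xp 00000000 fd:00 1234 /apex/com.android.art/lib64/libart.so
7a1d000000-7a1d010000 r-xp 00000000 fd:05 4321 /data/app/~~x/com.example.app/lib/arm64/libapp.so
7a1e000000-7a1e004000 r-xp 00000000 fd:05 9999 /data/adb/modules/example/lib/arm64/libinject.so
7a1f000000-7a1f001000 rwxp 00000000 00:00 0
7a20000000-7a20100000 r-xp 00000000 00:01 77 /memfd:jit-cache (deleted)
7a21000000-7a21002000 r-xp 00000000 00:00 0 [vdso]
7a22000000-7a22008000 rw-p 00000000 00:00 0 [anon:libc_malloc]
"""

# Assumptions: tune both tuples for the Android release and app under review.
TRUSTED_PREFIXES = ("/system/", "/system_ext/", "/apex/", "/vendor/",
                    "/product/", "/data/app/")
KNOWN_EXEC_LABELS = ("[vdso]", "[anon:dalvik-jit-code-cache]", "/memfd:jit-cache")

MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) [0-9a-f]+ \S+ \d+\s*(.*)$")


def suspicious_mappings(maps_text):
    """Return (start, perms, path, reason) for executable mappings worth review."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of failing
        start, _end, perms, path = m.groups()
        if "x" not in perms or path.startswith(KNOWN_EXEC_LABELS):
            continue
        if not path or path.startswith("["):
            reason = "anonymous executable mapping"
        elif not path.startswith(TRUSTED_PREFIXES):
            reason = "executable file outside trusted prefixes"
        elif "w" in perms:
            reason = "writable and executable"
        else:
            continue
        findings.append((start, perms, path or "<anonymous>", reason))
    return findings


if __name__ == "__main__":
    for finding in suspicious_mappings(SAMPLE_MAPS):
        print(finding)
```

By the README's own claim, ghost pages never appear in this file, so a clean result from a maps-only check does not rule out kernel-assisted injection.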

Architecture

┌─────────────────────────────────────────────────────────────────┐
│                        KERNEL SPACE                              │
│                                                                  │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │  KernelPatch Module (ptehook)                            │   │
│  │                                                          │   │
│  │  • Fork Handler — intercepts Zygote fork()               │   │
│  │  • Ghost Page Allocator — invisible memory mapping       │   │
│  │  • Bootstrap Writer — injects trampoline into child      │   │
│  └──────────────────────────────────────────────────────────┘   │
│                              │                                   │
│                              │ fork detected                     │
│                              ▼                                   │
├─────────────────────────────────────────────────────────────────┤
│                        USER SPACE                                │
│                                                                  │
│  ┌─────────────┐    dlopen     ┌────────────────────────────┐   │
│  │  Bootstrap  │ ─────────────▶│  libkvector.so             │   │
│  │  (4KB ghost │               │                            │   │
│  │   page)     │               │  • LSPlant Init (Dobby)    │   │
│  └─────────────┘               │  • Self-Hide (maps/dl)     │   │
│                                │  • IPC Bridge → Daemon     │   │
│                                │  • DEX Loader              │   │
│                                │  • Framework Bootstrap     │   │
│                                └────────────┬───────────────┘   │
│                                             │                    │
│                                             ▼                    │
│                                ┌────────────────────────────┐   │
│                                │  Xposed Framework (DEX)    │   │
│                                │                            │   │
│                                │  • Module Loading          │   │
│                                │  • Hook Registration       │   │
│                                │  • Legacy + Modern API     │   │
│                                └────────────────────────────┘   │
│                                                                  │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │  Daemon Process (root, app_process)                      │   │
│  │                                                          │   │
│  │  • Module scope management                               │   │
│  │  • DEX serving via Binder IPC                            │   │
│  │  • Configuration & preferences                           │   │
│  └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘

Injection Flow

  1. Boot — KPM loads via APatch/KernelSU; daemon starts
  2. Zygote Fork — Kernel fork handler detects new child process
  3. Ghost Page — 4KB bootstrap shellcode mapped into child (invisible in maps)
  4. Trampoline — First ioctl call triggers bootstrap execution
  5. dlopen — Bootstrap loads libkvector.so from hidden path
  6. Init — LSPlant initializes ART hooking; self-hiding activates
  7. IPC — Framework DEX fetched from daemon via Binder
  8. Modules — Xposed modules loaded; hooks become active

Compatibility

  • Android: 8.1 — 17 (API 27–36)
  • Root: APatch / KernelSU with KPM support
  • Architecture: arm64-v8a (primary), armeabi-v7a (planned)
  • Module API: Full Xposed + libxposed compatibility

Project Structure

KernelVector/
├── kpm-loader/          # Kernel injection layer (replaces Zygisk)
│   ├── src/main/cpp/    # libkvector.so: init, IPC, self-hide
│   ├── src/main/kotlin/ # Bridge, Main entry, parasitic manager
│   └── module/          # APatch/KPM module scripts
├── native/              # Core native framework (LSPlant, hook bridge, JNI)
├── external/            # Dependencies (LSPlant, Dobby, LSPlt, fmt, xz)
├── legacy/              # Xposed API compatibility layer
├── xposed/              # Modern Kotlin hook framework
├── daemon/              # Root daemon (module management, DEX serving)
├── services/            # AIDL interfaces (app ↔ daemon)
├── app/                 # Manager UI
├── hiddenapi/           # Hidden API bypass (stubs + bridge)
└── dex2oat/             # AOT compilation support

Building

Prerequisites

  • Android Studio Ladybug+ or Gradle 8.9+
  • NDK r29+
  • CMake 3.29+
  • JDK 21

Build Commands

```bash
# Build the module package (APatch/KSU)
./gradlew :kpm-loader:zipRelease

# Install on device via KernelSU
./gradlew :kpm-loader:installKsuRelease

# Install on device via APatch
./gradlew :kpm-loader:installApatchRelease
```

Development Status

Warning

This project is in early development. The kernel injection layer (kpm-loader) is under active construction.

Roadmap

  • Project scaffolding — fork from Vector framework
  • Module structure — kpm-loader replaces zygisk
  • libkvector.so — KPM entry point (kv_init)
  • Bootstrap shellcode — ARM64 ghost page trampoline
  • Self-hiding — maps/dl_iterate_phdr concealment
  • KPM fork handler integration
  • Daemon adaptation for KPM boot
  • End-to-end module loading test
  • Multi-process scope management

Credits

Built on the shoulders of these open-source projects:

| Project | Role |
|---|---|
| LSPlant | ART method hooking engine |
| Vector / LSPosed | Upstream Xposed framework |
| Dobby | Inline hooking backend |
| KernelPatch | Kernel-level patching infrastructure |
| XposedBridge | Standard Xposed APIs |
| Magisk | Android root ecosystem |

License

KernelVector is licensed under the GNU General Public License v3.0.

Copyright (C) 2024-2026 KernelVector Contributors

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

Disclaimer

This project is intended for security research and educational purposes only. Users are responsible for ensuring compliance with applicable laws in their jurisdiction. The authors assume no liability for misuse.
