JReFrameworker - Practical Managed Code Rootkits for Java

Monday, February 15, 2016

This project aims to extend the work done by Erez Metula in his book Managed Code Rootkits: Hooking into Runtime Environments. The work outlines a tool ReFrameworker that claims to be a framework modification tool capable of performing any modification task, however the tool falls short in usability. Developing new attack modules is difficult as most users are not familiar with working in the intermediate representations (IR) required by the tool. Worse yet, the "write once, run anywhere" motto of managed languages is violated when dealing with runtime libraries, forcing the attacker to write new exploits for each target platform. The current version of ReFrameworker (version 1.1) does not have the ability to manipulate Java bytecode, although Erez Metula points out that the same techniques of using IRs such as Soot's Jimple or the Jasmin assembler can be used to create Java MCRs.


Since ReFrameworker is no longer maintained, this project aims to extend previous works by introducing JReFrameworker, a tool to produce MCR capabilities aimed at the Java Runtime Environment in a user-friendly way.

JReFrameworker is a tool that allows a user to write annotated Java source that is automatically merged or inserted into the runtime. The framework supports developing and debugging attack modules directly in the Eclipse IDE. Working at the intended abstraction level of source code allows the attacker to "write once, exploit anywhere".

Getting Started

Ready to get started?

  1. First install the JReFrameworker plugin.
  2. Then check out the provided tutorials to get started hacking your first attack module.



  • Improved payload dropper with new command line options for specifying non-standard runtime locations and for specifying output options


  • Support for exporting a basic based payload dropper


  • Improvements to preferences
  • Bug fixes for builder


  • Bug fix for missing annotations Jar in new projects


  • Initial Release

Subscribe via e-mail for updates!