JReFrameworker is a Java bytecode manipulation tool, released at DEFCON 24 (2016), that lowers the barrier to entry for developing Managed Code Rootkits in the Java Virtual Machine. Bytecode manipulations are written entirely in Java source code, removing the need for any prerequisite knowledge of bytecode internals and allowing anyone with a basic working knowledge of Java to develop a sophisticated rootkit. Since the tool's original release in 2016, development has continued while incorporating community feedback. Along with improved documentation, bug fixes, and rigorous unit testing come the ability to create multiphase manipulations, incremental compilation, an improved Metasploit post module, and integration with the Atlas program analysis framework. By including interactive visual program analysis capabilities, JReFrameworker can automatically generate payloads for arbitrary programs at the click of a mouse (think Minority Report meets rootkit development). Finally, we explore alternate applications of the framework for reverse engineering and hardening third-party applications. At the end, a special Derbycon release of the tool, which includes a little something extra, will be revealed.
Venue: Derbycon 7.0, Louisville, Kentucky, September 2017.
Author: Benjamin Holland