Less complexity. More control.
Renef was built for researchers who need something minimal, stealthy, and fully controllable.
Challenge: Heavy frameworks are hard to extend
Our Approach: Minimal and focused — easy to understand and modify
Challenge: TCP communication is easily detected
Our Approach: Unix Domain Sockets — process-level isolation
Challenge: ptrace triggers security checks
Our Approach: memfd + shellcode injection avoids detection
Challenge: Limited control over internals
Our Approach: Full ownership — tweak anything you want
How Renef Works
A lightweight client-server architecture with memfd-based injection.
Client CLI: macOS / Linux
Server: Android ARM64
Target Process: libagent.so + Lua
Client connects via TCP port 1907 (ADB-forwarded) to the server running on Android
Server injects payload using memfd + shellcode — no ptrace required
libagent.so executes Lua scripts inside the target process context
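The two artifacts this design leaves on a device, checked from the defender's side. This is an added example, not Renef code: it parses /proc/<pid>/maps text for executable memfd-backed mappings and /proc/net/unix text for the abstract socket name "renef" used in the quick start. The sample inputs, the memfd name "agent" and the allowlist entries are constructed assumptions.

```python
import re

# Benign executable memfd names to ignore (assumption: tune per OS build).
MEMFD_ALLOWLIST = {"jit-cache", "jit-zygote-cache"}
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

# Constructed sample input; the memfd name "agent" is hypothetical.
SAMPLE_MAPS = """\
7a1c000000-7a1c021000 r-xp 00000000 00:01 4242   /memfd:agent (deleted)
7a1d000000-7a1d400000 r-xp 00000000 00:01 1337   /memfd:jit-cache (deleted)
7a20000000-7a20100000 r-xp 00000000 fd:00 9001   /system/lib64/libc.so
7a30000000-7a30010000 rw-p 00000000 00:01 4243   /memfd:agent (deleted)
"""
SAMPLE_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 20001 @renef
0000000000000000: 00000002 00000000 00010000 0001 01 20002 /dev/socket/logdw
0000000000000000: 00000003 00000000 00000000 0001 03 20003
"""

def exec_memfd_mappings(maps_text):
    """Return (start, end, name) for executable mappings backed by memfd_create()."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue  # not a maps row
        start, end, perms, path = m.groups()
        if "x" not in perms or not path.startswith("/memfd:"):
            continue  # only executable, memfd-backed regions are of interest
        name = path[len("/memfd:"):].split(" (deleted)")[0]
        if name not in MEMFD_ALLOWLIST:
            hits.append((int(start, 16), int(end, 16), name))
    return hits

def abstract_sockets(net_unix_text, names=("renef",)):
    """Return abstract-namespace socket names in /proc/net/unix text that match names."""
    found = []
    for line in net_unix_text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 7)             # unnamed sockets have only 7 fields
        if len(fields) == 8 and fields[7].startswith("@") and fields[7][1:] in names:
            found.append(fields[7][1:])
    return found

if __name__ == "__main__":
    print(exec_memfd_mappings(SAMPLE_MAPS))
    print(abstract_sockets(SAMPLE_UNIX))
```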
Everything you need for ARM64 analysis
A focused toolkit with the capabilities that matter most.
PLT/GOT and inline trampoline hooks for ARM64. Intercept any native function with Capstone-based disassembly.
Scan, read, write, and patch memory at runtime. Search for patterns and modify values on the fly.
Embedded Lua 5.4 engine with intuitive API. Write powerful instrumentation scripts with minimal boilerplate.
JNI-based Java method interception. Hook Java methods without touching the native layer.
memfd + shellcode injection avoids ptrace. Unix Domain Sockets instead of TCP for on-device communication.
Text-based UI for memory scanning operations. Real-time feedback and interactive exploration.
Real-world applications
Battle-tested techniques for security research and reverse engineering.
Intercept and modify certificate validation to analyze encrypted traffic.
hook("SSL_CTX_set_verify", {
    onEnter: (args) => {
        args[1] = SSL_VERIFY_NONE
    }
})
Hook detection methods to return false and run on rooted devices.
hook("isRooted", {
    onLeave: (retval) => {
        retval.replace(0)
    }
})
Capture encryption keys at runtime before they're used.
hook("AES_set_encrypt_key", {
    onEnter: (args) => {
        console.log(Memory.read(args[0], 32))
    }
})
Log all calls to specific functions with arguments and return values.
hook("open", {
    onEnter: (args) => {
        console.log("open:", Memory.readCString(args[0]))
    }
})
Find and modify values in memory with pattern matching.
Memory.scan(base, size, "48 65 6c 6c 6f", {
    onMatch: (addr) => {
        console.log("Found at:", addr)
    }
})
Up and running in minutes
Clone, build, and start instrumenting Android apps.
# Clone and build
git clone https://github.com/Ahmeth4n/renef
cd renef && make
# Push server to device
adb push server /data/local/tmp/
adb shell chmod +x /data/local/tmp/server
# Start server on device
adb shell /data/local/tmp/server &
# Forward port
adb forward tcp:1907 localabstract:renef
# Connect and start instrumenting
./renef -s com.byteria.keepsafe
Requires: macOS or Linux, ADB, Android device with ARM64 architecture