CODE BLUE 2025

Bypassing Anti-Debugging: A Hybrid Real-Simulated Approach to Rootkit Analysis

DAY 2

09:00-09:40

Reverse engineering rootkits is increasingly challenged by advanced obfuscation and packing, which hinder dynamic debugging of Windows drivers. While Unicorn-based frameworks such as Speakeasy and Qiling exist, they remain insufficient against anti-simulation techniques.

This research proposes a Unicorn-based semi-simulation framework that executes drivers in a hybrid real-simulated environment via partial pass-through. It extracts real environment components and supports parallel execution and structured exception handling to bypass anti-simulation and anti-debugging protections. Running isolated in Ring 3, it can precisely monitor objects and registers, revealing rootkits' logic and their self-protection mechanisms.

I will explore modern anti-debugging techniques, Unicorn applications, and a case study of the kernel driver protections of a high-market-share anti-cheat engine. After this session, attendees will have a better understanding of internal driver protection and rootkit analysis.

  • Location :

    • Track 2(HALL A)

  • Category :

    • U25

Speakers

  • Yong-Xu Yang

    ヨンシュー・ヤン

    I'm currently an intern at TeamT5, a WorldSkills Cybersecurity competitor representing Chinese Taipei, and a junior student in the Department of Computer Science and Engineering at National Sun Yat-sen University. My primary research focuses on Windows security topics, including game hacking, kernel rootkit detection, and related issues. Additionally, I am a CTF player working on reverse.

  • Heng-Ming Fan

    ヘンミン・ファン

    Dig knowledge
    Work at National Institute of Cyber Security

  • Yu Xuan Luo

    ユーシュエン・ロウ

    I am a senior student in the Department of Computer Science and Engineering at National Sun Yat-sen University.