Bypassing Anti-Debugging: A Hybrid Real-Simulated Approach to Rootkit Analysis
DAY 2, 09:00-09:40
Reverse engineering rootkits is increasingly challenged by advanced obfuscation and packing, which hinder dynamic debugging of Windows drivers. Unicorn-based frameworks such as Speakeasy and Qiling exist, but they still fall short against anti-simulation techniques.
This research proposes a Unicorn-based semi-simulation framework that executes drivers in a hybrid real-simulated environment via partial pass-through. It extracts components from the real environment and supports parallel execution and structured exception handling in order to bypass anti-simulation and anti-debugging protections. Because it runs isolated in Ring 3, it can precisely monitor objects and registers, revealing a rootkit's logic and its self-protection mechanisms.
I will explore modern anti-debugging techniques, Unicorn applications, and a case study of a high-market-share anti-cheat engine’s kernel driver protections. After this session, attendees will gain a better understanding of internal driver protection and rootkit analysis.
Location: Track 2 (HALL A)
Category: U25
Speakers
Yong-Xu Yang
ヨンシュー・ヤン
I'm currently an intern at TeamT5, a WorldSkills Cybersecurity competitor representing Chinese Taipei, and a junior student in the Department of Computer Science and Engineering at National Sun Yat-sen University. My primary research focuses on Windows security topics, including game hacking, kernel rootkit detection, and related issues. Additionally, I am a CTF player working on reverse engineering.
Heng-Ming Fan
ヘンミン・ファン
Digs into knowledge.
Works at the National Institute of Cyber Security.
Yu Xuan Luo
ユーシュエン・ロウ
I am a senior student in the Department of Computer Science and Engineering at National Sun Yat-sen University.