A hybrid semi-emulated, semi-native Windows kernel driver emulator designed for advanced rootkit and anti-cheat analysis, addressing the limitations of existing emulation solutions.
This project has been accepted by CODEBLUE 2025: Bypassing Anti-Debugging: A Hybrid Real-Simulated Approach to Rootkit Analysis
KDemu's hybrid architecture consists of:
- Emulation Engine (`Emulate.cpp/hpp`): Kernel API implementations with intelligent hook management
- PE Loader (`LoadPE.cpp/hpp`): Advanced PE parsing with kernel dump integration and driver overwriting
- Kernel Dump Manager: Real-time kernel memory dump analysis and parameter extraction
- SEH Handler: Native Windows exception handling using InvertedFunctionTableList
- Multithreading Engine: Parallel execution with memory locking and context management
- Anti-Detection Layer: MSR handling, hypervisor evasion, and detection countermeasures
- Monitoring System: Object access tracking and register operation logging
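The SEH Handler bullet above relies on the same two-level lookup the kernel performs when it dispatches an exception natively: first find the loaded image that contains the faulting RIP in the inverted function table, then binary-search that image's `.pdata` (`RUNTIME_FUNCTION` array) for the entry covering the RVA. The block below is an added example of that lookup written for this README; it is not KDemu's code, the field layout of `INVERTED_FUNCTION_TABLE_ENTRY` follows public reverse engineering of ntoskrnl and is an assumption here, and the image base and `.pdata` entries are constructed sample values.

```cpp
#include <cstdint>
#include <vector>
#include <optional>

// x64 exception-directory entry (all fields are RVAs) and the per-image entry
// ntoskrnl keeps in PsInvertedFunctionTable. Layout/field names are an
// assumption taken from public reverse engineering, not from KDemu.
struct RuntimeFunction { uint32_t BeginAddress, EndAddress, UnwindData; };
struct InvertedFunctionTableEntry {
    const RuntimeFunction* FunctionTable;  // the image's .pdata
    uint64_t ImageBase;
    uint32_t SizeOfImage;
    uint32_t SizeOfTable;                  // size of .pdata in bytes
};

// Step 1: which registered image contains the faulting address?
std::optional<InvertedFunctionTableEntry> findImage(
        const std::vector<InvertedFunctionTableEntry>& table, uint64_t rip) {
    for (const auto& e : table)
        if (rip >= e.ImageBase && rip < e.ImageBase + e.SizeOfImage) return e;
    return std::nullopt;  // not registered: native dispatch cannot unwind here
}

// Step 2: binary-search the RUNTIME_FUNCTION array (sorted by BeginAddress).
// Returns nullptr when rva falls in a gap (leaf function or padding).
const RuntimeFunction* findFunction(const InvertedFunctionTableEntry& img, uint64_t rip) {
    uint32_t rva = static_cast<uint32_t>(rip - img.ImageBase);
    size_t lo = 0, hi = img.SizeOfTable / sizeof(RuntimeFunction);
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        const RuntimeFunction& f = img.FunctionTable[mid];
        if (rva < f.BeginAddress)      hi = mid;
        else if (rva >= f.EndAddress)  lo = mid + 1;
        else                           return &f;
    }
    return nullptr;
}

// Constructed sample: one driver image with two functions in its .pdata.
static const RuntimeFunction kPdata[] = {
    {0x1000, 0x1080, 0x3000},
    {0x1100, 0x1250, 0x3010},
};
static const std::vector<InvertedFunctionTableEntry> kTable = {
    {kPdata, 0xFFFFF80012340000ULL, 0x8000, sizeof(kPdata)},
};

// Unwind-info RVA for a fault at rip, or 0 when no image/function covers it.
uint32_t unwindInfoFor(uint64_t rip) {
    auto img = findImage(kTable, rip);
    if (!img) return 0;
    const RuntimeFunction* f = findFunction(*img, rip);
    return f ? f->UnwindData : 0;
}
```

If the loaded driver is not registered in the table, the first lookup fails and the exception cannot be handled natively, which is why an emulator that wants native SEH must insert its own entry.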
- Clone the repository:

  ```sh
  git clone <repository-url>
  cd KDemu
  ```

- Install dependencies via vcpkg:

  ```sh
  vcpkg install unicorn capstone
  ```

- Build the project:
  - Open `KDemu.sln` in Visual Studio
  - Select the Release configuration (x64)
  - Build the solution
- Download the memory dump from https://drive.google.com/file/d/1MDZ2s7RLGvypC0FDS6MOYgMglTyU6O9n/view?usp=sharing and put it into the KDemu folder
- Kernel Memory Dump: Obtain a Windows kernel memory dump (`mem.dmp`) captured at a driver entry breakpoint. If you use another kernel dump, you have to change some of the parameters, such as base addresses and register values.
- Target Driver: Place the driver you want to analyze in the project directory
Enable GDB server support by uncommenting the `gdbServer()` call in `mainThread()`.
```
KDemu/
├── KDemu/
│   ├── KDemu.cpp          # Main entry point
│   ├── Emulate.cpp/hpp    # API emulation engine
│   ├── LoadPE.cpp/hpp     # PE loader and memory management
│   ├── UnicornEmu.hpp     # Unicorn engine wrapper
│   ├── Global.h           # Common definitions
│   ├── NtType.hpp         # Windows type definitions
│   ├── include/           # Third-party headers
│   └── lib/               # Static libraries
├── vcpkg.json             # Package dependencies
└── KDemu.sln              # Visual Studio solution
```
If you want to analyze EAC, the emulation will exit with a triple fault because Unicorn cannot handle the divide-by-zero exception (unicorn-engine/unicorn#1883).
When this error occurs, you should clone the Unicorn object and restart it to reset the fault state.
For the Nexon driver, it scans the bootloader, but our dump lacks the bootloader's memory :(
ShallowFeather & HeroBurger
- Unicorn Engine - CPU emulation framework
- Capstone - Disassembly engine
- LIEF - Binary analysis library (contributed bug fix)
- kdmp-parser - Kernel dump parsing
- KACE (Kernel AntiCheat Emulator) - Inspiration for user-mode to kernel-mode mapping
- What The Fuzz - Kernel dump utilization concepts
- Speakeasy & Qiling - Object monitoring and API emulation approaches