Windows User Space Emulator

A high-performance Windows process emulator that operates at syscall level, providing full control over process execution through comprehensive hooking capabilities. Perfect for security research, malware analysis, and DRM research where fine-grained control over process execution is required. Built in C++ and powered by the [Unicorn Engine](https://github.com/unicorn-engine/unicorn) (or the [icicle-emu](https://github.com/icicle-emu/icicle-emu) ๐Ÿ†•). ## Key Features * ๐Ÿ”„ __Syscall-Level Emulation__ * Instead of reimplementing Windows APIs, the emulator operates at the syscall level, allowing it to leverage existing system DLLs * ๐Ÿ“ __Advanced Memory Management__ * Supports Windows-specific memory types including reserved, committed, built on top of Unicorn's memory management * ๐Ÿ“ฆ __Complete PE Loading__ * Handles executable and DLL loading with proper memory mapping, relocations, and TLS * โšก __Exception Handling__ * Implements Windows structured exception handling (SEH) with proper exception dispatcher and unwinding support * ๐Ÿงต __Threading Support__ * Provides a scheduled (round-robin) threading model * ๐Ÿ’พ __State Management__ * Supports both full state serialization and ~~fast in-memory snapshots~~ (currently broken ๐Ÿ˜•) * ๐Ÿ’ป __Debugging Interface__ * Implements GDB serial protocol for integration with common debugging tools (IDA Pro, GDB, LLDB, VS Code, ...) ## > [!NOTE] > The project is still in a very early, prototypical state. The code still needs a lot of cleanup and many features and syscalls need to be implemented. However, constant progress is being made :) ## Preview ![Preview](./docs/images/preview.jpg) ## YouTube Overview [![YouTube video](./docs/images/yt.jpg)](https://www.youtube.com/watch?v=wY9Q0DhodOQ) Click here for the slides. ## Quick Start (Windows + Visual Studio) > [!TIP] > Checkout the [Wiki](https://github.com/momo5502/emulator/wiki) for more details on how to build & run the emulator on Windows, Linux, macOS, ... 1\. Checkout the code: ```bash git clone --recurse-submodules https://github.com/momo5502/emulator.git ``` 2\. Run the following command in an x64 Development Command Prompt in the cloned directory: ```bash cmake --preset=vs2022 ``` 3\. Build the solution that was generated at `build/vs2022/emulator.sln` 4\. Create a registry dump by running the [grab-registry.bat](https://github.com/momo5502/emulator/blob/main/src/tools/grab-registry.bat) as administrator and place it in the artifacts folder next to the `analyzer.exe` 5\. Run the program of your choice: ```bash analyzer.exe C:\example.exe ```