1708212af9
Emulated applications are currently able to access files from the host system, rather than being restricted to the virtualized file system, by using `Section` related Syscalls. This behavior appears to have been introduced in: - 2024-12-13: [Prepare better section support (syscalls.cpp:582)](719a50444e (diff-96c7de348bdc06e650bdc371a600a91f80594d4201afd7a28ffa160fa755be9dR582)) - 2025-10-13: [Comprehensive WOW64 subsystem implementation (section.cpp:141)](65eecf1cfd (diff-415eed3b4b314dc10cc9f7926687770be53799766bc9a4edca2a7f4a45477169R141))) Because the emulator is [advertised for malware analysis](https://github.com/momo5502/sogen/blob/main/README.md), this unintended access path could be considered a security concern. This PR only fixes two current misuses of an API that interacts with the host system. As a long term solution, APIs that interact with host resources should consistently use C++ types that enforce translation of resource identifiers (e.g., file and registry paths) into their emulated equivalents. This would help prevent future misuse and ensure that emulated applications remain isolated from the host environment.
Sogen is a high-performance Windows user space emulator that operates at syscall level, providing full control over process execution through comprehensive hooking capabilities.
Perfect for security research, malware analysis, and DRM research where fine-grained control over process execution is required.
Built in C++ and powered by the Unicorn Engine or the icicle-emu.
Try it out: sogen.dev
Key Features
- 🔄 Syscall-Level Emulation
- Instead of reimplementing Windows APIs, the emulator operates at the syscall level, allowing it to leverage existing system DLLs
- 📝 Advanced Memory Management
- Supports Windows-specific memory types including reserved, committed, built on top of Unicorn's memory management
- 📦 Complete PE Loading
- Handles executable and DLL loading with proper memory mapping, relocations, and TLS
- ⚡ Exception Handling
- Implements Windows structured exception handling (SEH) with proper exception dispatcher and unwinding support
- 🧵 Threading Support
- Provides a scheduled (round-robin) threading model
- 💾 State Management
- Supports both full state serialization and
fast in-memory snapshots(currently broken 😕)
- Supports both full state serialization and
- 💻 Debugging Interface
- Implements GDB serial protocol for integration with common debugging tools (IDA Pro, GDB, LLDB, VS Code, ...)
Preview
YouTube Overview
Click here for the slides.
Quick Start (Windows + Visual Studio)
Tip
Checkout the Wiki for more details on how to build & run the emulator on Windows, Linux, macOS, ...
1. Checkout the code:
git clone --recurse-submodules https://github.com/momo5502/sogen.git
2. Run the following command in an x64 Development Command Prompt in the cloned directory:
cmake --preset=vs2022
3. Build the solution that was generated at build/vs2022/emulator.sln
4. Create a registry dump by running the grab-registry.bat as administrator and place it in the artifacts folder next to the analyzer.exe
5. Run the program of your choice:
analyzer.exe C:\example.exe