Lightemerald/windows-user-space-emulator
2
0
Fork 0
mirror of https://github.com/momo5502/emulator.git synced 2026-01-18 11:13:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
2,472 Commits 2 Branches 0 Tags
1f936c024d4f32aed5b72baddb30dd05767f5057
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Maurice Heumann 1f936c024d Fix thread support (#640) 
This PR fixes several things related to threads emulation:

1. Support `SameTebFlags.InitialThread`
This flag is needed to support emulation of .net executables (not yet
fully supported) that don't have an entry point set in `PE` header. This
applies to both `PE32` and `PE64` executables. If `InitialThread` is set
the loader substitutes an entry point of the .net executable with
`mscoree.dll!_CorExeMain`.

2. Fix static thread local storage for `WOW64`
This fix resolves `shell32.dll` initialization on `WOW64`. This fix also
uses correct structure and field names that are obtained from the
corresponding `.pdb` files.

3. Fix dynamic thread local storage for `WOW64`

4. Fix setting argument of a `WOW64` thread start proc

5. Fix creating suspended thread and parse create_flags
Currently creating suspended thread doesn't work because
`NtCreateThreadEx` handler uses invalid flag `CREATE_SUSPENDED`. This PR
fixes that, and moreover it carefully parses create_flags of the
`NtCreateThreadEx` call.

6. Fix `FS` and `GS` handling
This PR fixes several problems with `GS` and `FS` segments:

    * Wrong GDT descriptor for selector 0x53
* Update GDT descriptor for selector 0x53 for a `WOW64` process every
context switch like Windows does
* Set `GS` base when `GS` segment register is updated in 64-bit code
(code selector is `0x33`). When `GS` segment register is loaded with
correct selector (`0x2b`) `GS` base is set to 0. So, when the code
accesses something like `gs:[0]`, a page fault occurs. `KiPageFault`
handles this situation and sets correct `GS` base.

Also, take into account that `teb64.ExceptionList` initially contains
`teb32` address for `WOW64` process. This is used to setup `FS` base
when `wrfsbase` instruction is available. We can enable this instruction
using `kusd.ProcessorFeatures.arr[PF_RDWRFSGSBASE_AVAILABLE] = 1;` and
this work perfectly with `unicorn` backend. Unfortunately `icicle`
backend does not support `wrfsbase`, so I don't enable this instruction
by default.
2025-12-30 17:56:30 +01:00
.github
Build(deps): Bump actions/checkout from 5 to 6
2025-12-03 09:13:31 +00:00
cmake
cmake: rename MOMO_BUILD_AS_LIBRARY to SOGEN_BUILD_STATIC
2025-12-02 16:24:27 -08:00
deps
Build(deps): Bump deps/capstone from c059126 to ca42e80 (#627)
2025-12-03 10:09:08 +01:00
docs/images
Add cover image
2025-01-10 21:13:15 +01:00
page
Update YouTube embed link to include language parameter
2025-12-24 15:14:04 +01:00
src
Fix thread support (#640)
2025-12-30 17:56:30 +01:00
.clang-format
Force new line at EOF
2025-10-12 17:21:51 +02:00
.clang-format-ignore
Move clang format to root
2025-06-18 18:23:31 +02:00
.clang-tidy
Fix more warnings
2025-03-18 20:58:26 +01:00
.gitignore
Display emulation status
2025-07-11 13:43:21 +02:00
.gitmodules
Merge remote-tracking branch 'origin/main' into unicorn-upgrade-2
2025-08-23 10:40:48 +02:00
CMakeLists.txt
cmake: rename MOMO_BUILD_AS_LIBRARY to SOGEN_BUILD_STATIC
2025-12-02 16:24:27 -08:00
CMakePresets.json
Use RelWithDebInfo
2025-05-29 10:13:17 +02:00
LICENSE
Switch to GPL as unicorn requires it
2024-10-23 19:10:13 +02:00
README.md
Revise warning on malware analysis and isolation
2025-12-22 08:03:09 +01:00

README.md


Sogen is a high-performance Windows user space emulator that operates at syscall level, providing full control over process execution through comprehensive hooking capabilities.

Perfect for security research, malware analysis, and DRM research where fine-grained control over process execution is required.

Built in C++ and powered by the Unicorn Engine or the icicle-emu.

Try it out: sogen.dev

Warning

Caution is advised when analyzing malware in Sogen, as host isolation might not be perfect.
To mitigate potential risk, use the web version to benefit from the additional safety provided by your browser's sandbox.

Key Features

  • 🔄 Syscall-Level Emulation
    • Instead of reimplementing Windows APIs, the emulator operates at the syscall level, allowing it to leverage existing system DLLs
  • 📝 Advanced Memory Management
    • Supports Windows-specific memory types including reserved, committed, built on top of Unicorn's memory management
  • 📦 Complete PE Loading
    • Handles executable and DLL loading with proper memory mapping, relocations, and TLS
  • Exception Handling
    • Implements Windows structured exception handling (SEH) with proper exception dispatcher and unwinding support
  • 🧵 Threading Support
    • Provides a scheduled (round-robin) threading model
  • 💾 State Management
    • Supports both full state serialization and fast in-memory snapshots (currently broken 😕)
  • 💻 Debugging Interface
    • Implements GDB serial protocol for integration with common debugging tools (IDA Pro, GDB, LLDB, VS Code, ...)

Preview

Preview

YouTube Overview

YouTube video

Click here for the slides.

Quick Start (Windows + Visual Studio)

Tip

Checkout the Wiki for more details on how to build & run the emulator on Windows, Linux, macOS, ...

1. Checkout the code:

git clone --recurse-submodules https://github.com/momo5502/sogen.git

2. Run the following command in an x64 Development Command Prompt in the cloned directory:

cmake --preset=vs2022

3. Build the solution that was generated at build/vs2022/emulator.sln

4. Create a registry dump by running the grab-registry.bat as administrator and place it in the artifacts folder next to the analyzer.exe

5. Run the program of your choice:

analyzer.exe C:\example.exe
Description
🪅 Windows User Space Emulator
emulatorhacktoberfestreverse-engineeringwindows
Readme GPL-2.0 16 MiB
Languages
C++ 85.1%
TypeScript 9.9%
Rust 2.6%
CMake 1.5%
CSS 0.3%
Other 0.5%