This is my attempt at solving #383

- For KnownDLLs I create the section objects at process setup; later, in NtOpenSection, I check if the root directory is KnownDLL or if the path starts with "\\KnownDll", and create a handle to the section object.
- For handling STATUS_IMAGE_NOT_AT_BASE, I maintain a map of module filepath -> module load count. At first load the module will get either the preferred image or whatever the memory manager gives, and if the load count is greater than 1, I return STATUS_IMAGE_NOT_AT_BASE; for that I had to allow loading multiple copies of the same DLL.
- Refactored some stuff; some functions that were used for PE file parsing are now under the winpe namespace.
- Added a dummy handler for NtFlushInstructionCache; WOW64 seems to need it while loading.
- Remapping of win32u.dll and returning STATUS_IMAGE_NOT_AT_BASE is problematic because ntdll.dll checks for that and eventually crashes, so as a workaround I don't allow remapping of it.
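The two mechanisms the PR text describes, the KnownDLLs section lookup in NtOpenSection and the "second load of the same DLL is reported as STATUS_IMAGE_NOT_AT_BASE" rule with the win32u.dll exemption, are illustrated below as a self-contained model. This is an added example and not Sogen's code: `image_mapper`, `map_image`, `is_known_dll_section` and the toy address-space allocator are assumptions made for the illustration, and reusing the first mapping for a repeated win32u.dll load is one reading of "I don't allow remapping of it". Only the NTSTATUS names and values are the real Windows ones.

```cpp
// Added example (not Sogen's code): model of the KnownDLLs section check and
// of the load-count based STATUS_IMAGE_NOT_AT_BASE decision described in the PR.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <utility>
#include <vector>

constexpr uint32_t STATUS_SUCCESS = 0x00000000;
constexpr uint32_t STATUS_IMAGE_NOT_AT_BASE = 0x40000003;

// Windows object and file names are case-insensitive, so one load counter must
// cover "NTDLL.DLL" and "ntdll.dll" alike.
static std::string to_lower(std::string s)
{
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// NtOpenSection view (assumed helper): the request targets a KnownDLLs section
// when the RootDirectory handle is the KnownDlls directory itself, or when the
// object name is an absolute path starting with "\KnownDll" (prefix check, as in the PR).
static bool is_known_dll_section(bool root_is_known_dlls, const std::string& object_name)
{
    if (root_is_known_dlls) return true;
    return to_lower(object_name).rfind("\\knowndll", 0) == 0;
}

struct mapped_image
{
    uint64_t base;
    uint32_t status;     // STATUS_SUCCESS or STATUS_IMAGE_NOT_AT_BASE
    bool needs_relocs;   // what a loader does after seeing STATUS_IMAGE_NOT_AT_BASE
};

class image_mapper
{
public:
    mapped_image map_image(const std::string& path, uint64_t preferred_base, uint64_t size)
    {
        const std::string key = to_lower(path);
        const uint32_t count = ++load_count_[key];

        // PR workaround: win32u.dll is never remapped because ntdll checks for
        // STATUS_IMAGE_NOT_AT_BASE on it. A repeated load hands back the first mapping.
        const std::string exempt = "win32u.dll";
        if (count > 1 && key.size() >= exempt.size() &&
            key.compare(key.size() - exempt.size(), exempt.size(), exempt) == 0)
            return {first_base_[key], STATUS_SUCCESS, false};

        // First load: the preferred base if free, else whatever the "memory manager" gives.
        // Any later copy: a fresh range, reported as STATUS_IMAGE_NOT_AT_BASE.
        uint64_t base = preferred_base;
        if (!is_free(base, size)) base = find_free(size);
        used_.push_back({base, base + size});
        if (count == 1) first_base_[key] = base;

        const uint32_t status = count > 1 ? STATUS_IMAGE_NOT_AT_BASE : STATUS_SUCCESS;
        return {base, status, status == STATUS_IMAGE_NOT_AT_BASE};
    }

    uint32_t load_count(const std::string& path) const
    {
        const auto it = load_count_.find(to_lower(path));
        return it == load_count_.end() ? 0 : it->second;
    }

private:
    std::map<std::string, uint32_t> load_count_;  // module path -> load count (from the PR)
    std::map<std::string, uint64_t> first_base_;  // where the first copy landed
    std::vector<std::pair<uint64_t, uint64_t>> used_;  // [start, end) mapped ranges

    bool is_free(uint64_t start, uint64_t size) const
    {
        const uint64_t end = start + size;
        for (const auto& r : used_)
            if (start < r.second && r.first < end) return false;
        return true;
    }

    // Toy memory manager: first 64 KiB-aligned hole at or above 0x10000.
    uint64_t find_free(uint64_t size) const
    {
        uint64_t candidate = 0x10000;
        while (!is_free(candidate, size)) candidate += 0x10000;
        return candidate;
    }
};

int main()
{
    image_mapper mapper;
    const std::string ntdll = "C:\\Windows\\System32\\ntdll.dll";  // constructed sample path
    const auto first = mapper.map_image(ntdll, 0x180000000ULL, 0x200000);
    const auto second = mapper.map_image(ntdll, 0x180000000ULL, 0x200000);
    std::printf("first  base=%llx status=%08x\n", (unsigned long long)first.base, first.status);
    std::printf("second base=%llx status=%08x relocate=%d\n",
                (unsigned long long)second.base, second.status, second.needs_relocs);
    return 0;
}
```

The model deliberately keeps the PR's simplification: the status depends on the load count, not on whether the preferred base happened to be free, which is why a first load that is displaced by another image still reports STATUS_SUCCESS.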
Sogen is a high-performance Windows user space emulator that operates at syscall level, providing full control over process execution through comprehensive hooking capabilities.
Perfect for security research, malware analysis, and DRM research where fine-grained control over process execution is required.
Built in C++ and powered by the Unicorn Engine or the icicle-emu.
Try it out: sogen.dev
Warning
Caution is advised when analyzing malware in Sogen, as host isolation might not be perfect.
To mitigate potential risk, use the web version to benefit from the additional safety provided by your browser's sandbox.
Key Features
- 🔄 Syscall-Level Emulation
- Instead of reimplementing Windows APIs, the emulator operates at the syscall level, allowing it to leverage existing system DLLs
- 📝 Advanced Memory Management
- Supports Windows-specific memory types, including reserved and committed memory, built on top of Unicorn's memory management
- 📦 Complete PE Loading
- Handles executable and DLL loading with proper memory mapping, relocations, and TLS
- ⚡ Exception Handling
- Implements Windows structured exception handling (SEH) with proper exception dispatcher and unwinding support
- 🧵 Threading Support
- Provides a scheduled (round-robin) threading model
- 💾 State Management
- Supports both full state serialization and fast in-memory snapshots (currently broken 😕)
- 💻 Debugging Interface
- Implements GDB serial protocol for integration with common debugging tools (IDA Pro, GDB, LLDB, VS Code, ...)
Preview
YouTube Overview
Click here for the slides.
Quick Start (Windows + Visual Studio)
Tip
Check out the Wiki for more details on how to build & run the emulator on Windows, Linux, macOS, ...
1. Check out the code:
git clone --recurse-submodules https://github.com/momo5502/sogen.git
2. Run the following command in an x64 Development Command Prompt in the cloned directory:
cmake --preset=vs2022
3. Build the solution that was generated at build/vs2022/emulator.sln
4. Create a registry dump by running grab-registry.bat as administrator and place it in the artifacts folder next to analyzer.exe
5. Run the program of your choice:
analyzer.exe C:\example.exe