Maurice Heumann a33d2d0c2f Add KsecDD device and other improvements (#357)
This PR aims to:
- [Improve
NtQueryInformationToken](d7b8b78cef),
by handling more token types and also fixing TokenIntegrityLevel to
return a proper integrity SID.
- [Add new
pseudo-handles](ac804939d9).
- [Add the KsecDD device and support for devices in
NtQueryObject](ca61a7cd3b).
- [Add new
syscalls](4b6e0f088d),
to be more specific, the syscalls added were the following ones:
`NtRemoveIoCompletion`, `NtSetInformationWorkerFactory`,
`NtShutdownWorkerFactory`, `NtGetCurrentProcessorNumber`,
`NtCreateTimer`, `NtSetTimer`, `NtSetTimer2`, `NtCancelTimer`,
`NtAssociateWaitCompletionPacket`, `NtCancelWaitCompletionPacket`,
`NtSetWnfProcessNotificationEvent`, `NtQuerySecurityObject`.

Most of the changes in this PR were made to get BCryptGenRandom working
in the emulator. Even with the KsecDD device implemented,
BCryptGenRandom only works for subsequent calls if NtCreateWorkerFactory
returns STATUS_SUCCESS. Returning STATUS_SUCCESS from
NtCreateWorkerFactory causes most of the newly added syscalls to be
called, and most of them need to return STATUS_SUCCESS as well;
otherwise, the executable just fails to run. Fortunately, from my
testing, nothing seems to break from just returning STATUS_SUCCESS
without a proper implementation.
2025-06-02 19:53:16 +02:00

Sogen

Sogen is a high-performance Windows user space emulator that operates at syscall level, providing full control over process execution through comprehensive hooking capabilities.

Perfect for security research, malware analysis, and DRM research where fine-grained control over process execution is required.

Built in C++ and powered by the Unicorn Engine (or the icicle-emu 🆕).

Try it out: sogen.dev

Key Features

  • 🔄 Syscall-Level Emulation
    • Instead of reimplementing Windows APIs, the emulator operates at the syscall level, allowing it to leverage existing system DLLs
  • 📝 Advanced Memory Management
    • Supports Windows-specific memory types, including reserved and committed memory, built on top of Unicorn's memory management
  • 📦 Complete PE Loading
    • Handles executable and DLL loading with proper memory mapping, relocations, and TLS
  • Exception Handling
    • Implements Windows structured exception handling (SEH) with proper exception dispatcher and unwinding support
  • 🧵 Threading Support
    • Provides a scheduled (round-robin) threading model
  • 💾 State Management
    • Supports both full state serialization and fast in-memory snapshots (currently broken 😕)
  • 💻 Debugging Interface
    • Implements GDB serial protocol for integration with common debugging tools (IDA Pro, GDB, LLDB, VS Code, ...)

Note

The project is still in a very early, prototypical state. The code still needs a lot of cleanup and many features and syscalls need to be implemented. However, constant progress is being made :)

Quick Start (Windows + Visual Studio)

Tip

Check out the Wiki for more details on how to build & run the emulator on Windows, Linux, macOS, ...

1. Check out the code:

git clone --recurse-submodules https://github.com/momo5502/sogen.git

2. Run the following command in an x64 Development Command Prompt in the cloned directory:

cmake --preset=vs2022

3. Build the solution that was generated at build/vs2022/emulator.sln

4. Create a registry dump by running grab-registry.bat as administrator, and place it in the artifacts folder next to analyzer.exe

5. Run the program of your choice:

analyzer.exe C:\example.exe