Sogen Windows user-space emulator bindings

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for momo5502 from gravatar.com momo5502

Unverified details

These details have not been verified by PyPI
Meta
  • License: GNU General Public License v2 (GPLv2) (GPL-2.0-only)
  • Author: momo5502
  • Requires: Python >=3.9
Classifiers
Report project as malware

Project description


Sogen is a high-performance Windows user space emulator that operates at syscall level, providing full control over process execution through comprehensive hooking capabilities.

Perfect for security research, malware analysis, and DRM research where fine-grained control over process execution is required.

Built in C++ and powered by the backend of your choice:

Try it out: sogen.dev

[!WARNING]
Caution is advised when analyzing malware in Sogen, as host isolation might not be perfect.
To mitigate potential risk, use the web version to benefit from the additional safety provided by your browser's sandbox.

Key Features

  • 🔄 Syscall-Level Emulation
    • Instead of reimplementing Windows APIs, the emulator operates at the syscall level, allowing it to leverage existing system DLLs
  • 📝 Advanced Memory Management
    • Supports Windows-specific memory types including reserved, committed, built on top of Unicorn's memory management
  • 📦 Complete PE Loading
    • Handles executable and DLL loading with proper memory mapping, relocations, and TLS
  • Exception Handling
    • Implements Windows structured exception handling (SEH) with proper exception dispatcher and unwinding support
  • 🧵 Threading Support
    • Provides a scheduled (round-robin) threading model
  • 💾 State Management
    • Supports both full state serialization and fast in-memory snapshots
  • 💻 Debugging Interface
    • Implements GDB serial protocol for integration with common debugging tools (IDA Pro, GDB, LLDB, VS Code, ...)

Preview

Preview

YouTube Overview

YouTube Video

Click here for the slides.

Python Bindings

Install with:

pip install sogen

Python bindings require an emulation root. You can download a ready-made root here, or create your own by following the instructions in the wiki.

Example:

import sogen

emu = sogen.create_application("c:/test-sample.exe", None, emulation_root="./root")


def on_module_load(module):
    if module.name.lower() == "test-sample.exe":
        emu.hooks.memory_execution_at(module.entry_point, lambda address: print(f"hit entry point: 0x{address:x}"))

emu.callbacks.on_module_load = on_module_load
emu.start()
print(emu.process.exit_status)

See examples/python/README.md for setup details and a larger example.

Quick Start (Windows + Visual Studio)

[!TIP]
Checkout the Wiki for more details on how to build & run the emulator on Windows, Linux, macOS, ...

1. Checkout the code:

git clone --recurse-submodules https://github.com/momo5502/sogen.git

2. Run the following command in an x64 Development Command Prompt in the cloned directory:

cmake --preset=vs2022

3. Build the solution that was generated at build/vs2022/emulator.sln

4. Create a registry dump by running the grab-registry.bat as administrator and place it in the artifacts folder next to the analyzer.exe

5. Run the program of your choice:

analyzer.exe C:\example.exe

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for momo5502 from gravatar.com momo5502

Unverified details

These details have not been verified by PyPI
Meta
  • License: GNU General Public License v2 (GPLv2) (GPL-2.0-only)
  • Author: momo5502
  • Requires: Python >=3.9
Classifiers

Release history Release notifications | RSS feed

0.0.1.dev4189 pre-release

0.0.1.dev4169 pre-release

0.0.1.dev4155 pre-release

0.0.1.dev4150 pre-release

0.0.1.dev4143 pre-release

0.0.1.dev4137 pre-release

0.0.1.dev4132 pre-release

0.0.1.dev4126 pre-release

0.0.1.dev4122 pre-release

0.0.1.dev4120 pre-release

0.0.1.dev4112 pre-release

0.0.1.dev4109 pre-release

0.0.1.dev4107 pre-release

0.0.1.dev4104 pre-release

0.0.1.dev4101 pre-release

0.0.1.dev4099 pre-release

0.0.1.dev4085 pre-release

0.0.1.dev3996 pre-release

0.0.1.dev3976 pre-release

0.0.1.dev3973 pre-release

0.0.1.dev3968 pre-release

0.0.1.dev3928 pre-release

0.0.1.dev3926 pre-release

0.0.1.dev3924 pre-release

0.0.1.dev3919 pre-release

0.0.1.dev3917 pre-release

0.0.1.dev3911 pre-release

0.0.1.dev3905 pre-release

0.0.1.dev3880 pre-release

0.0.1.dev3878 pre-release

0.0.1.dev3875 pre-release

0.0.1.dev3870 pre-release

0.0.1.dev3869 pre-release

0.0.1.dev3860 pre-release

0.0.1.dev3858 pre-release

0.0.1.dev3819 pre-release

0.0.1.dev3815 pre-release

0.0.1.dev3814 pre-release

0.0.1.dev3810 pre-release

0.0.1.dev3808 pre-release

0.0.1.dev3796 pre-release

0.0.1.dev3774 pre-release

0.0.1.dev3748 pre-release

0.0.1.dev3742 pre-release

0.0.1.dev3740 pre-release

0.0.1.dev3731 pre-release

0.0.1.dev3727 pre-release

0.0.1.dev3706 pre-release

0.0.1.dev3701 pre-release

0.0.1.dev3696 pre-release

0.0.1.dev3692 pre-release

0.0.1.dev3690 pre-release

0.0.1.dev3686 pre-release

0.0.1.dev3682 pre-release

0.0.1.dev3678 pre-release

0.0.1.dev3675 pre-release

0.0.1.dev3671 pre-release

0.0.1.dev3663 pre-release

0.0.1.dev3662 pre-release

0.0.1.dev3660 pre-release

0.0.1.dev3653 pre-release

0.0.1.dev3650 pre-release

0.0.1.dev3646 pre-release

0.0.1.dev3616 pre-release

0.0.1.dev3610 pre-release

0.0.1.dev3604 pre-release

0.0.1.dev3603 pre-release

0.0.1.dev3601 pre-release

0.0.1.dev3600 pre-release

0.0.1.dev3599 pre-release

0.0.1.dev3591 pre-release

0.0.1.dev3590 pre-release

0.0.1.dev3583 pre-release

0.0.1.dev3578 pre-release

0.0.1.dev3530 pre-release

0.0.1.dev3528 pre-release

0.0.1.dev3524 pre-release

0.0.1.dev3516 pre-release

0.0.1.dev3514 pre-release

0.0.1.dev3513 pre-release

0.0.1.dev3512 pre-release

0.0.1.dev3505 pre-release

This version

0.0.1.dev3497 pre-release

0.0.1.dev3488 pre-release

0.0.1.dev3486 pre-release

0.0.1.dev3485 pre-release

0.0.1.dev3483 pre-release

0.0.1.dev3478 pre-release

0.0.1.dev3477 pre-release

0.0.1.dev3476 pre-release

0.0.1.dev3471 pre-release

0.0.1.dev3459 pre-release

0.0.1.dev3458 pre-release

0.0.1.dev3455 pre-release

0.0.1.dev3445 pre-release

0.0.1.dev3440 pre-release

0.0.1.dev3425 pre-release

0.0.1.dev3422 pre-release

0.0.1.dev3408 pre-release

0.0.1.dev3391 pre-release

0.0.1.dev1 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sogen-0.0.1.dev3497.tar.gz (21.0 MB view details)

Uploaded Source

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

sogen-0.0.1.dev3497-cp39-cp39-win_amd64.whl (3.7 MB view details)

Uploaded CPython 3.9Windows x86-64

sogen-0.0.1.dev3497-cp39-cp39-manylinux_2_39_x86_64.whl (6.7 MB view details)

Uploaded CPython 3.9manylinux: glibc 2.39+ x86-64

sogen-0.0.1.dev3497-cp39-cp39-macosx_15_0_x86_64.whl (5.5 MB view details)

Uploaded CPython 3.9macOS 15.0+ x86-64

sogen-0.0.1.dev3497-cp39-cp39-macosx_15_0_arm64.whl (4.7 MB view details)

Uploaded CPython 3.9macOS 15.0+ ARM64

File details

Details for the file sogen-0.0.1.dev3497.tar.gz.

File metadata

  • Download URL: sogen-0.0.1.dev3497.tar.gz
  • Upload date:
  • Size: 21.0 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for sogen-0.0.1.dev3497.tar.gz
Algorithm Hash digest
SHA256 0d46927faa16742ede8aca1f96a8ee7fa7a14c83fa0920d2a6475f4761c067b3
MD5 bce77fac6948c5f1dd2e2122d0aeb4fa
BLAKE2b-256 8e8b32a240b3d6be93cea27c87bcf28bc2c9130ae37885b0a070f3ea92ca2472

See more details on using hashes here.

Provenance

The following attestation bundles were made for sogen-0.0.1.dev3497.tar.gz:

Publisher: build-push.yml on momo5502/sogen

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sogen-0.0.1.dev3497-cp39-cp39-win_amd64.whl.

File metadata

File hashes

Hashes for sogen-0.0.1.dev3497-cp39-cp39-win_amd64.whl
Algorithm Hash digest
SHA256 ed1636b46c12804eb19ce543b5d78e2fcb1b007d17a6092439633e23e274b08e
MD5 40e2d66b90400ea74cb2200d8b53d373
BLAKE2b-256 4bef560587d25223e697e13cafb3f378cac111e7b1be6b9919521f198fa100f3

See more details on using hashes here.

Provenance

The following attestation bundles were made for sogen-0.0.1.dev3497-cp39-cp39-win_amd64.whl:

Publisher: build-push.yml on momo5502/sogen

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sogen-0.0.1.dev3497-cp39-cp39-manylinux_2_39_x86_64.whl.

File metadata

File hashes

Hashes for sogen-0.0.1.dev3497-cp39-cp39-manylinux_2_39_x86_64.whl
Algorithm Hash digest
SHA256 9d06851e729c0150b9779ea0675f4dcfeb1eeaae43528ef9cf2d8024b4879804
MD5 bc0f2de84f14b4414838cad211eb09ba
BLAKE2b-256 968cb8359d6167971b803713f32d936f022bc0430fdf19adee6aea9d6e9ccfc0

See more details on using hashes here.

Provenance

The following attestation bundles were made for sogen-0.0.1.dev3497-cp39-cp39-manylinux_2_39_x86_64.whl:

Publisher: build-push.yml on momo5502/sogen

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sogen-0.0.1.dev3497-cp39-cp39-macosx_15_0_x86_64.whl.

File metadata

File hashes

Hashes for sogen-0.0.1.dev3497-cp39-cp39-macosx_15_0_x86_64.whl
Algorithm Hash digest
SHA256 b9ac833cbabf1f67644d8b252b973f8c707e6d0a3b4fffc5105cf027169f0da2
MD5 510b870fe76a109f27bbea9d3ad12dcb
BLAKE2b-256 f82623ff2dc5d560297b6e4e9e08c2e97c58f4cb50e59a96dead263e5487307e

See more details on using hashes here.

Provenance

The following attestation bundles were made for sogen-0.0.1.dev3497-cp39-cp39-macosx_15_0_x86_64.whl:

Publisher: build-push.yml on momo5502/sogen

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sogen-0.0.1.dev3497-cp39-cp39-macosx_15_0_arm64.whl.

File metadata

File hashes

Hashes for sogen-0.0.1.dev3497-cp39-cp39-macosx_15_0_arm64.whl
Algorithm Hash digest
SHA256 5f210f3609115b79df3e8678922797649ba1617df859860135a3aa09f92a5bee
MD5 ec47ad32439a96dcd0d5a7ff5fd838be
BLAKE2b-256 8fa3ac1dd1b058a8c2f084562fe61d2f62eddfa36978969e7176eba3468dc6b5

See more details on using hashes here.

Provenance

The following attestation bundles were made for sogen-0.0.1.dev3497-cp39-cp39-macosx_15_0_arm64.whl:

Publisher: build-push.yml on momo5502/sogen

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page