Sogen Windows user-space emulator bindings

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for momo5502 from gravatar.com momo5502

Unverified details

These details have not been verified by PyPI
Meta
  • License: GNU General Public License v2 (GPLv2) (GPL-2.0-only)
  • Author: momo5502
  • Requires: Python >=3.9
Classifiers
Report project as malware

Project description

Sogen

Sogen exposes Python bindings for its Windows userspace emulator. The Python API is meant for scripting runs, building small analysis helpers, and quickly iterating on callbacks and hooks without rebuilding C++.

Install from PyPI:

pip install sogen

Project links:

What you need

The Python package still needs an emulation root at runtime. Download ready-made root here:

Extract it somewhere convenient, for example:

./root

Most examples in this document use:

emulation_root="./root"

Quick start

import sogen

app = sogen.windows.create_application(
    "c:/test-sample.exe",
    emulation_root="./root",
)

app.callbacks.on_stdout = lambda text: print(text, end="")
app.start()
print("exit status:", app.process.exit_status)

Minimal example with file + port mappings

from pathlib import Path
import sogen

app = sogen.windows.create_application(
    "c:/test-sample.exe",
    emulation_root="./root",
    path_mappings={"c:/a.txt": Path("./a.txt")},
    port_mappings={28970: 28980},
)

app.callbacks.on_stdout = lambda text: print(text, end="")
app.start()
print("exit status:", app.process.exit_status)

Choosing backend

sogen.windows.create_empty() and sogen.windows.create_application() accept an explicit backend.

import sogen

emu = sogen.windows.create_empty(
    emulation_root="./root",
    backend=sogen.Backend.unicorn,
)

Available values:

  • sogen.Backend.unicorn
  • sogen.Backend.icicle
  • sogen.Backend.whp

Default is sogen.Backend.unicorn.

High-level structure

Main entry points:

  • sogen.windows.create_empty(...)
  • sogen.windows.create_application(...)

Compatibility aliases currently remain at top level:

  • sogen.create_empty(...)
  • sogen.create_application(...)

Common objects exposed by the bindings:

  • sogen.windows.Emulator / sogen.windows.WindowsEmulator
  • ProcessContext
  • Thread
  • MemoryManager
  • Hooks
  • Callbacks

Common things you will do:

  • run application with app.start()
  • watch output with app.callbacks.on_stdout
  • react to module loads with app.callbacks.on_module_load
  • intercept WinAPI calls with app.hooks.apis[...]
  • read/write emulator memory with read_memory() / write_memory()
  • save and restore state with save_snapshot() / restore_snapshot()

Callbacks

Example: print loaded modules.

import sogen

app = sogen.windows.create_application(
    "c:/test-sample.exe",
    emulation_root="./root",
)


def on_module_load(module):
    print(f"loaded {module.name} @ 0x{module.entry_point:x}")


app.callbacks.on_module_load = on_module_load
app.start()

Useful callback slots include:

  • app.callbacks.on_stdout
  • app.callbacks.on_syscall
  • app.callbacks.on_memory_violate
  • app.callbacks.on_module_load
  • app.callbacks.on_module_unload

API hooks

API hooks are registered through app.hooks.apis.

Use @sogen.windows.api_call(...) to describe calling convention and parameters. Top-level sogen.api_call(...) remains as compatibility alias.

Observe API call, then run original

import ctypes
import sogen

app = sogen.windows.create_application(
    "c:/test-sample.exe",
    emulation_root="./root",
)


@sogen.windows.api_call(cc=sogen.CallingConvention.stdcall, params=[ctypes.c_uint32])
def on_sleep(call, params):
    print(f"Sleep({params[0]})")


app.hooks.apis["Sleep"] = on_sleep
app.start()

Intercept API call and return custom value

import sogen

app = sogen.windows.create_application(
    "c:/hook-sample.exe",
    emulation_root="./root",
)


@sogen.windows.api_call(cc=sogen.CallingConvention.stdcall, params=[])
def on_get_current_process_id(call, params):
    call.return_value = 0xC0FFEE01
    return sogen.ApiContinuation.intercept


app.hooks.apis["GetCurrentProcessId"] = on_get_current_process_id
app.start()
print(app.process.exit_status)

Hook keys can be either:

  • bare API name, for example "Sleep"
  • qualified module form, for example "kernel32!Sleep"

Memory and state

The emulator exposes direct state access.

import sogen

emu = sogen.windows.create_empty(emulation_root="./root")
base = emu.memory.allocate_memory(0x1000, sogen.MemoryPermission.read_write)
emu.write_memory(base, b"ABCD")
print(emu.read_memory(base, 4))

state = emu.serialize_state()
emu.write_memory(base, b"WXYZ")
emu.deserialize_state(state)
print(emu.read_memory(base, 4))

For checkpoint-style workflows, use snapshots:

emu.save_snapshot()
# ... mutate state ...
emu.restore_snapshot()

Examples

Small runnable example:

  • examples/python/basic_usage.py

Example setup notes:

  • examples/python/README.md

Current limitations / expectations

  • bindings require an emulation root
  • samples in this repo assume Windows-style guest paths like c:/...
  • some workflows are easiest to validate against repo sample binaries such as test-sample.exe and hook-sample.exe
  • backend availability depends on platform and how Sogen was built

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for momo5502 from gravatar.com momo5502

Unverified details

These details have not been verified by PyPI
Meta
  • License: GNU General Public License v2 (GPLv2) (GPL-2.0-only)
  • Author: momo5502
  • Requires: Python >=3.9
Classifiers

Release history Release notifications | RSS feed

0.0.1.dev4189 pre-release

0.0.1.dev4169 pre-release

0.0.1.dev4155 pre-release

0.0.1.dev4150 pre-release

0.0.1.dev4143 pre-release

0.0.1.dev4137 pre-release

0.0.1.dev4132 pre-release

0.0.1.dev4126 pre-release

0.0.1.dev4122 pre-release

0.0.1.dev4120 pre-release

0.0.1.dev4112 pre-release

0.0.1.dev4109 pre-release

0.0.1.dev4107 pre-release

0.0.1.dev4104 pre-release

0.0.1.dev4101 pre-release

0.0.1.dev4099 pre-release

0.0.1.dev4085 pre-release

0.0.1.dev3996 pre-release

0.0.1.dev3976 pre-release

0.0.1.dev3973 pre-release

0.0.1.dev3968 pre-release

0.0.1.dev3928 pre-release

0.0.1.dev3926 pre-release

0.0.1.dev3924 pre-release

0.0.1.dev3919 pre-release

0.0.1.dev3917 pre-release

0.0.1.dev3911 pre-release

0.0.1.dev3905 pre-release

0.0.1.dev3880 pre-release

0.0.1.dev3878 pre-release

This version

0.0.1.dev3875 pre-release

0.0.1.dev3870 pre-release

0.0.1.dev3869 pre-release

0.0.1.dev3860 pre-release

0.0.1.dev3858 pre-release

0.0.1.dev3819 pre-release

0.0.1.dev3815 pre-release

0.0.1.dev3814 pre-release

0.0.1.dev3810 pre-release

0.0.1.dev3808 pre-release

0.0.1.dev3796 pre-release

0.0.1.dev3774 pre-release

0.0.1.dev3748 pre-release

0.0.1.dev3742 pre-release

0.0.1.dev3740 pre-release

0.0.1.dev3731 pre-release

0.0.1.dev3727 pre-release

0.0.1.dev3706 pre-release

0.0.1.dev3701 pre-release

0.0.1.dev3696 pre-release

0.0.1.dev3692 pre-release

0.0.1.dev3690 pre-release

0.0.1.dev3686 pre-release

0.0.1.dev3682 pre-release

0.0.1.dev3678 pre-release

0.0.1.dev3675 pre-release

0.0.1.dev3671 pre-release

0.0.1.dev3663 pre-release

0.0.1.dev3662 pre-release

0.0.1.dev3660 pre-release

0.0.1.dev3653 pre-release

0.0.1.dev3650 pre-release

0.0.1.dev3646 pre-release

0.0.1.dev3616 pre-release

0.0.1.dev3610 pre-release

0.0.1.dev3604 pre-release

0.0.1.dev3603 pre-release

0.0.1.dev3601 pre-release

0.0.1.dev3600 pre-release

0.0.1.dev3599 pre-release

0.0.1.dev3591 pre-release

0.0.1.dev3590 pre-release

0.0.1.dev3583 pre-release

0.0.1.dev3578 pre-release

0.0.1.dev3530 pre-release

0.0.1.dev3528 pre-release

0.0.1.dev3524 pre-release

0.0.1.dev3516 pre-release

0.0.1.dev3514 pre-release

0.0.1.dev3513 pre-release

0.0.1.dev3512 pre-release

0.0.1.dev3505 pre-release

0.0.1.dev3497 pre-release

0.0.1.dev3488 pre-release

0.0.1.dev3486 pre-release

0.0.1.dev3485 pre-release

0.0.1.dev3483 pre-release

0.0.1.dev3478 pre-release

0.0.1.dev3477 pre-release

0.0.1.dev3476 pre-release

0.0.1.dev3471 pre-release

0.0.1.dev3459 pre-release

0.0.1.dev3458 pre-release

0.0.1.dev3455 pre-release

0.0.1.dev3445 pre-release

0.0.1.dev3440 pre-release

0.0.1.dev3425 pre-release

0.0.1.dev3422 pre-release

0.0.1.dev3408 pre-release

0.0.1.dev3391 pre-release

0.0.1.dev1 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sogen-0.0.1.dev3875.tar.gz (41.3 MB view details)

Uploaded Source

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

sogen-0.0.1.dev3875-cp39-cp39-win_amd64.whl (4.8 MB view details)

Uploaded CPython 3.9Windows x86-64

sogen-0.0.1.dev3875-cp39-cp39-manylinux_2_39_x86_64.whl (8.5 MB view details)

Uploaded CPython 3.9manylinux: glibc 2.39+ x86-64

sogen-0.0.1.dev3875-cp39-cp39-macosx_15_0_x86_64.whl (6.7 MB view details)

Uploaded CPython 3.9macOS 15.0+ x86-64

sogen-0.0.1.dev3875-cp39-cp39-macosx_15_0_arm64.whl (5.8 MB view details)

Uploaded CPython 3.9macOS 15.0+ ARM64

File details

Details for the file sogen-0.0.1.dev3875.tar.gz.

File metadata

  • Download URL: sogen-0.0.1.dev3875.tar.gz
  • Upload date:
  • Size: 41.3 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for sogen-0.0.1.dev3875.tar.gz
Algorithm Hash digest
SHA256 d989e64203b35bfddfef3fdd2dde0fe880e615f2f93decae40bfad63e0035aea
MD5 9405c9722bf30fa9d61a0d250da1a412
BLAKE2b-256 2b29772e6f0be206cfe8ffb1aeff963f4ff4a100bd9ac2755e6f23ae51c9a9ad

See more details on using hashes here.

Provenance

The following attestation bundles were made for sogen-0.0.1.dev3875.tar.gz:

Publisher: build-push.yml on momo5502/sogen

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sogen-0.0.1.dev3875-cp39-cp39-win_amd64.whl.

File metadata

File hashes

Hashes for sogen-0.0.1.dev3875-cp39-cp39-win_amd64.whl
Algorithm Hash digest
SHA256 99c4cc62b4480f408ecb2ab7718db09a12392a6ee677ea3563d4cd813aac9e58
MD5 54bf1469d8684dd05543134e96bd0cb3
BLAKE2b-256 80d5e530646ffb2def0873406ef55710d11c7c478c8f614e86b5c50e5d39ab7c

See more details on using hashes here.

Provenance

The following attestation bundles were made for sogen-0.0.1.dev3875-cp39-cp39-win_amd64.whl:

Publisher: build-push.yml on momo5502/sogen

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sogen-0.0.1.dev3875-cp39-cp39-manylinux_2_39_x86_64.whl.

File metadata

File hashes

Hashes for sogen-0.0.1.dev3875-cp39-cp39-manylinux_2_39_x86_64.whl
Algorithm Hash digest
SHA256 5c2321f035239623cbe1f23de3eb8eb4ea82d15db5b5cdd1d50886759b2640a4
MD5 214b727140292db33634a0598b4765e6
BLAKE2b-256 037c1694bca58428abecaf51bf954c375f93625c0b398b97c87fd039d82fb10d

See more details on using hashes here.

Provenance

The following attestation bundles were made for sogen-0.0.1.dev3875-cp39-cp39-manylinux_2_39_x86_64.whl:

Publisher: build-push.yml on momo5502/sogen

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sogen-0.0.1.dev3875-cp39-cp39-macosx_15_0_x86_64.whl.

File metadata

File hashes

Hashes for sogen-0.0.1.dev3875-cp39-cp39-macosx_15_0_x86_64.whl
Algorithm Hash digest
SHA256 58e6bbde51b83d97f382f6e95d5a13b69ccb063cd74837d34b0a6615975cbce1
MD5 f4c7d26341f6ca5d5061c069d584b9a8
BLAKE2b-256 50c0ed193ee04a4621e3384c258dd8a9fe8f61a9096481d8d9dded067664bdc0

See more details on using hashes here.

Provenance

The following attestation bundles were made for sogen-0.0.1.dev3875-cp39-cp39-macosx_15_0_x86_64.whl:

Publisher: build-push.yml on momo5502/sogen

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sogen-0.0.1.dev3875-cp39-cp39-macosx_15_0_arm64.whl.

File metadata

File hashes

Hashes for sogen-0.0.1.dev3875-cp39-cp39-macosx_15_0_arm64.whl
Algorithm Hash digest
SHA256 6db8008cbd4d405a666a973ddad80506de06d16081561a75402a0cd4edd2259d
MD5 19ac3e5f21011bf20e6f77c0a92567de
BLAKE2b-256 5d0fcaf32f862917be7d74b1dc8ef34b17ed0d0cd50f8b813f5d8495bbe17937

See more details on using hashes here.

Provenance

The following attestation bundles were made for sogen-0.0.1.dev3875-cp39-cp39-macosx_15_0_arm64.whl:

Publisher: build-push.yml on momo5502/sogen

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page