What is Sogen?

Sogen is a high-performance Windows user space emulator that operates at syscall level, providing full control over process execution through comprehensive hooking capabilities. Perfect for security research, malware analysis, and DRM research where fine-grained control over process execution is required. Built in C++ and powered by the Unicorn Engine or the icicle-emu.
Caution is advised when analyzing malware in Sogen, as host isolation might not be perfect. To mitigate potential risk, use the web version to benefit from the additional safety provided by your browser’s sandbox.

Key Features

Syscall-Level Emulation

Instead of reimplementing Windows APIs, the emulator operates at the syscall level, allowing it to leverage existing system DLLs

Advanced Memory Management

Supports Windows-specific memory states, including reserved and committed regions, built on top of Unicorn's memory management

Complete PE Loading

Handles executable and DLL loading with proper memory mapping, relocations, and TLS

Exception Handling

Implements Windows structured exception handling (SEH) with proper exception dispatcher and unwinding support

Threading Support

Provides a scheduled (round-robin) threading model

State Management

Supports full state serialization for saving and restoring emulator state

Debugging Interface

Implements GDB serial protocol for integration with common debugging tools (IDA Pro, GDB, LLDB, VS Code, …)

Cross-Platform

Runs on Windows, Linux, macOS, iOS, Android, and even in browsers via WebAssembly

Use Cases

Security Research

Sogen provides researchers with complete control over program execution, enabling:
  • Deep inspection of malware behavior
  • API call monitoring and manipulation
  • Memory access tracking
  • Exception and crash analysis

DRM Analysis

The syscall-level emulation allows researchers to:
  • Analyze protection mechanisms
  • Monitor licensing checks
  • Study anti-debugging techniques
  • Trace cryptographic operations

Reverse Engineering

Integrated debugging support enables:
  • Step-by-step execution analysis
  • GDB protocol compatibility with IDA Pro, VS Code, and other tools
  • Instruction-level tracing
  • Register and memory inspection

Architecture

Sogen’s architecture is designed around syscall interception:
Windows Application
        |
        v
    Win32 API (DLLs)
        |
        v
    Syscall Layer  <-- Sogen intercepts here
        |
        v
  Emulated Kernel
        |
        v
   Unicorn/Icicle Engine
By operating at the syscall level, Sogen can use real Windows DLLs (like ntdll.dll, kernel32.dll, etc.) while maintaining complete control over kernel-level operations.

Quick Example

Here’s how simple it is to emulate a Windows program:
analyzer.exe C:\path\to\program.exe
With advanced options:
# Enable verbose logging
analyzer.exe -v C:\program.exe

# Launch with GDB debugging
analyzer.exe -d --port 28960 C:\program.exe

# Track specific modules
analyzer.exe -m user32.dll -x C:\program.exe
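The `-d --port 28960` option exposes the GDB serial protocol mentioned under Debugging Interface. As an added example (not code from the Sogen project), here is a minimal Python client that frames commands the way that protocol requires, verifies reply checksums, and acks each reply; the host and port are assumed to match the command above, and the register layout in a `g` reply is architecture-specific, so it is returned as raw hex.

```python
import socket

HOST, PORT = "127.0.0.1", 28960  # assumed; matches the "-d --port 28960" example

def gdb_checksum(payload: bytes) -> int:
    return sum(payload) & 0xFF  # GDB remote protocol: byte sum modulo 256

def encode_packet(command: str) -> bytes:
    """Frame as $<data>#<hex checksum>; '#', '$', '}' escape as '}' + (b ^ 0x20)."""
    data = bytearray()
    for b in command.encode():
        data += bytes([0x7D, b ^ 0x20]) if b in b"#$}" else bytes([b])
    return b"$" + bytes(data) + b"#" + b"%02x" % gdb_checksum(data)

def decode_packet(frame: bytes) -> str:
    """Strip framing (and a leading '+' ack), verify checksum, undo escaping."""
    start, end = frame.find(b"$"), frame.rfind(b"#")
    if start < 0 or end < start or len(frame) < end + 3:
        raise ValueError("not a complete GDB packet")
    data = frame[start + 1:end]
    if gdb_checksum(data) != int(frame[end + 1:end + 3], 16):
        raise ValueError("checksum mismatch")
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0x7D:  # escape marker: next byte was XORed with 0x20
            out.append(data[i + 1] ^ 0x20)
            i += 2
        else:
            out.append(data[i])
            i += 1
    return out.decode()

def query_stub(commands, host=HOST, port=PORT):
    """Send each command, read the framed reply, ack it with '+', and return
    the decoded replies. 'g' register hex is architecture-specific; returned raw."""
    replies = []
    with socket.create_connection((host, port), timeout=5) as s:
        for cmd in commands:
            s.sendall(encode_packet(cmd))
            buf = b""
            while b"#" not in buf or len(buf) < buf.rfind(b"#") + 3:
                chunk = s.recv(4096)
                if not chunk:
                    raise ConnectionError("stub closed the connection")
                buf += chunk
            if buf.startswith(b"-"):
                raise ValueError("stub rejected the packet (NAK)")
            replies.append(decode_packet(buf))
            s.sendall(b"+")
    return replies
```

With the emulator running under `-d --port 28960`, `query_stub(["?", "g"])` returns the stop reason followed by the raw register dump.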

Getting Started

Quick Start

Get up and running in minutes with your first emulated program

Installation

Detailed installation instructions for Windows, Linux, and macOS

Platform Support

Sogen has been tested and works on:
  • Windows: x86, x86_64 (native and MinGW)
  • Linux: x86_64 (GCC and Clang)
  • macOS: arm64 (Apple Silicon), x86_64 (Intel)
  • Mobile: iOS arm64, Android (x86_64, arm64-v8a)
  • Web: WebAssembly (with and without Memory64)

License

Sogen is licensed under the GPL-2.0 License.