The Sogen emulator runs Windows executables through the analyzer.exe tool, which provides comprehensive control and monitoring capabilities during program execution.
Basic Usage
To run a Windows program in Sogen, use the following syntax:
analyzer.exe C:\path\to\program.exe
Running with Arguments
Pass command-line arguments to the target program:
analyzer.exe C:\myapp.exe arg1 arg2 "argument with spaces"
Command-Line Options
Emulation Configuration
The emulation root defines where Sogen looks for system files and creates the virtual filesystem:
analyzer.exe -e path/to/root myapp.exe
On non-Windows platforms, the emulation root is required.
Specify a custom registry directory (default: ./registry):
analyzer.exe -r ./custom-registry myapp.exe
Map Windows paths to host filesystem paths using -p or --path:
analyzer.exe -e path/to/root -p "c:/sample.exe" "/path/to/real/sample.exe" c:/sample.exe
This is useful for analyzing specific files without copying them into the emulation root.
Logging and Analysis Options
Verbosity Levels
# Silent mode - minimal output
analyzer.exe -s myapp.exe
# Verbose logging - detailed execution information
analyzer.exe -v myapp.exe
# Concise logging - reduced log volume
analyzer.exe -c myapp.exe
Module Tracking
Track specific modules during execution:
# Track single module
analyzer.exe -m kernel32.dll myapp.exe
# Track multiple modules
analyzer.exe -m kernel32.dll -m ntdll.dll myapp.exe
Advanced Analysis
# Log read/write access to executable memory sections
analyzer.exe -x myapp.exe
# Log read access to foreign module memory
analyzer.exe -f myapp.exe
# Buffer stdout for batch processing
analyzer.exe -b myapp.exe
# Print instruction summary for analyzed modules
analyzer.exe -is myapp.exe
# Skip regular syscall logging
analyzer.exe -ss myapp.exe
State Management
Creating Snapshots
Snapshots capture the complete emulator state and can be restored later:
- Run the program and interrupt it with CTRL+C
- When prompted, type y to create a snapshot
- The snapshot is saved for later use
Loading Snapshots
Restore a previously saved snapshot:
analyzer.exe -a path/to/snapshot.dump
Loading Minidumps
Analyze Windows minidump files:
analyzer.exe --minidump path/to/crash.dmp
Minidumps are loaded into the emulator without starting execution, allowing inspection of crash state.
Advanced Features
Tenet Tracer Integration
Enable execution tracing for Tenet (IDA Pro plugin):
analyzer.exe -t myapp.exe
This generates tenet_trace.log containing the execution trace.
Reproducible Execution
Stub clocks and randomness sources for deterministic execution:
analyzer.exe -rep myapp.exe
This is useful for analyzing anti-debugging techniques and for ensuring consistent behavior across runs.
Ignore Functions
Skip logging for specific functions:
analyzer.exe -i "NtQuerySystemInformation,NtQueryInformationProcess" myapp.exe
Complete Example
Here’s a comprehensive example combining multiple options:
analyzer.exe \
-e ./emulation-root \
-r ./registry \
-v \
-m malware.exe \
-x \
-f \
-p "c:/config.ini" "./configs/sample-config.ini" \
c:/malware.exe --server 192.168.1.1
This command:
- Sets the emulation root to ./emulation-root
- Uses the registry from ./registry
- Enables verbose logging
- Tracks the malware.exe module
- Logs executable memory access
- Logs foreign module access
- Maps a configuration file from the host system
- Runs the malware with a command-line argument
Exit Status
The analyzer exits with:
0 - Program terminated with STATUS_SUCCESS
1 - Program terminated with an error status or emulation failed
The final exit status is displayed in green (success) or red (failure).
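The following Python wrapper is an added example and is not part of Sogen or its documentation. It assembles an analyzer.exe command line from the options described on this page (emulation root, registry directory, verbosity, module tracking, -p path mappings, -i ignore lists, and the batch-oriented -b, -rep and -ss switches), runs one sample with a timeout, and turns the documented exit status (0 for STATUS_SUCCESS, 1 for an error status or emulation failure) into a label a batch job can act on. The flag ordering, the AnalyzerConfig field names, the ./samples and ./emulation-root directories and the assumption that analyzer.exe is on PATH are the wrapper's own choices, not something the page specifies.

```python
"""Batch wrapper around Sogen's analyzer.exe (added example, not Sogen's own code).

Builds the command line from the options documented on the page, runs a sample
with a timeout, and maps the documented exit status (0 = STATUS_SUCCESS,
1 = error status or emulation failure) to a label a batch loop can act on.
"""
import shlex
import subprocess
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional, Sequence


@dataclass
class AnalyzerConfig:
    analyzer: str = "analyzer.exe"           # assumed: analyzer binary is on PATH
    emulation_root: Optional[str] = None     # -e, required on non-Windows hosts
    registry_dir: Optional[str] = None       # -r, defaults to ./registry when omitted
    silent: bool = False                     # -s
    verbose: bool = False                    # -v
    concise: bool = False                    # -c
    buffer_stdout: bool = False              # -b, buffer stdout for batch processing
    reproducible: bool = False               # -rep, stub clocks and randomness
    skip_syscall_logging: bool = False       # -ss
    tenet_trace: bool = False                # -t, writes tenet_trace.log
    tracked_modules: List[str] = field(default_factory=list)     # -m, repeatable
    exec_memory_access: bool = False         # -x
    foreign_module_access: bool = False      # -f
    ignored_functions: List[str] = field(default_factory=list)   # -i, comma separated
    path_mappings: Dict[str, str] = field(default_factory=dict)  # -p guest host


def build_command(cfg: AnalyzerConfig, guest_exe: str,
                  program_args: Sequence[str] = ()) -> List[str]:
    """Return argv for one analyzer run. The flag order is this wrapper's choice."""
    cmd = [cfg.analyzer]
    if cfg.emulation_root:
        cmd += ["-e", cfg.emulation_root]
    if cfg.registry_dir:
        cmd += ["-r", cfg.registry_dir]
    for flag, enabled in (("-s", cfg.silent), ("-v", cfg.verbose), ("-c", cfg.concise),
                          ("-b", cfg.buffer_stdout), ("-rep", cfg.reproducible),
                          ("-ss", cfg.skip_syscall_logging), ("-t", cfg.tenet_trace)):
        if enabled:
            cmd.append(flag)
    for module in cfg.tracked_modules:
        cmd += ["-m", module]
    if cfg.exec_memory_access:
        cmd.append("-x")
    if cfg.foreign_module_access:
        cmd.append("-f")
    if cfg.ignored_functions:
        cmd += ["-i", ",".join(cfg.ignored_functions)]
    for guest_path, host_path in cfg.path_mappings.items():
        cmd += ["-p", guest_path, host_path]
    cmd.append(guest_exe)          # target program; everything after it is its own argv
    cmd.extend(program_args)
    return cmd


def classify_exit(returncode: int) -> str:
    """Map the analyzer's documented exit status to a label."""
    if returncode == 0:
        return "success"           # program terminated with STATUS_SUCCESS
    if returncode == 1:
        return "failure"           # error status or emulation failed
    return "unexpected"            # anything else, e.g. the analyzer itself was killed


def run_sample(cfg: AnalyzerConfig, guest_exe: str, program_args: Sequence[str] = (),
               timeout: float = 300.0) -> dict:
    """Run one sample. Never raises, so a batch loop can keep going after a bad run."""
    cmd = build_command(cfg, guest_exe, program_args)
    result = {"command": shlex.join(cmd), "returncode": None, "log": "", "status": ""}
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        result["status"] = "analyzer-not-found"
        return result
    except subprocess.TimeoutExpired:
        result["status"] = "timeout"
        return result
    result.update(returncode=proc.returncode, status=classify_exit(proc.returncode),
                  log=proc.stdout)
    return result


if __name__ == "__main__":
    # Assumed layout: samples under ./samples, emulation root under ./emulation-root.
    # Each sample is mapped to the same guest path so the run is identical per sample.
    cfg = AnalyzerConfig(emulation_root="./emulation-root", buffer_stdout=True,
                         reproducible=True, skip_syscall_logging=True)
    for host_path in sorted(Path("samples").glob("*.exe")):
        cfg.path_mappings = {"c:/sample.exe": str(host_path)}
        outcome = run_sample(cfg, "c:/sample.exe")
        print(f"{host_path.name}: {outcome['status']}  ({outcome['command']})")
```

Feeding the page's "Complete Example" settings into build_command reproduces that command line verbatim, which is a convenient check that a wrapper like this has not silently reordered the target program and its arguments: anything placed after the guest executable is passed to the emulated program, not to the analyzer.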