emulator

A high-performance Windows process emulator that operates at syscall level, providing full control over process execution through comprehensive hooking capabilities.

Built in C++ and powered by the Unicorn Engine.

• Syscall-Level Emulation
  • Instead of reimplementing Windows APIs, the emulator operates at the syscall level, allowing it to leverage existing system DLLs
• Advanced Memory Management
  • Supports Windows-specific memory types including reserved, committed, built on top of Unicorn's memory management
• ? Complete PE Loading
  • Handles executable and DLL loading with proper memory mapping, relocations, and TLS
• ⚡ Exception Handling
  • Implements Windows structured exception handling (SEH) with proper exception dispatcher and unwinding support
• ? Threading Support
  • Provides a scheduled (round-robin) threading model
• ? State Management
  • Supports both full state serialization and fast in-memory snapshots
• Debugging Interface
  • Implements GDB serial protocol for integration with common debugging tools (IDA Pro, GDB, LLDB, VS Code, ...)

Perfect for security research, malware analysis, and DRM research where fine-grained control over process execution is required.

Click here for the slides.

• Windows 64-bit (see Issue 17 for cross-platform status)
• CMake
• Git

Clone the repository with submodules:

git clone https://github.com/momo5502/emulator.git
cd emulator
git submodule update --init --recursive

Run the following commands in an x64 Development Command Prompt

cmake --preset=vs2022

Solution will be generated at build/vs2022/emulator.sln

Debug build:

cmake --workflow --preset=debug

Release build:

cmake --workflow --preset=release

The project uses CTest for testing. Choose your preferred method:

Visual Studio:

• Build the RUN_TESTS target

Ninja:

cd build/release  # or build/debug
ctest