What is Dr.Semu?
Dr.Semu runs executables in an isolated environment, monitors the behavior of processes, and detects malicious activity based on customizable rules created by you or the community. The tool operates entirely in user mode, using Windows Projected File System (ProjFS) for filesystem virtualization and DynamoRIO for system call interception, which gives the same visibility as hooking the SSDT without actually hooking anything.
How it works
Dr.Semu analyzes malware through three key phases:
Isolation
Executables run in a sandboxed environment with redirected filesystem and registry access: Windows ProjFS provides a virtual filesystem, while registry hives are cloned and redirected so that the sample cannot make system-wide changes.
Monitoring
DynamoRIO intercepts threads at the user-kernel boundary, capturing system calls without kernel-mode hooks. All intercepted behavior is logged to a JSON file for analysis.
Key features
User-mode sandboxing
Complete isolation through filesystem and registry redirection without kernel drivers
System call interception
Monitor all user-kernel transitions using DynamoRIO’s dynamic instrumentation
Customizable rules
Write detection rules in Python or Lua based on dynamic and static analysis
JSON reports
Detailed behavioral reports for every monitored process
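As an added illustration of what a Python rule over a JSON behavior report can look like (example code, not Dr.Semu's own rule API or report schema: the event layout, the use of NT syscall names as event keys, and the `evaluate` helper are all assumptions, and both reports are constructed for this example), here is a rule that flags a process which writes a file and then registers that same path under a Run key:

```python
"""Added example: a behavioral detection rule over a constructed JSON report.

The report layout (a "process" object plus an ordered "events" list of
syscall records) is an assumption made for this illustration; it is not
Dr.Semu's actual report schema, and `evaluate` is not its rule API.
"""
import json

# Registry locations commonly used for autostart; matched as lowercase key suffixes.
RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Constructed sample: the process writes svc.exe, then points a Run value at it.
SUSPICIOUS_REPORT = json.dumps({
    "process": {"pid": 4242, "image": "sample.exe"},
    "events": [
        {"syscall": "NtCreateFile", "args": {"path": r"C:\Users\u\AppData\Roaming\svc.exe", "access": "GENERIC_WRITE"}},
        {"syscall": "NtWriteFile", "args": {"path": r"C:\Users\u\AppData\Roaming\svc.exe", "length": 8192}},
        {"syscall": "NtSetValueKey", "args": {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "svc", "data": r"C:\Users\u\AppData\Roaming\svc.exe"}},
    ],
})

# Constructed sample: writes a document and only reads an unrelated Run value; no hit expected.
BENIGN_REPORT = json.dumps({
    "process": {"pid": 4243, "image": "editor.exe"},
    "events": [
        {"syscall": "NtWriteFile", "args": {"path": r"C:\Users\u\Documents\notes.txt", "length": 120}},
        {"syscall": "NtQueryValueKey", "args": {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "OneDrive"}},
    ],
})


def parse_report(text):
    """Load a report and fail early if the assumed top-level fields are missing."""
    report = json.loads(text)
    if "events" not in report or not isinstance(report["events"], list):
        raise ValueError("report has no 'events' list")
    return report


def rule_run_key_points_at_dropped_file(report):
    """Flag a Run/RunOnce value whose data names a file this process wrote earlier.

    Event order matters: the write must precede the registry set, which is why
    the rule walks the list once instead of intersecting two sets.
    """
    written = set()
    hits = []
    for ev in report["events"]:
        args = ev.get("args", {})
        name = ev.get("syscall")
        if name == "NtWriteFile" and "path" in args:
            written.add(args["path"].lower())
        elif name == "NtSetValueKey":
            key = args.get("key", "").lower()
            data = str(args.get("data", "")).strip('"').lower()
            if key.endswith(RUN_KEY_SUFFIXES) and data in written:
                hits.append({"key": args.get("key"), "value": args.get("name"), "path": args.get("data")})
    return hits


def evaluate(report_text, rules):
    """Run every rule over one report; any hit makes the verdict 'malicious'."""
    report = parse_report(report_text)
    findings = {rule.__name__: rule(report) for rule in rules}
    verdict = "malicious" if any(findings.values()) else "clean"
    return {"image": report.get("process", {}).get("image"), "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for text in (SUSPICIOUS_REPORT, BENIGN_REPORT):
        print(json.dumps(evaluate(text, [rule_run_key_points_at_dropped_file]), indent=2))
```

The rule keys on the sequence of events rather than on any single syscall, which is the point of running a sample under a monitor like this: a file write and a registry set are each unremarkable alone, and the verdict comes from correlating them within one process.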
Dr.Semu is in early development. While functional, you may encounter isolation-related issues and synchronization challenges.
Get started
Installation
Set up Dr.Semu with required dependencies on Windows 10
Quick start
Run your first analysis in minutes
System requirements
- OS: Windows 10 version 1809 (both the minimum and the maximum supported version)
- Python: Python 3 x64
- DynamoRIO: Compatible release for Windows 10 1809
- Architecture: Supports both x86 and x64 executables