Dr.Semu monitors network operations to track network activity performed by the analyzed binary. Network operations can be optionally disabled during analysis.

Socket Operations

WSAStartup

Initializes the Windows Sockets API.
Parameters:
  • wVersionRequired (WORD): Highest version of Windows Sockets specification that the caller can use
  • lpWSAData (LPWSADATA): Pointer to WSADATA structure to receive details of the Windows Sockets implementation
Access Control: When internet is disabled in configuration, this call fails with WSASYSNOTREADY.

gethostbyname

Retrieves host information corresponding to a hostname.
Parameters:
  • name (const char*): Pointer to null-terminated hostname
Logged Information:
  • Hostname being resolved

URL Operations

URLDownloadToFileW

Downloads a file from the internet to a local file.
Parameters:
  • pCaller (LPUNKNOWN): Pointer to controlling IUnknown interface
  • szURL (LPCWSTR): URL to download from (cannot be NULL)
  • szFileName (LPCWSTR): Path to save the downloaded file
  • dwReserved (DWORD): Reserved, must be 0
  • lpfnCB (LPBINDSTATUSCALLBACK): Pointer to callback for progress notifications
Logged Information:
  • URL being accessed
  • Destination file path
Return Values:
  • INET_E_DOWNLOAD_FAILURE if URL is NULL or invalid

URLDownloadToCacheFileW

Downloads a file from the internet to the cache.
Parameters:
  • pCaller (LPUNKNOWN): Pointer to controlling IUnknown interface
  • szURL (LPCWSTR): URL to download from (cannot be NULL)
  • szFileName (LPWSTR): Buffer to receive the path to cached file
  • cchFileName (DWORD): Size of the file name buffer in characters
  • dwReserved (DWORD): Reserved, must be 0
  • lpfnCB (LPBINDSTATUSCALLBACK): Pointer to callback for progress notifications
Logged Information:
  • URL being accessed
Return Values:
  • INET_E_DOWNLOAD_FAILURE if URL is NULL or invalid

Internet Operations

InternetOpenUrlW

Opens a resource specified by a URL (Unicode version).
Parameters:
  • hInternet (HINTERNET): Handle returned by InternetOpen
  • lpszUrl (LPCWSTR): URL to open
  • lpszHeaders (LPCWSTR): Additional headers to send
  • dwHeadersLength (DWORD): Length of additional headers
  • dwFlags (DWORD): Flags controlling the operation
  • dwContext (DWORD_PTR): Application-defined context value
Logged Information:
  • URL being accessed

InternetOpenUrlA

Opens a resource specified by a URL (ANSI version).
Parameters:
  • hInternet (HINTERNET): Handle returned by InternetOpen
  • lpszUrl (LPCSTR): URL to open
  • lpszHeaders (LPCSTR): Additional headers to send
  • dwHeadersLength (DWORD): Length of additional headers
  • dwFlags (DWORD): Flags controlling the operation
  • dwContext (DWORD_PTR): Application-defined context value
Logged Information:
  • URL being accessed

Configuration

Network operations can be disabled by setting the disable_internet configuration flag. When the flag is set:
  • WSAStartup returns WSASYSNOTREADY
  • Other network operations are still monitored but may be blocked
This allows analysis of malware behavior when network connectivity is unavailable.
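
The sketch below is an added example, not code from Dr.Semu: it collapses the fields this page lists as logged (hostname, URL, destination path) into a short indicator summary and records whether the sample ran with the network disabled. The record layout, SAMPLE_EVENTS, URL_ARG, url_host and summarize are assumptions made for the example; only the API and argument names and the two return codes come from the Windows API.

```python
from urllib.parse import urlsplit

WSASYSNOTREADY = 10091                # Winsock error code
INET_E_DOWNLOAD_FAILURE = 0x800C0008  # urlmon HRESULT

# Which logged argument carries the URL for each monitored call (names from the tables above).
URL_ARG = {"URLDownloadToFileW": "szURL", "URLDownloadToCacheFileW": "szURL",
           "InternetOpenUrlW": "lpszUrl", "InternetOpenUrlA": "lpszUrl"}

# Constructed sample records. The dict layout ("api", "ret", argument names as keys)
# is an assumption for this example, not Dr.Semu's actual report format.
SAMPLE_EVENTS = [
    {"api": "WSAStartup", "ret": WSASYSNOTREADY},
    {"api": "gethostbyname", "name": "Updates.example.test"},
    {"api": "URLDownloadToFileW", "szURL": "http://cdn.example.test/a.bin",
     "szFileName": r"C:\Users\Public\a.bin", "ret": 0},
    {"api": "URLDownloadToCacheFileW", "szURL": None, "ret": INET_E_DOWNLOAD_FAILURE},
    {"api": "InternetOpenUrlA", "lpszUrl": "https://cdn.example.test/stage2"},
]

def url_host(url):
    try:
        return urlsplit(url).hostname  # lower-cased host, or None if absent
    except ValueError:
        return None                    # malformed URL: keep the raw string only

def summarize(events):
    """Collapse monitored network calls into indicators an analyst can review."""
    out = {"internet_disabled": False, "hosts": set(), "urls": [], "drops": [], "failed_downloads": 0}
    for ev in events:
        api = ev.get("api")
        if api == "WSAStartup" and ev.get("ret") == WSASYSNOTREADY:
            out["internet_disabled"] = True
        elif api == "gethostbyname" and ev.get("name"):
            out["hosts"].add(ev["name"].lower())
        elif api in URL_ARG:
            if ev.get("ret") == INET_E_DOWNLOAD_FAILURE:
                out["failed_downloads"] += 1
            url = ev.get(URL_ARG[api])
            if not url:
                continue  # NULL URL: nothing to extract
            out["urls"].append(url)
            host = url_host(url)
            if host:
                out["hosts"].add(host)
            if api == "URLDownloadToFileW" and ev.get("szFileName"):
                out["drops"].append((url, ev["szFileName"]))
    out["hosts"] = sorted(out["hosts"])
    return out
```

When internet_disabled is true, a short URL list should be read with care: a sample that stops after a failed WSAStartup may simply never have reached its download stage.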
