Dr.Semu monitors kernel object operations to track synchronization primitives and named objects. Object names are virtualized to isolate different analysis sessions.

Mutex Operations

NtCreateMutant

Creates a mutex object.
| Parameter | Type | Description |
|---|---|---|
| MutantHandle | PHANDLE | Receives a handle to the mutex |
| DesiredAccess | ACCESS_MASK | Desired access rights |
| ObjectAttributes | POBJECT_ATTRIBUTES | Object attributes including name |
| InitialOwner | BOOLEAN | Whether the calling thread should own the mutex |
Logged Information:
  • Mutex name
  • Operation success status
Special Handling:
  • Object names are virtualized to prevent conflicts between analysis sessions
  • If mutex already exists with original name (system mutex), passes through unchanged
  • Otherwise, name is redirected to virtualized namespace

NtOpenMutant

Opens an existing mutex object.
| Parameter | Type | Description |
|---|---|---|
| MutantHandle | PHANDLE | Receives a handle to the mutex |
| DesiredAccess | ACCESS_MASK | Desired access rights |
| ObjectAttributes | POBJECT_ATTRIBUTES | Object attributes identifying the mutex |
Logged Information:
  • Mutex name
  • Operation success status
Special Handling:
  • Checks if mutex exists with original name first
  • If not found, redirects to virtualized name

Semaphore Operations

NtCreateSemaphore

Creates a semaphore object.
| Parameter | Type | Description |
|---|---|---|
| SemaphoreHandle | PHANDLE | Receives a handle to the semaphore |
| DesiredAccess | ACCESS_MASK | Desired access rights |
| ObjectAttributes | POBJECT_ATTRIBUTES | Object attributes including name |
| InitialCount | LONG | Initial count for the semaphore |
| MaximumCount | LONG | Maximum count for the semaphore |
Logged Information:
  • Semaphore name
  • Operation success status
Special Handling:
  • Object names are virtualized
  • System semaphores (already existing) pass through unchanged

NtOpenSemaphore

Opens an existing semaphore object.
| Parameter | Type | Description |
|---|---|---|
| SemaphoreHandle | PHANDLE | Receives a handle to the semaphore |
| DesiredAccess | ACCESS_MASK | Desired access rights |
| ObjectAttributes | POBJECT_ATTRIBUTES | Object attributes identifying the semaphore |
Logged Information:
  • Semaphore name
  • Operation success status

Event Operations

NtCreateEvent

Creates an event object.
| Parameter | Type | Description |
|---|---|---|
| EventHandle | PHANDLE | Receives a handle to the event |
| DesiredAccess | ACCESS_MASK | Desired access rights |
| ObjectAttributes | POBJECT_ATTRIBUTES | Object attributes including name |
| EventType | EVENT_TYPE | Type of event (NotificationEvent or SynchronizationEvent) |
| InitialState | BOOLEAN | Initial state of the event (signaled or not) |
Logged Information:
  • Event name
  • Operation success status
Special Handling:
  • Object names are virtualized
  • System events (already existing) pass through unchanged

NtOpenEvent

Opens an existing event object.
| Parameter | Type | Description |
|---|---|---|
| EventHandle | PHANDLE | Receives a handle to the event |
| DesiredAccess | ACCESS_MASK | Desired access rights |
| ObjectAttributes | POBJECT_ATTRIBUTES | Object attributes identifying the event |
Logged Information:
  • Event name
  • Operation success status

Mailslot Operations

NtCreateMailslotFile

Creates a mailslot.
| Parameter | Type | Description |
|---|---|---|
| FileHandle | PHANDLE | Receives a handle to the mailslot |
| DesiredAccess | ULONG | Desired access rights |
| ObjectAttributes | POBJECT_ATTRIBUTES | Object attributes including mailslot name |
| IoStatusBlock | PIO_STATUS_BLOCK | Receives I/O status information |
| CreateOptions | ULONG | Options for creating the mailslot |
| MailslotQuota | ULONG | Memory quota, in bytes, reserved for buffered messages |
| MaximumMessageSize | ULONG | Maximum size of a single message |
| ReadTimeout | PLARGE_INTEGER | Read timeout for the mailslot |
Logged Information:
  • Mailslot name
  • Operation success status
Special Handling:
  • Object names are virtualized

Wait Operations

NtWaitForSingleObject

Waits for an object to enter the signaled state.
| Parameter | Type | Description |
|---|---|---|
| Handle | HANDLE | Handle to the object to wait on |
| Alertable | BOOLEAN | Whether the wait is alertable |
| Timeout | PLARGE_INTEGER | Optional timeout value |
Note: Currently passes through without modification.

Object Queries

NtQueryObject

Retrieves information about an object.
| Parameter | Type | Description |
|---|---|---|
| Handle | HANDLE | Handle to the object |
| ObjectInformationClass | OBJECT_INFORMATION_CLASS | Type of information to retrieve |
| ObjectInformation | PVOID | Buffer to receive the information |
| ObjectInformationLength | ULONG | Size of the buffer |
| ReturnLength | PULONG | Receives the size of data returned |
Special Handling:
  • For ObjectNameInformation on file handles, virtual filesystem paths are converted back to original paths
  • Ensures analyzed binaries see expected file paths

Object Virtualization

All named kernel objects (mutexes, semaphores, events, mailslots) are virtualized by Dr.Semu:
  1. Name Redirection: Object names are prefixed with a session-specific identifier
  2. System Object Preservation: Objects that already exist with the original name (system objects) are not redirected
  3. Session Isolation: Different analysis sessions can create objects with the same names without conflicts
This allows multiple instances of Dr.Semu to run simultaneously without interference while preserving interaction with genuine system objects.
