
Basic usage

Dr.Semu analyzes executables by running them in an isolated environment and monitoring their behavior.
Ensure you have completed the installation steps before proceeding.

Analyze a single file

To analyze a suspicious executable:
DrSemu.exe --target C:\path\to\suspicious.exe
Dr.Semu will:
  1. Launch the executable in an isolated environment
  2. Monitor all system calls and behavior
  3. Generate a JSON report with behavioral data
  4. Run detection rules to determine if the file is malicious
  5. Display the verdict

Analyze multiple files

You can also analyze an entire directory of executables:
DrSemu.exe --target C:\path\to\samples\
Dr.Semu will process each .exe file in the directory sequentially.

Command-line options

DrSemu.exe --target <file_or_directory> [--cmd_line "<args>"] [--time_limit <seconds>]

Available options

From the source code in LauncherCLI/LauncherCLI.cpp:
  • --target or -t: Path to executable or directory containing executables (required)
  • --cmd_line or -c: Command-line arguments to pass to the target executable
  • --time_limit or -l: Time limit in seconds for the target process (default: 120 seconds)

Understanding the output

During analysis

While Dr.Semu analyzes the executable, you’ll see:
[VM_1] Connecting to virtual FS/REG...
[VM_1] Connected to virtual FS/REG!
[VM_1] virtual FS/REG: SUCCESS
[VM_1] Fake Explorer is under Dr.Semu. PID: 1234
[VM_1] Starter PID: 5678
[VM_1] Running processes:
    PID: 5678

1. Virtual environment setup

Dr.Semu creates an isolated filesystem (a ProjFS virtualization root) and a cloned copy of the registry, so the sample's file and registry writes are redirected and never reach the host.

2. Process monitoring

The tool tracks every process the sample spawns, including child processes; the resulting parent-child hierarchy is recorded in the report.

3. Behavioral logging

System calls made by the monitored processes are intercepted and logged via DynamoRIO instrumentation.

4. Detection scanning

After the process terminates (or the time limit expires), detection rules analyze the logged behavior.

Analysis reports

Dr.Semu generates JSON reports in a temporary directory. Each report includes:
  • Intercepted system calls: Filesystem, registry, process, and network operations
  • Static file information: Hash, architecture, and PE metadata
  • Process hierarchy: Parent-child relationships and PIDs
Example report structure from DrSemu.cpp:
{
  "image_path": "C:\\samples\\malware.exe",
  "starter_pid": 5678,
  "explorer_pid": 1234,
  "sha_256": "abc123..."
}

Final verdict

After analysis completes, Dr.Semu displays:
[VM_1] Reports: C:\path\to\reports\random_id
[VM_1] Scanning...
Verdict: [Detection Result]
The verdict is determined by your detection rules in the dr_rules directory.

Example workflow

1. Prepare sample

Place your suspicious executable in a test directory:
C:\samples\suspicious.exe

2. Run analysis

Execute Dr.Semu with appropriate options:
DrSemu.exe --target C:\samples\suspicious.exe --time_limit 60

3. Monitor execution

Watch the console output as Dr.Semu:
  • Sets up the virtual environment
  • Launches the process under DynamoRIO
  • Tracks all spawned processes

4. Review results

After the process terminates (or hits the time limit):
  • Check the verdict displayed in the console
  • Review JSON reports for detailed behavioral analysis
  • Examine which detection rules triggered

How Dr.Semu works internally

Isolation mechanism

From the source code, Dr.Semu isolates malware through:
  1. Filesystem redirection: ProjFS creates a virtual filesystem at %TEMP%\dr_semu_{vm_index}
  2. Registry redirection: Clones all Registry hives to a new location and redirects accesses
  3. Process isolation: Tracks and isolates child processes
  4. Object isolation: Separates mutexes, events, and other kernel objects

System call monitoring

Dr.Semu uses DynamoRIO to intercept native system calls, and also intercepts selected Win32 API functions where the interesting behavior is not visible at the syscall layer (the network entries below are Winsock and urlmon calls, not Nt* syscalls):
  • Filesystem: NtCreateFile, NtWriteFile, NtDeleteFile
  • Registry: NtOpenKey, NtSetValueKey, NtDeleteKey
  • Process: NtCreateUserProcess, NtWriteVirtualMemory, NtProtectVirtualMemory
  • Network (Win32 API): WSAStartup, gethostbyname, URLDownloadToFileW
  • Objects: NtCreateMutant, NtCreateEvent, NtWaitForSingleObject
The Nt* interception happens in user mode at the user-kernel boundary, before the system call executes, so Dr.Semu can observe and modify arguments and results without kernel hooks. Because it is user-mode instrumentation, it only sees what the instrumented processes do, and malware that detects DynamoRIO or the sandbox may change its behavior (see Troubleshooting).

Advanced usage

Passing arguments to malware

Some malware requires command-line arguments:
DrSemu.exe --target sample.exe --cmd_line "/install /silent"

Adjusting time limits

For malware with delayed execution:
DrSemu.exe --target sample.exe --time_limit 300
The default time limit is 120 seconds. After this time, Dr.Semu forcefully terminates the process.

Batch analysis

Analyze multiple samples efficiently:
DrSemu.exe --target C:\malware_samples\
Each executable runs in its own virtual machine instance with isolated reports.
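The following wrapper is an added example for this page, not code from Dr.Semu or its documentation. It drives DrSemu.exe with the documented --target, --cmd_line and --time_limit options, parses the two console lines shown above ("[VM_n] Reports: <dir>" and "Verdict: <text>"), and summarizes the documented report fields (image_path, starter_pid, explorer_pid, sha_256). It assumes DrSemu.exe is on PATH (or is passed via exe=) and that each report directory contains .json files with at least those fields; the console output and report it ships with are constructed to mirror the documented messages, so the parsing functions can be exercised offline.

```python
"""Batch wrapper around DrSemu.exe.

Added example for this page, not part of Dr.Semu. Assumptions: DrSemu.exe is on
PATH (or passed via exe=); the console prints '[VM_n] Reports: <dir>' and
'Verdict: <text>' as documented; each report directory holds .json files with
at least image_path, starter_pid, explorer_pid and sha_256.
"""
import json
import re
import subprocess
from pathlib import Path

# The two console lines the documentation shows once a run finishes.
REPORTS_RE = re.compile(r"^\[VM_(\d+)\] Reports: (.+?)\s*$", re.MULTILINE)
VERDICT_RE = re.compile(r"^Verdict: (.+?)\s*$", re.MULTILINE)
REQUIRED_FIELDS = ("image_path", "starter_pid", "explorer_pid", "sha_256")


def build_command(target, cmd_line=None, time_limit=None, exe="DrSemu.exe"):
    """Assemble argv from the documented --target/--cmd_line/--time_limit options."""
    argv = [exe, "--target", str(target)]
    if cmd_line:
        argv += ["--cmd_line", cmd_line]
    if time_limit is not None:
        if time_limit <= 0:
            raise ValueError("time_limit must be a positive number of seconds")
        argv += ["--time_limit", str(time_limit)]
    return argv


def parse_console(output):
    """Return {'reports': {vm_index: reports_dir}, 'verdict': str | None}.

    verdict is None when Dr.Semu never printed one (crash, kill, sandbox
    detection); callers must treat that as 'no result', never as 'clean'.
    """
    reports = {int(vm): path for vm, path in REPORTS_RE.findall(output)}
    match = VERDICT_RE.search(output)
    return {"reports": reports, "verdict": match.group(1) if match else None}


def summarize_report(report):
    """Extract the documented fields and sanity-check the hash."""
    missing = [k for k in REQUIRED_FIELDS if k not in report]
    if missing:
        raise ValueError(f"report missing fields: {missing}")
    sha = str(report["sha_256"]).lower()
    # A SHA-256 is exactly 64 hex digits; placeholders or truncated values are flagged.
    sha_ok = len(sha) == 64 and all(c in "0123456789abcdef" for c in sha)
    return {
        "image_path": report["image_path"],
        "sha_256": sha,
        "sha_256_wellformed": sha_ok,
        "explorer_pid": int(report["explorer_pid"]),
        "starter_pid": int(report["starter_pid"]),
    }


def load_reports(reports_dir):
    """Summarize every *.json report in one run's report directory."""
    return [summarize_report(json.loads(p.read_text(encoding="utf-8")))
            for p in sorted(Path(reports_dir).glob("*.json"))]


def analyze(target, cmd_line=None, time_limit=None, exe="DrSemu.exe"):
    """Run Dr.Semu on one sample (Windows only) and collect verdict and reports."""
    proc = subprocess.run(build_command(target, cmd_line, time_limit, exe),
                          capture_output=True, text=True)
    result = parse_console(proc.stdout)
    result["reports"] = {vm: load_reports(d) for vm, d in result["reports"].items()}
    result["returncode"] = proc.returncode
    return result


def analyze_directory(samples_dir, time_limit=120, exe="DrSemu.exe"):
    """Run each .exe separately so every verdict is attributable to one sample."""
    return {str(p): analyze(p, time_limit=time_limit, exe=exe)
            for p in sorted(Path(samples_dir).glob("*.exe"))}


# Constructed console output and report, mirroring the documented messages.
SAMPLE_OUTPUT = (
    "[VM_1] Connecting to virtual FS/REG...\n"
    "[VM_1] Connected to virtual FS/REG!\n"
    "[VM_1] Reports: C:\\Temp\\reports\\a1b2c3\n"
    "[VM_1] Scanning...\n"
    "Verdict: Malicious\n"
)
SAMPLE_REPORT = {"image_path": "C:\\samples\\malware.exe", "starter_pid": 5678,
                 "explorer_pid": 1234, "sha_256": "abc123..."}

if __name__ == "__main__":
    print(parse_console(SAMPLE_OUTPUT))
    print(summarize_report(SAMPLE_REPORT))
```

Invoking Dr.Semu once per sample, rather than handing it the whole directory, keeps each verdict and report directory unambiguously tied to one file. A missing "Verdict:" line is reported as None so that a sample that crashed, was killed at the time limit, or exited early after detecting the sandbox is not silently counted as clean.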

Troubleshooting

If Dr.Semu fails to start, verify that ProjFS is enabled and you have administrator privileges.

Common issues

Virtual FS/REG connection fails
Ensure ProjFS is enabled (run from an elevated PowerShell):
Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart

DynamoRIO not found
Verify the dynamorio directory exists in your Dr.Semu folder with the correct structure:
dynamorio/
├── bin32/drrun.exe
└── bin64/drrun.exe

Process terminates immediately
Some malware detects sandboxes and exits early. Check the JSON reports for the operations performed just before exit; registry, file and process lookups immediately before termination often indicate an anti-analysis check.

Next steps

Detection rules

Write custom rules to detect specific malware families

Source code

Explore the Dr.Semu implementation on GitHub
