Awesome Open Source
Awesome Open Source


Dr.Semu runs executables in an isolated environment, monitors the behavior of a process, and based on Dr.Semu rules created by you or the community, detects if the process is malicious or not.


[The tool is in the early development stage]

whoami: @_qaz_qaz

With Dr.Semu you can create rules to detect malware based on dynamic behavior of a process.

Isolation through redirection

Everything happens from the user-mode. Windows Projected File System (ProjFS) is used to provide a virtual file system. For Registry redirection, it clones all Registry hives to a new location and redirects all Registry accesses.

See the source code for more about other redirections (process/objects isolation, etc).


Dr.Semu uses DynamoRIO (Dynamic Instrumentation Tool Platform) to intercept a thread when it's about to cross the user-kernel line. It has the same effect as hooking SSDT but from the user-mode and without hooking anything.

At this phase, Dr.Semu produces a JSON file, which contains information from the interception.


After terminating the process, based on Dr.Semu rules we receive if the executable is detected as malware or not.

Dr.Semu Rules/Detections

Dr.Semu rules

They are written in Python or LUA (located under dr_rules) and use dynamic information from the interception and static information about the sample. It's trivial to add support of other languages.


Example (Python):

Example (Lua):


  • Use PowerShell to enable ProjFS in an elevated PowerShell window:

Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart

DrSemu.exe --target file_path

DrSemu.exe --target files_directory




  • Use PowerShell to enable ProjFS in an elevated PowerShell window:

Enable-WindowsOptionalFeature -Online -FeatureName Client-ProjFS -NoRestart


  • Install Python 3 x64

  • Download DynamoRIO and extract into bin folder and rename to dynamorio

  • Build pe-parser-library.lib library:

    • Generate VS project from DrSemu\shared_libs\pe_parse using cmake-gui
    • Build 32-bit library under build (\shared_libs\pe_parse\build\pe-parser-library\Release\) and 64-bit one under build64
    • Change run-time library option to Multi-threaded (/MT)
  • Set LauncherCLI As StartUp Project


  • Solve isolation related issues
  • Improve synchronization
  • Update the description, add more details
  • Create a GUI for the tool


  • Minimum supported Windows version: Windows 10, version 1809 (due to Windows Projected File System)
  • Maximum supported Windows version: Windows 10, version 1809 (DynamoRIO supports Windows 10 versions until 1809)

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
c-plus-plus (18,402
windows (1,433
reverse-engineering (472
malware-analysis (134
malware-research (61
binary-analysis (51
malware-detection (34