sogen

sogen runs Windows and Linux programs without the operating system underneath them. It emulates the CPU and fakes the system calls, loading the real system DLLs so a binary behaves like it is on a real machine. For reverse engineers and malware analysts, that means stepping through a sketchy executable, hooking any instruction, inspecting memory, and snapshotting the entire machine state, all without booting a VM or risking your host. It is open source under GPL-2.0, and there is a browser demo at sogen.dev if you want to try it before installing anything.

Running it yourself is reasonable for a tool this deep. It ships Python bindings on pip and several emulation backends (Unicorn, icicle, Hyper-V, KVM), so you trade speed against fidelity depending on what you pick. The usual emulator catch applies: not every Windows API or odd syscall is implemented, so sophisticated malware that probes for an emulated environment or hits an unsupported call can break or detect it. Expect to file the occasional issue and work around gaps.

Solo researchers and small security teams: this is a useful free addition to your kit, especially for deterministic, scriptable analysis you cannot get out of a normal sandbox. Larger teams doing heavy malware work will want it alongside commercial dynamic-analysis suites, not instead of them, since those bring broader API coverage and a support contract.

The catch is that it is a one-person project. Polished and actively developed, but one maintainer. Before you build analysis workflows on top of it, know that the bus factor is one.