Contained Execution
Launch a Windows executable inside a contained runtime that mirrors the host. All writes are redirected into a sandbox image.
Run Windows applications inside a believable, contained environment with forensic-grade observability — file and registry I/O, process lifecycle, network attempts, and memory snapshots — while keeping the host safe. Designed for native-like execution that’s indistinguishable from the host with near‑lossless performance.
Kernova provides the sweet spot between authenticity and control: a sandbox that preserves a program’s normal view of a Windows host while giving the analyst full visibility, containment, and replayability.
Kernova will be implemented primarily in C for predictable performance, small binaries and direct control over OS interfaces. Select components will use assembly where low-level hooks, syscall stubs or highly tuned hot paths are warranted.
Core runtime (C): launcher/controller, environment mirror, event bus, and artifact management built in C for portability and tight control.
Instrumentation (C): file/registry/process/network instrumentation using well-defined OS APIs, minimizing footprint and preserving timing.
Targeted assembly: minimal, localized routines for syscall shims, context capture, and fast-path probes where C isn’t granular enough.
Interop boundaries: clean interfaces between C modules and any assembly stubs to maintain readability and testability.
Prefer a straightforward build toolchain with clear targets for the launcher, instrumentation libraries, and optional helpers. Keep code isolated behind feature flags and clear abstraction layers.
Kernova is a stealthy, high-fidelity sandbox for Windows apps. It mirrors a realistic host environment so targets behave authentically — often indistinguishable from running on the host — while side effects are routed into an isolated image with deep, structured telemetry and near‑lossless performance.
Kernova offers realistic environment fidelity to reduce sandbox detection, granular observability across file, registry, process, network, and memory, strong containment so writes never touch the real host, and repeatable runs with replay and diffing across configurations.
Lightweight sandboxes can change behaviour or get detected; full VMs are heavy and difficult to instrument. Kernova aims for the middle ground: believable fidelity + deep observability + strong containment for safe, insightful analysis.
Launch a Windows executable inside a contained runtime that mirrors the host. All writes are redirected into a sandbox image.
Log file/registry I/O, process/thread lifecycle, module loads, and network attempts to a structured, timestamped event store.
Capture memory states at start, periodic intervals, end, or on-demand. Link snapshots into the event timeline for forensics.
Allow, block, or proxy outbound connections. Provide synthetic or recorded responses to coax behaviour without Internet access.
Re-run targets under saved environments and diff timelines to highlight behavioural changes across configurations.
Drag-and-drop launching, live timeline, filters, and quick export/reporting to keep analysis fast and repeatable.
Targets see a believable host — execution feels native and near‑lossless, increasing the chance of normal behaviour.
Detailed event timelines and memory captures enable precise, forensic analysis.
Side effects are contained; network paths are explicitly governed by rules.
Orchestrates runs: configuration, environment snapshot, launch, monitoring, and shutdown. Stores run metadata and annotations.
Presents a localized view of filesystem, registry, and visible services. Redirects writes into the sandbox image.
Collects file, process, module, and network events as structured records with timestamps and context.
Captures process memory at configured points; snapshots are catalogued and linked to the timeline.
Controls outbound connections: allow, block, or proxy. Supports canned responses to simulate services.
Replays event sequences or re-runs under saved environments to compute diffs between runs.
Live timeline with filters, snapshot browser, and export/report tools. CLI for automation.
User configuration is applied; the Launcher creates an isolated environment snapshot and starts the run.
Hooks emit structured events which the Event Bus timestamps and aggregates.
File and registry writes are redirected into the sandbox image; logs record virtual paths and outcomes.
Network calls traverse the Network Gate where allow/block/proxy rules are applied and logged.
Memory snapshots are captured at configured points and stored as artifacts linked into the timeline.
After shutdown, artifacts and timeline are available for review, export, or replay for comparison.
Keep the surface area close to a real Windows host at the chosen fidelity level (filesystem layout, common registry keys, expected services). Route side-effecting operations into ephemeral or versioned images so each run starts clean.
Prefer proxies and canned responses to simulate services. Instrumentation should be structured and minimally invasive to preserve observable timing and behaviour.
Define run configuration and event schema. Mock UI flows and prototype sandbox image format and metadata store.
Overlay filesystem containment; basic file and process logging; simple GUI timeline.
Network rules and logging; memory snapshots linked to the timeline; richer logging schema.
Automatic replay under saved environments and timeline diffing; side-by-side comparisons.
Filters, search, export templates, report generator; containment hardening and optional canned services.