Executable Parsing
Parse Windows executables (PE), determine 32-bit vs 64-bit targets, and extract key constants and initial values.
Kernova sits between full virtual machines and basic sandboxes: a single‑application runtime that executes Windows binaries in a controlled environment while allowing carefully chosen pass‑through to the host. The focus is fidelity, low overhead, and visibility — with logging, breakpoints, and memory tooling built in.
Kernova is a lightweight, high‑fidelity sandbox for Windows executables: it parses a target binary, runs it through a controlled execution engine, and selectively passes through specific operations while adding logging and breakpoints. The result is VM‑like control for a single application, without the usual VM overhead.
Kernova is written in C, aiming for small binaries, predictable performance, and direct control over low-level execution.
Core idea: parse a Windows executable, build its memory layout, then execute the program via a controlled engine that can log and break at key points.
Selective pass-through: when the program needs OS functionality, Kernova can route specific operations through to the host while instrumenting them.
Memory tooling: inspect and modify process memory from the outside of the target’s “normal” execution path, reducing reliance on user-mode hooks.
Current work is focused on a proof-of-concept that can analyze Windows executables even on non-Windows hosts, then carry the same approach to a full Windows runtime.
Kernova is smaller than a full VM but more powerful than a basic sandbox. It aims to emulate enough of the Windows kernel-facing behaviour to keep targets behaving normally, while still allowing direct host pass-through for specific operations.
Instead of relying purely on traditional user-mode hooks, Kernova’s model is “controlled execution + selective pass-through”: run the program under an execution engine, and only allow the operations you choose — with logging and breakpoints attached.
Traditional sandboxes can be noisy and detectable, while full VMs add overhead and complexity. Kernova targets the middle ground: high fidelity, tight control, and strong introspection — focused on one application at a time.
Parse Windows executables (PE), determine 32-bit vs 64-bit targets, and extract key constants and initial values.
Run the program through an execution engine that can step, trace, and enforce which operations are allowed.
Allow specific OS interactions to pass through to the host while attaching logging, breakpoints, and policy checks.
View and edit target memory as a first-class feature, without depending on in-process user-mode hooks.
A “VM for one application” approach aims for minimal performance cost compared to full system virtualization.
Longer-term goal: support both user-mode applications and drivers under the same controlled runtime model.
Because the target runs under a controlled engine with selective pass-through, Kernova reduces reliance on obvious in-process hooks.
Breakpoints, tracing, and memory tooling are built into the runtime, making analysis and debugging straightforward.
Focused on a single application at a time, aiming for far less overhead than full VM-based approaches.
Parses the executable, resolves architecture (x86/x64), lays out memory, and initializes state.
Steps machine instructions under a controlled loop, enabling tracing, breakpoints, and policy enforcement.
Routes selected operations to the host OS while instrumenting and auditing each boundary crossing.
Structured event output for key operations (API boundary calls, memory changes, faults, and notable behaviours).
Inspect and modify memory in a controlled way, designed to minimize detectable hooking patterns.
Extend the model beyond user-mode apps to handle drivers with the same core containment + observability strategy.
Provide a clean run workflow: load target, observe execution, and export logs/artifacts for analysis.
The runtime parses the executable, determines whether it’s 32-bit or 64-bit, and prepares its initial memory state.
The program runs under a controlled execution loop that can trace instructions and enforce policies.
When OS functionality is needed, Kernova selectively passes through specific operations and instruments the boundary.
Memory can be viewed and edited as part of the runtime workflow, without relying on in-process hooks.
Key operations and anomalies are recorded as structured events for later review.
After execution, logs and artifacts can be reviewed and exported for debugging and analysis.
Model enough Windows behaviour to keep targets stable and believable, but keep the runtime small: execute under control, then selectively pass through only the operations you explicitly allow.
Where possible, prefer boundary-level instrumentation over in-process hooks. Keep logging and breakpoints attached to the execution engine so visibility remains consistent even when the target is hostile to hooking.
Executable parsing: detect x86/x64, enumerate memory constants and initial values, and validate PE handling (even on non-Windows hosts).
Controlled execution engine for user-mode targets: step/trace, breakpoints, and a minimal pass-through surface.
Logging and policy: record boundary crossings, enforce allow/deny rules, and add exportable run artifacts.
First-class memory view/edit tooling integrated into the run workflow, designed to minimize detectable hooking patterns.
Explore bringing drivers into the same model: stronger containment boundaries and expanded emulation/pass-through decisions.