Repository files navigation

Qiling's usecase, blog and related work

Qiling is an advanced binary emulation framework, with the following features:

• Emulate multi-platforms: Windows, MacOS, Linux, Android, BSD, UEFI, DOS, MBR, Ethereum Virtual Machine
• Emulate multi-architectures: 8086, X86, X86_64, ARM, ARM64, MIPS, RISCV, PowerPC
• Support multiple file formats: PE, MachO, ELF, COM, MBR
• Support Windows Driver (.sys), Linux Kernel Module (.ko) & MacOS Kernel (.kext) viaDemigod
• Emulates & sandbox code in an isolated environment
• Provides a fully configurable sandbox
• Provides in-depth memory, register, OS level and filesystem level API
• Fine-grain instrumentation: allows hooks at various levels (instruction/basic-block/memory-access/exception/syscall/IO/etc)
• Provides virtual machine level API such as save and restore current execution state
• Supports cross architecture and platform debugging capabilities
• Built-in debugger with reverse debugging capability
• Allows dynamic hotpatch on-the-fly running code, including the loaded library
• True framework in Python, making it easy to build customized security analysis tools on top

Qiling also made its way to various international conferences.

2022:

• Black Hat, EU
• Black Hat, MEA

2021:

• Black Hat, USA
• Hack In The Box, Amsterdam
• Black Hat, Asia

2020:

• Black Hat, Europe
• Black Hat, USA
• Black Hat, USA (Demigod)
• Black Hat, Asia
• Hack In The Box, Lockdown 001
• Hack In The Box, Lockdown 002
• Hack In The Box, Cyberweek
• Nullcon

2019:

• Defcon, USA
• Hitcon
• Zeronights

Qiling is backed byUnicorn engine.

Visit our websitehttps://www.qiling.io for more information.

This project is released and distributed underfree software license GPLv2 and later version.

There are many open source emulators, but two projects closest to Qiling areUnicorn &Qemu usermode. This section explains the main differences of Qiling against them.

Built on top of Unicorn, but Qiling & Unicorn are two different animals.

• Unicorn is just a CPU emulator, so it focuses on emulating CPU instructions, that can understand emulator memory. Beyond that, Unicorn is not aware of higher level concepts, such as dynamic libraries, system calls, I/O handling or executable formats like PE, MachO or ELF. As a result, Unicorn can only emulate raw machine instructions, without Operating System (OS) context
• Qiling is designed as a higher level framework, that leverages Unicorn to emulate CPU instructions, but can understand OS: it has executable format loaders (for PE, MachO & ELF at the moment), dynamic linkers (so we can load & relocate shared libraries), syscall & IO handlers. For this reason, Qiling can run executable binary without requiring its native OS

Qemu usermode does similar thing to our emulator, that is to emulate whole executable binaries in cross-architecture way. However, Qiling offers some important differences against Qemu usermode.

• Qiling is a true analysis framework, that allows you to build your own dynamic analysis tools on top (in friendly Python language). Meanwhile, Qemu is just a tool, not a framework
• Qiling can perform dynamic instrumentation, and can even hotpatch code at runtime. Qemu does not do either
• Not only working cross-architecture, Qiling is also cross-platform, so for example you can run Linux ELF file on top of Windows. In contrast, Qemu usermode only run binary of the same OS, such as Linux ELF on Linux, due to the way it forwards syscall from emulated code to native OS
• Qiling supports more platforms, including Windows, MacOS, Linux & BSD. Qemu usermode can only handle Linux & BSD

Please seesetup guide file for how to install Qiling Framework.

• The example below shows how to use Qiling framework in the most striaghtforward way to emulate a Windows executable.

fromqilingimportQilingif__name__=="__main__":# initialize Qiling instance, specifying the executable to emulate and the emulated system root.# note that the current working directory is assumed to be Qiling homeql=Qiling([r'examples/rootfs/x86_windows/bin/x86_hello.exe'],r'examples/rootfs/x86_windows')# start emulationql.run()

• The following example shows how a Windows crackme may be patched dynamically to make it always display the "Congratulation" dialog.

fromqilingimportQilingdefforce_call_dialog_func(ql:Qiling):# get DialogFunc address from current stack framelpDialogFunc=ql.stack_read(-8)# setup stack memory for DialogFuncql.stack_push(0)ql.stack_push(1001)# IDS_APPNAMEql.stack_push(0x111)# WM_COMMANDql.stack_push(0)# push return addressql.stack_push(0x0401018)# resume emulation from DialogFunc addressql.arch.regs.eip=lpDialogFuncif__name__=="__main__":# initialize Qiling instanceql=Qiling([r'rootfs/x86_windows/bin/Easy_CrackMe.exe'],r'rootfs/x86_windows')# NOP out some codeql.patch(0x004010B5,b'\x90\x90')ql.patch(0x004010CD,b'\x90\x90')ql.patch(0x0040110B,b'\x90\x90')ql.patch(0x00401112,b'\x90\x90')# hook at an address with a callbackql.hook_address(force_call_dialog_func,0x00401016)ql.run()

The below Youtube video shows how the above example works.

• Qiling Framework hot-patch and emulates ARM router's /usr/bin/httpd on a X86_64Bit Ubuntu

• This video demonstrate how Qiling's IDAPro plugin able to make IDApro run with Qiling instrumentation engine

• Solving a simple CTF challenge with Qiling Framework and IDAPro

• Qiling Framework emulates MBR

Qiling also provides a friendly tool namedqltool to quickly emulate shellcode & executable binaries.

With qltool, easy execution can be performed:

With shellcode:

$ ./qltool code --os linux --arch arm --format hex -f examples/shellcodes/linarm32_tcp_reverse_shell.hex

With binary file:

$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --rootfs  examples/rootfs/x8664_linux/

With binary and GDB debugger enable:

$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --gdb 127.0.0.1:9999 --rootfs examples/rootfs/x8664_linux

With code coverage collection (UEFI only for now):

$ ./qltool run -f examples/rootfs/x8664_efi/bin/TcgPlatformSetupPolicy --rootfs examples/rootfs/x8664_efi --coverage-format drcov --coverage-file TcgPlatformSetupPolicy.cov

With json output (Windows mainly):

$ ./qltool run -f examples/rootfs/x86_windows/bin/x86_hello.exe --rootfs  examples/rootfs/x86_windows/ --console False --json

Get the latest info from our websitehttps://www.qiling.io

Contact us at emailinfo@qiling.io, or via Twitter@qiling_io orWeibo

Please refer toCREDITS.md