- Notifications
You must be signed in to change notification settings - Fork0
Qiling Advanced Binary Emulation Framework
License
r0ck3rt/qiling
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
Qiling's use case, blog and related work
Qiling is an advanced binary emulation framework, with the following features:
- Emulate multi-platforms: Windows, macOS, Linux, Android, BSD, UEFI, DOS, MBR.
- Emulate multi-architectures: 8086, X86, X86_64, ARM, ARM64, MIPS, RISC-V, PowerPC.
- Support multiple file formats: PE, Mach-O, ELF, COM, MBR.
- Support Windows Driver (.sys), Linux Kernel Module (.ko) & macOS Kernel (.kext) viaDemigod.
- Emulates & sandbox code in an isolated environment.
- Provides a fully configurable sandbox.
- Provides in-depth memory, register, OS level and filesystem level API.
- Fine-grain instrumentation: allows hooks at various levels(instruction/basic-block/memory-access/exception/syscall/IO/etc.)
- Provides virtual machine level API such as saving and restoring the current execution state.
- Supports cross architecture and platform debugging capabilities.
- Built-in debugger with reverse debugging capability.
- Allows dynamic hot patch on-the-fly running code, including the loaded library.
- True framework in Python, making it easy to build customized security analysis tools on top.
Qiling also made its way to various international conferences.
2022:
2021:
2020:
- Black Hat, Europe
- Black Hat, USA
- Black Hat, USA (Demigod)
- Black Hat, Asia
- Hack In The Box, Lockdown 001
- Hack In The Box, Lockdown 002
- Hack In The Box, Cyberweek
- Nullcon
2019:
Qiling is backed byUnicorn Engine.
Visit ourwebsite for more information.
This program is free software; you can redistribute it and/or modifyit under the terms of the GNU General Public License as published bythe Free Software Foundation; either version 2 of the License, or(at your option) any later version.
There are many open-source emulators, but two projects closest to QilingareUnicorn &QEMU user mode.This section explains the main differences of Qiling against them.
Built on top of Unicorn, but Qiling & Unicorn are two different animals.
- Unicorn is just a CPU emulator, so it focuses on emulating CPU instructions,that can understand emulator memory.Beyond that, Unicorn is not aware of higher level concepts, such as dynamiclibraries, system calls, I/O handling or executable formats like PE, Mach-Oor ELF. As a result, Unicorn can only emulate raw machine instructions,without Operating System (OS) context.
- Qiling is designed as a higher level framework, that leverages Unicorn toemulate CPU instructions, but can understand OS: it has executable formatloaders (for PE, Mach-O & ELF currently), dynamic linkers (so we canload & relocate shared libraries), syscall & IO handlers. For this reason,Qiling can run executable binary without requiring its native OS.
QEMU user mode does a similar thing to our emulator, that is, to emulate wholeexecutable binaries in a cross-architecture way.However, Qiling offers some important differences against QEMU user mode:
- Qiling is a true analysis framework,that allows you to build your own dynamic analysis tools on top (in Python).Meanwhile, QEMU is just a tool, not a framework.
- Qiling can perform dynamic instrumentation, and can even hot patch code atruntime. QEMU does neither.
- Not only working cross-architecture, Qiling is also cross-platform.For example, you can run Linux ELF file on top of Windows.In contrast, QEMU user mode only runs binary of the same OS, such as LinuxELF on Linux, due to the way it forwards syscall from emulated code tonative OS.
- Qiling supports more platforms, including Windows, macOS, Linux & BSD. QEMUuser mode can only handle Linux & BSD.
Please seesetup guide file for how to install Qiling Framework.
The example below shows how to use Qiling framework in the moststraightforward way to emulate a Windows executable.
fromqilingimportQilingif__name__=="__main__":# initialize Qiling instance, specifying the executable to emulate and the emulated system root.# note that the current working directory is assumed to be Qiling homeql=Qiling([r'examples/rootfs/x86_windows/bin/x86_hello.exe'],r'examples/rootfs/x86_windows')# start emulationql.run()
- The following example shows how a Windows crackme may be patched dynamicallyto make it always display the “Congratulation” dialog.
fromqilingimportQilingdefforce_call_dialog_func(ql:Qiling):# get DialogFunc address from current stack framelpDialogFunc=ql.stack_read(-8)# setup stack memory for DialogFuncql.stack_push(0)ql.stack_push(1001)# IDS_APPNAMEql.stack_push(0x111)# WM_COMMANDql.stack_push(0)# push return addressql.stack_push(0x0401018)# resume emulation from DialogFunc addressql.arch.regs.eip=lpDialogFuncif__name__=="__main__":# initialize Qiling instanceql=Qiling([r'rootfs/x86_windows/bin/Easy_CrackMe.exe'],r'rootfs/x86_windows')# NOP out some codeql.patch(0x004010B5,b'\x90\x90')ql.patch(0x004010CD,b'\x90\x90')ql.patch(0x0040110B,b'\x90\x90')ql.patch(0x00401112,b'\x90\x90')# hook at an address with a callbackql.hook_address(force_call_dialog_func,0x00401016)ql.run()
The below YouTube video shows how the above example works.
Qiling Framework hot-patches and emulates an ARM router's/usr/bin/httpd
onan x86_64 Ubuntu host.
This video demonstrates how Qiling's IDA Pro plugin can make IDA Pro run withQiling instrumentation engine.
Solving a simple CTF challenge with Qiling Framework and IDA Pro
Qiling Framework emulates MBR
Qiling also provides a friendly tool namedqltool
to quickly emulate shellcode & executable binaries.
With qltool, easy execution can be performed:
With shellcode:
$ ./qltool code --os linux --arch arm --format hex -f examples/shellcodes/linarm32_tcp_reverse_shell.hex
With binary file:
$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --rootfs examples/rootfs/x8664_linux/
With binary and GDB debugger enabled:
$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --gdb 127.0.0.1:9999 --rootfs examples/rootfs/x8664_linux
With code coverage collection (UEFI only for now):
$ ./qltool run -f examples/rootfs/x8664_efi/bin/TcgPlatformSetupPolicy --rootfs examples/rootfs/x8664_efi --coverage-format drcov --coverage-file TcgPlatformSetupPolicy.cov
With JSON output (Windows, mainly):
$ ./qltool run -f examples/rootfs/x86_windows/bin/x86_hello.exe --rootfs examples/rootfs/x86_windows/ --console False --json
Get the latest info from our websitehttps://www.qiling.io
Contact us at emailinfo@qiling.io,via Twitter@qiling_io.
Please refer toCREDITS.md.
About
Qiling Advanced Binary Emulation Framework
Resources
License
Stars
Watchers
Forks
Packages0
Languages
- Python99.8%
- Other0.2%