GitHub - qilingframework/qiling: Qiling Advanced Binary Emulation framework
source link: https://github.com/qilingframework/qiling
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
README.md
Qiling - Advanced Binary Emulation framework
Qiling is an advanced binary emulation framework, with the following features:
- Cross platform: Windows, MacOS, Linux, BSD
- Cross architecture: X86, X86_64, Arm, Arm64, Mips
- Multiple file formats: PE, MachO, ELF
- Emulate & sandbox machine code in a isolated enviroment
- Provide high level API to setup & configure the sandbox
- Fine-grain instrumentation: allow hooks at various levels (instruction/basic-block/memory-access/exception/syscall/IO/etc)
- Allow dynamic hotpatch on-the-fly running code, including the loaded library
- True framework in Python, make it easy to build customized security analysis tools on top
Qiling is backed by Unicorn engine.
Visit our website https://www.qiling.io for more information.
Announcement
We are currently in Alpha test phase, that will be followed by public beta release.
This is a call for testers: please email your short instroduction, with github/gitlab ID to [email protected] for shortlisting.
Evaluation will be based on your open source participation.
Install
Run below command line to install Qiling (NOTE: you may need sudo on your platform to install to system directory).
python3 setup.py install
Examples
- Below example shows how to use Qiling framework to emulate a Windows EXE on a Linux machine.
from qiling import * # sandbox to emulate the EXE def my_sandbox(path, rootfs): # setup Qiling engine ql = Qiling(path, rootfs) # now emulate the EXE ql.run() if __name__ == "__main__": # execute Windows EXE under our rootfs my_sandbox(["examples/rootfs/x86_windows/bin/x86-windows-hello.exe"], "examples/rootfs/x86_windows")
- Below example shows how to use Qiling framework to dynamically patch a Windows crackme, make it always display "Congratulation" dialog.
from qiling import * # callback for code instrumentation def force_call_dialog_func(uc, address, size, ql): if address == 0x00401016: # get address of DialogFunc() lpDialogFunc = ql.unpack32(ql.mem_read(ql.sp - 0x8, 4)) # setup stack for DialogFunc() ql.stack_push(0) ql.stack_push(1001) ql.stack_push(273) ql.stack_push(0) ql.stack_push(0x0401018) # force EIP to DialogFunc() ql.pc = lpDialogFunc # sandbox to emulate Windows EXE def my_sandbox(path, rootfs): # setup Qiling engine ql = Qiling(path, rootfs) # NOP out some code ql.patch(0x004010B5, b'\x90\x90') ql.patch(0x004010CD, b'\x90\x90') ql.patch(0x0040110B, b'\x90\x90') ql.patch(0x00401112, b'\x90\x90') # instrument every instruction with callback force_call_dialog_func ql.hook_code(force_call_dialog_func) # now emulate the binary ql.run() if __name__ == "__main__": my_sandbox(["examples/rootfs/x86_windows/bin/Easy_CrackMe.exe"], "examples/rootfs/x86_windows")
The below Youtube video shows how the above example works.
Wannacry demo
- The below Youtube video shows how Qiling analyzes Wannacry malware.
Qltool
Qiling also provides a friendly tool named qltool
to quickly emulate shellcode & executable binaries.
To emulate a binary, run:
$ ./qltool run -f examples/rootfs/arm_linux/bin/arm32-hello --rootfs examples/rootfs/arm_linux/
To run shellcode, run:
$ ./qltool shellcode --os linux --arch x86 --asm -f examples/shellcodes/lin32_execve.asm
Contact
Get the latest info from out webiste https://www.qiling.io.
Contact us at email [email protected], or via Twitter @qiling_io.
Core developers
- kaijern (xwings) Lau [email protected]
- Nguyen Anh Quynh [email protected]
- tianze (Dliv3) Ding [email protected]
- bowen (w1tcher) Sun [email protected]
- huitao (null) Chen [email protected]
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK