Qiling - 高级二进制仿真框架

Qiling - 高级二进制仿真框架

Qiling is an advanced binary emulation framework, with the following features:

Cross platform: Windows, MacOS, Linux, BSD, UEFICross architecture: X86, X86_64, Arm, Arm64, MIPSMultiple file formats: PE, MachO, ELFEmulate & sandbox machine code in a isolated environmentSupports cross architecture and platform debugging capabilitiesProvide high level API to setup & configure the sandboxFine-grain instrumentation: allow hooks at various levels (instruction/basic-block/memory-access/exception/syscall/IO/etc)Allow dynamic hotpatch on-the-fly running code, including the loaded libraryTrue framework in Python, making it easy to build customized security analysis tools on top

Qiling is backed by Unicorn engine.

Visit our website https://qiling.io for more information.

License

This project is released and distributed under free software license GPLv2.

Qiling vs other Emulators

There are many open source emulators, but two projects closest to Qiling are Unicorn & Qemu usermode. This section explains the main differences of Qiling against them.

Qiling vs Unicorn engine

Built on top of Unicorn, but Qiling & Unicorn are two different animals.

Unicorn is just a CPU emulator, so it focuses on emulating CPU instructions, that can understand emulator memory. Beyond that, Unicorn is not aware of higher level concepts, such as dynamic libraries, system calls, I/O handling or executable formats like PE, MachO or ELF. As a result, Unicorn can only emulate raw machine instructions, without Operating System (OS) context.Qiling is designed as a higher level framework, that leverages Unicorn to emulate CPU instructions, but can understand OS: it has executable format loaders (for PE, MachO & ELF at the moment), dynamic linkers (so we can load & relocate shared libraries), syscall & IO handlers. For this reason, Qiling can run executable binary without requiring its native OS.

Qiling vs Qemu usermode

Qemu usermode does similar thing to our emulator, that is to emulate whole executable binaries in cross-architecture way. However, Qiling offers some important differences against Qemu usermode.

Qiling is a true analysis framework, that allows you to build your own dynamic analysis tools on top (in friendly Python language). Meanwhile, Qemu is just a tool, not a framework.Qiling can perform dynamic instrumentation, and can even hotpatch code at runtime. Qemu does not do either.Not only working cross-architecture, Qiling is also cross-platform, so for example you can run Linux ELF file on top of Windows. In contrast, Qemu usermode only run binary of the same OS, such as Linux ELF on Linux, due to the way it forwards syscall from emulated code to native OS.Qiling supports more platforms, including Windows, MacOS, Linux & BSD. Qemu usermode can only handles Linux & BSD.

Installation

Please see setup guide file for how to install Qiling Framework.

Examples

Below example shows how to use Qiling framework to emulate a Windows EXE on a Linux machine.

from qiling import *# sandbox to emulate the EXEdef my_sandbox(path, rootfs): # setup Qiling engine ql = Qiling(path, rootfs) # now emulate the EXE ql.run()if __name__ == "__main__": # execute Windows EXE under our rootfs my_sandbox(["examples/rootfs/x86_windows/bin/x86_hello.exe"], "examples/rootfs/x86_windows")

Below example shows how to use Qiling framework to dynamically patch a Windows crackme, make it always display "Congratulation" dialog.

from qiling import *def force_call_dialog_func(ql): # get DialogFunc address lpDialogFunc = ql.unpack32(ql.mem.read(ql.reg.esp - 0x8, 4)) # setup stack memory for DialogFunc ql.stack_push(0) ql.stack_push(1001) ql.stack_push(273) ql.stack_push(0) ql.stack_push(0x0401018) # force EIP to DialogFunc ql.reg.eip = lpDialogFuncdef my_sandbox(path, rootfs): ql = Qiling(path, rootfs) # NOP out some code ql.patch(0x004010B5, b'\x90\x90') ql.patch(0x004010CD, b'\x90\x90') ql.patch(0x0040110B, b'\x90\x90') ql.patch(0x00401112, b'\x90\x90') # hook at an address with a callback ql.hook_address(force_call_dialog_func, 0x00401016) ql.run()if __name__ == "__main__": my_sandbox(["rootfs/x86_windows/bin/Easy_CrackMe.exe"], "rootfs/x86_windows")

The below Youtube video shows how the above example works.

GDBserver with IDAPro demo

Solving a simple CTF challenge with Qiling Framework and IDAPro

Fuzzing with Qiling Unicornalf

More information on fuzzing with Qiling Unicornalf can be found here.

Emulating ARM router firmware on Ubuntu X64 machine

Qiling Framework hot-patch and emulates ARM router's /usr/bin/httpd on a X86_64Bit Ubuntu

Emulating UEFI

Qiling Framework emulates UEFI

Qltool

Qiling also provides a friendly tool named qltool to quickly emulate shellcode & executable binaries.

With qltool, easy execution can be performed:

With shellcode:

$ ./qltool shellcode --os linux --arch arm --hex -f examples/shellcodes/linarm32_tcp_reverse_shell.hex

With binary file:

$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --rootfs examples/rootfs/x8664_linux/

With binary and GDB debugger enable:

$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --gdb 127.0.0.1:9999 --rootfs examples/rootfs/x8664_linux

See https://docs.qiling.io/ for more details

Remote Debugger

Qiling supports remote debugging now.

See https://docs.qiling.io/ for more details

Contact

Get the latest info from our website https://qiling.io

Contact us at email info@qiling.io, or via Twitter @qiling_io or Weibo

Core developers

LAU kaijern (xwings) kj@qiling.ioNGUYEN Anh Quynh aquynh@gmail.comDING tianZe (D1iv3) dddliv3@gmail.comSUN bowen (w1tcher) w1tcher.bupt@gmail.comCHEN huitao (null) null@qiling.ioYU tong (sp1ke) spikeinhouse@gmail.comEarl Marcus (klks84) klks84@gmail.com

Travis-CI, Docker and Website

FOO Kevin (chfl4gs) chbsd64@qiling.io

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。