Qiling – Advanced Binary Emulation framework
Qiling is an advanced binary emulation framework with the following features:
- Cross-platform: Windows, macOS, Linux, BSD
- Cross-architecture: x86, x86_64, ARM, ARM64, MIPS
- Multiple file formats: PE, Mach-O, ELF
- Emulate and sandbox machine code in an isolated environment
- High-level API to set up and configure the sandbox
- Fine-grained instrumentation: hooks at various levels (instruction, basic block, memory access, exception, syscall, I/O, etc.)
- Dynamic hotpatching of running code on the fly, including loaded libraries
- A true framework in Python, making it easy to build customized security analysis tools on top of it
Qiling is backed by the Unicorn engine.
- Added custom engine extension
- Added more POSIX syscalls
- Refactor: POSIX syscalls
- Refactor: Memory management
- Refactor: Heap management
- Cleanup and getting ready for the engine module
```bash
git clone https://github.com/qilingframework/qiling.git
cd qiling
python3 setup.py install
```
- The example below shows how to use the Qiling framework to emulate a Windows EXE on a Linux machine.
- The example below shows how to use the Qiling framework to dynamically patch a Windows crackme so that it always displays the "Congratulation" dialog.
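The following is an added example covering both points above (emulating a Windows PE on a Linux host and hotpatching a crackme); it is not code from the Qiling project or its README. Everything about the target is an assumption to be replaced from your own disassembly: the rootfs path `examples/rootfs/x86_windows`, the executable `bin/crackme.exe`, and the address `0x00401140` of the 2-byte short `jnz` that jumps to the failure path. The rootfs must also contain the Windows DLLs the binary imports; Qiling does not ship Microsoft DLLs, so copy them in from a Windows installation first. The patch helper refuses to write unless the bytes at that address really are a short conditional jump, which is the check you want before NOPing anything in a binary you did not build.

```python
"""
Added example (not Qiling's own code): emulate a Windows PE under Qiling on Linux
and hotpatch the conditional jump that gates the crackme's success message so it
can never be taken. All target-specific values below are hypothetical.
"""

ROOTFS = "examples/rootfs/x86_windows"                   # assumed rootfs with Windows DLLs copied in
CRACKME = "examples/rootfs/x86_windows/bin/crackme.exe"  # assumed target binary
JUMP_ADDR = 0x00401140                                   # assumed address of the `jnz fail` to neutralise

NOP = 0x90


def is_short_conditional_jump(opcode: int) -> bool:
    """x86 short Jcc opcodes (jo, jno, jb, ..., jg) occupy 0x70..0x7F."""
    return 0x70 <= opcode <= 0x7F


def nop_short_jump(code: bytes, offset: int = 0) -> bytes:
    """Return a copy of `code` with the 2-byte short Jcc at `offset` replaced by NOPs.

    Refuses to patch unless the bytes really are a short conditional jump, so a
    wrong address or a different build cannot silently corrupt an unrelated
    instruction. Both bytes (opcode + rel8) are replaced so nothing is left
    behind that would decode as a stray instruction.
    """
    if offset < 0 or offset + 2 > len(code):
        raise ValueError("not enough bytes at offset for a 2-byte short jump")
    if not is_short_conditional_jump(code[offset]):
        raise ValueError(
            f"expected short Jcc (0x70-0x7F) at offset {offset}, got 0x{code[offset]:02x}"
        )
    patched = bytearray(code)
    patched[offset] = NOP
    patched[offset + 1] = NOP
    return bytes(patched)


def run_crackme(rootfs: str = ROOTFS, exe: str = CRACKME, jump_addr: int = JUMP_ADDR) -> None:
    """Load the PE, verify and patch the gating jump in memory, then emulate it."""
    # Imported here so the pure helpers above stay usable without Qiling installed.
    from qiling import Qiling

    ql = Qiling([exe], rootfs)

    # The loader maps the PE when the Qiling object is built, so the original
    # bytes are readable before ql.run(); that lets us check them before patching.
    original = bytes(ql.mem.read(jump_addr, 2))
    ql.patch(jump_addr, nop_short_jump(original))

    def on_patched_site(ql: Qiling) -> None:
        # Instruction-level hook: confirms the patched branch is actually reached.
        ql.log.info(f"reached patched branch at 0x{jump_addr:08x}; falling through to success path")

    ql.hook_address(on_patched_site, jump_addr)
    ql.run()


if __name__ == "__main__":
    run_crackme()
```

If the emulated program never reaches the hook, the address or the rootfs is wrong, not the patch: check that the PE's image base matches the address you took from the disassembler, since a relocated load shifts every address by the same delta.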
Qiling also provides a friendly tool named qltool to quickly emulate shellcode & executable binaries.
To emulate a binary, run:
```bash
$ ./qltool run -f examples/rootfs/arm_linux/bin/arm32-hello --rootfs examples/rootfs/arm_linux/
```
To run shellcode, run:
```bash
$ ./qltool shellcode --os linux --arch x86 --asm -f examples/shellcodes/lin32_execve.asm
```
Copyright (C) 2019
- kaijern (xwings) Lau
- Nguyen Anh Quynh
- tianze (Dliv3) Ding
- bowen (w1tcher) Sun
- huitao (null) Chen