
qiling v1.2.4.1 releases: Advanced Binary Emulation framework

Qiling – Advanced Binary Emulation framework

Qiling is an advanced binary emulation framework, with the following features:

  • Cross-platform: Windows, MacOS, Linux, BSD
  • Cross architecture: X86, X86_64, Arm, Arm64, Mips
  • Multiple file formats: PE, MachO, ELF
  • Emulate & sandbox machine code in an isolated environment
  • Provide a high-level API to set up and configure the sandbox
  • Fine-grained instrumentation: hooks at various levels (instruction/basic-block/memory-access/exception/syscall/IO/etc.)
  • Dynamic hotpatching of running code on the fly, including code in loaded libraries
  • A true framework in Python, making it easy to build customized security analysis tools on top of it

Qiling is backed by Unicorn engine.

Changelog v1.2.4

  • Added custom engine extension
  • Added more posix syscall
  • Refactor: Posix syscall
  • Refactor: Memory management
  • Refactor: Heap management
  • Cleanup and getting ready for engine module

Install

git clone https://github.com/qilingframework/qiling.git
cd qiling
python3 setup.py install

Use

  • The first example shows how to use the Qiling framework to emulate a Windows EXE on a Linux machine.
  • The second example shows how to use the Qiling framework to dynamically patch a Windows crackme so that it always displays the “Congratulation” dialog.
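Both use cases above in one script, as an added example written for this article rather than code from the Qiling project: it emulates a 32-bit Windows PE on Linux, NOP-patches the short conditional jumps that lead into the failure path, and hooks two addresses to make a string comparison and a flag test report success regardless of input. The target file name, every address and the stack layout are hypothetical placeholders standing in for what an analyst recovers from the target's disassembly; the Qiling calls used (`Qiling()`, `ql.patch`, `ql.hook_address`, `ql.mem.read`, `ql.reg`, `ql.run`) are the framework's public API.

```python
"""Emulate a 32-bit Windows crackme on Linux with Qiling and hotpatch it so the
success path is always taken.  Written for this article, not taken from the
Qiling project.  Every address, the target file name and the stack layout are
hypothetical placeholders for what an analyst recovers from the disassembly."""
import struct

ROOTFS = "examples/rootfs/x86_windows"      # Qiling rootfs holding the Windows DLLs the PE imports
TARGET = ROOTFS + "/bin/crackme.exe"        # hypothetical target name
JCC_SITES = (0x00401105, 0x00401123)        # hypothetical: 2-byte short jumps (jz/jnz rel8) into the "wrong serial" path
STRCMP_RETURN_SITE = 0x004010F0             # hypothetical: instruction right after a cdecl `call _strcmp`
FLAG_TEST_SITE = 0x00401140                 # hypothetical: the jcc that follows a `cmp`/`test`, branching on ZF
ZF = 1 << 6                                 # zero flag bit in EFLAGS


def build_nop_patches(sites):
    """Map each short-jcc site to the two NOP bytes that overwrite it, so the
    jump can never be taken.  Applied with ql.patch() before emulation starts."""
    return {addr: b"\x90\x90" for addr in sites}


def read_cstring(ql, addr, limit=64):
    """Read a NUL-terminated string from guest memory.  `limit` bounds the read
    so it does not wander far past the string into unmapped memory (Unicorn
    raises on an unmapped access, which would abort the hook)."""
    data = bytes(ql.mem.read(addr, limit))
    return data.split(b"\x00", 1)[0].decode("latin-1")


def force_compare_success(ql):
    """hook_address callback for STRCMP_RETURN_SITE.  On return from a cdecl
    strcmp the result is in EAX and the caller has not yet popped the two
    pointer arguments, so they still sit at [esp] and [esp+4].  Capture both
    strings and rewrite EAX to 0 ("equal"), whatever the user typed."""
    p_typed, p_expected = struct.unpack("<II", bytes(ql.mem.read(ql.reg.esp, 8)))
    typed, expected = read_cstring(ql, p_typed), read_cstring(ql, p_expected)
    ql.reg.eax = 0
    return typed, expected


def force_zero_flag(ql):
    """hook_address callback for FLAG_TEST_SITE.  The hook fires before the jcc
    at that address executes, so setting ZF here decides which way it goes.
    Use this when the check is `cmp`/`test` followed by jz/jnz and there is no
    convenient result register to patch."""
    ql.reg.eflags = ql.reg.eflags | ZF
    return ql.reg.eflags


def run_sandbox(argv=(TARGET,), rootfs=ROOTFS):
    """Set up the sandbox, apply the hotpatches and hooks, run to completion."""
    from qiling import Qiling   # imported here so the hook helpers above can be tested without an emulator

    ql = Qiling(list(argv), rootfs)
    for addr, code in build_nop_patches(JCC_SITES).items():
        ql.patch(addr, code)                          # overwrite mapped code before the first instruction runs
    ql.hook_address(force_compare_success, STRCMP_RETURN_SITE)
    ql.hook_address(force_zero_flag, FLAG_TEST_SITE)
    ql.run()
    return ql


if __name__ == "__main__":
    run_sandbox()
```

Running it requires Qiling installed and an x86 Windows rootfs populated with the DLLs the PE imports. The hook callbacks receive whatever `hook_address` passes as `ql`, so they can be exercised against a stub object that exposes `reg` and `mem.read` before touching the emulator, which is how the hypothetical addresses and stack offsets should be validated against the real binary before trusting them.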

Qltool

Qiling also provides a friendly tool named qltool to quickly emulate shellcode & executable binaries.

To emulate a binary, run:

$ ./qltool run -f examples/rootfs/arm_linux/bin/arm32-hello --rootfs examples/rootfs/arm_linux/

To run shellcode, run:

$ ./qltool shellcode --os linux --arch x86 --asm -f examples/shellcodes/lin32_execve.asm


Copyright (C) 2019

Source: https://github.com/qilingframework/
