iamyeh / qiling Goto Github PK

Qiling is an advanced binary emulation framework, with the following features:

• Cross platform: Windows, MacOS, Linux, BSD
• Cross architecture: X86, X86_64, Arm, Arm64, Mips
• Multiple file formats: PE, MachO, ELF
• Emulate & sandbox machine code in a isolated enviroment
• Provide high level API to setup & configure the sandbox
• Fine-grain instrumentation: allow hooks at various levels (instruction/basic-block/memory-access/exception/syscall/IO/etc)
• Allow dynamic hotpatch on-the-fly running code, including the loaded library
• True framework in Python, make it easy to build customized security analysis tools on top

Qiling is backed by Unicorn engine.

Visit our website https://www.qiling.io for more information.

We are currently in Alpha test phase, that will be followed by public beta release.

This is a call for testers: please email your short instroduction, with github/gitlab ID to [email protected] for shortlisting.

Evaluation will be based on your open source participation.

Run below command line to install Qiling (NOTE: you may need sudo on your platform to install to system directory).

python3 setup.py install

• Below example shows how to use Qiling framework to emulate a Windows EXE on a Linux machine.

from qiling import *

# sandbox to emulate the EXE
def my_sandbox(path, rootfs):
    # setup Qiling engine
    ql = Qiling(path, rootfs)
    # now emulate the EXE
    ql.run()

if __name__ == "__main__":
    # execute Windows EXE under our rootfs
    my_sandbox(["examples/rootfs/x86_windows/bin/x86-windows-hello.exe"], "examples/rootfs/x86_windows")

• Below example shows how to use Qiling framework to dynamically patch a Windows crackme, make it always display "Congratulation" dialog.

from qiling import *

def force_call_dialog_func(ql):
    # get DialogFunc address
    lpDialogFunc = ql.unpack32(ql.mem_read(ql.sp - 0x8, 4))
    # setup stack memory for DialogFunc
    ql.stack_push(0)
    ql.stack_push(1001)
    ql.stack_push(273)
    ql.stack_push(0)
    ql.stack_push(0x0401018)
    # force EIP to DialogFunc
    ql.pc = lpDialogFunc


def my_sandbox(path, rootfs):
    ql = Qiling(path, rootfs)
    # NOP out some code
    ql.patch(0x004010B5, b'\x90\x90')
    ql.patch(0x004010CD, b'\x90\x90')
    ql.patch(0x0040110B, b'\x90\x90')
    ql.patch(0x00401112, b'\x90\x90')
    # hook at an address with a callback
    ql.hook_address(0x00401016, force_call_dialog_func)
    ql.run()


if __name__ == "__main__":
    my_sandbox(["rootfs/x86_windows/bin/Easy_CrackMe.exe"], "rootfs/x86_windows")

The below Youtube video shows how the above example works.

• The below Youtube video shows how Qiling analyzes Wannacry malware.

Qiling also provides a friendly tool named qltool to quickly emulate shellcode & executable binaries.

To emulate a binary, run:

$ ./qltool run -f examples/rootfs/arm_linux/bin/arm32-hello --rootfs examples/rootfs/arm_linux/

To run shellcode, run:

$ ./qltool shellcode --os linux --arch x86 --asm -f examples/shellcodes/lin32_execve.asm

Get the latest info from out webiste https://www.qiling.io

Contact us at email [email protected], or via Twitter @qiling_io

任何疑问请联系麒麟框架官方微博

• kaijern (xwings) Lau [email protected]
• Nguyen Anh Quynh [email protected]
• tianze (Dliv3) Ding [email protected]
• bowen (w1tcher) Sun [email protected]
• huitao (null) Chen [email protected]