GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → qilingframework → Qiling

qilingframework / Qiling

Licence: gpl-2.0
Qiling Advanced Binary Emulation Framework

Programming Languages

python
139335 projects - #7 most used programming language
CodeQL
11 projects

Labels

frameworkreverse-engineeringemulatoranalysismalwarebinaryuefiunicorn-emulatorunicorn-engineqilingcross-architecture

Projects that are alternatives of or similar to Qiling

Simpleator
Simpleator ("Simple-ator") is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in Windows 10 Spring Update (1803), also called "Redstone 4", with additional improvements that were made in Windows 10 October Update (1809), aka "Redstone 5".
Stars: ✭ 260 (-90.77%)
Mutual labels:  emulator, malware, reverse-engineering
Replica
Ghidra Analysis Enhancer 🐉
Stars: ✭ 194 (-93.11%)
Mutual labels:  analysis, binary, reverse-engineering
Php Malware Analysis
Deobfuscation and analysis of PHP malware captured by a WordPress honey pot
Stars: ✭ 82 (-97.09%)
Mutual labels:  analysis, malware, reverse-engineering
Unicorn
Unicorn CPU emulator framework (ARM, AArch64, M68K, Mips, Sparc, PowerPC, RiscV, X86)
Stars: ✭ 4,934 (+75.21%)
Mutual labels:  framework, emulator, reverse-engineering
Simplify
Android virtual machine and deobfuscator
Stars: ✭ 3,865 (+37.25%)
Mutual labels:  emulator, malware, reverse-engineering
Zelos
A comprehensive binary emulation and instrumentation platform.
Stars: ✭ 298 (-89.42%)
Mutual labels:  binary, emulator, malware
Gtirb
Intermediate Representation for Binary analysis and transformation
Stars: ✭ 190 (-93.25%)
Mutual labels:  analysis, binary, reverse-engineering
Ddisasm
A fast and accurate disassembler
Stars: ✭ 325 (-88.46%)
Mutual labels:  analysis, binary, reverse-engineering
Binee
Binee: binary emulation environment
Stars: ✭ 408 (-85.51%)
Mutual labels:  analysis, binary, malware
Anti Emulator
Android Anti-Emulator
Stars: ✭ 587 (-79.15%)
Mutual labels:  emulator, malware, reverse-engineering
Data
APTnotes data
Stars: ✭ 1,126 (-60.01%)
Mutual labels:  analysis, malware
Malware Analysis Scripts
Collection of scripts for different malware analysis tasks
Stars: ✭ 61 (-97.83%)
Mutual labels:  malware, reverse-engineering
Novuscore
A modern take on WoW emulation
Stars: ✭ 88 (-96.87%)
Mutual labels:  framework, emulator
Illuminatejs
IlluminateJS is a static JavaScript deobfuscator
Stars: ✭ 96 (-96.59%)
Mutual labels:  analysis, malware
Locky
Stars: ✭ 61 (-97.83%)
Mutual labels:  analysis, malware
Bap
Binary Analysis Platform
Stars: ✭ 1,385 (-50.82%)
Mutual labels:  emulator, reverse-engineering
S2e
S2E: A platform for multi-path program analysis with selective symbolic execution.
Stars: ✭ 102 (-96.38%)
Mutual labels:  analysis, reverse-engineering
Pecli
CLI tool to analyze PE files
Stars: ✭ 46 (-98.37%)
Mutual labels:  malware, reverse-engineering
Arsenal
Extensible Red Team Framework
Stars: ✭ 99 (-96.48%)
Mutual labels:  framework, malware
Keystone
Keystone assembler framework: Core (Arm, Arm64, Hexagon, Mips, PowerPC, Sparc, SystemZ & X86) + bindings
Stars: ✭ 1,654 (-41.26%)
Mutual labels:  framework, reverse-engineering
View All Similar Projects ➔

Downloads Chat on Telegram

Qiling is an advanced binary emulation framework, with the following features:

  • Emulate multi-platforms: Windows, MacOS, Linux, BSD, UEFI, DOS, MBR, Ethereum Virtual Machine
  • Emulate multi-architectures: X86, X86_64, Arm, Arm64, MIPS, 8086
  • Support multiple file formats: PE, MachO, ELF, COM, MBR
  • Support Windows Driver (.sys), Linux Kernel Module (.ko) & MacOS Kernel (.kext) via Demigod
  • Emulates & sandbox code in an isolated environment
  • Provides a fully configurable sandbox
  • Provides in-depth memory, register, OS level and filesystem level API
  • Fine-grain instrumentation: allows hooks at various levels (instruction/basic-block/memory-access/exception/syscall/IO/etc)
  • Provides virtual machine level API such as save and restore current execution state
  • Supports cross architecture and platform debugging capabilities
  • Built-in debugger with reverse debugging capability
  • Allows dynamic hotpatch on-the-fly running code, including the loaded library
  • True framework in Python, making it easy to build customized security analysis tools on top

Qiling also made its way to various international conferences.

2021:

2020:

2019:

Qiling is backed by Unicorn engine.

Visit our website https://www.qiling.io for more information.

License

This project is released and distributed under free software license GPLv2 and later version.

Qiling vs other Emulators

There are many open source emulators, but two projects closest to Qiling are Unicorn & Qemu usermode. This section explains the main differences of Qiling against them.

Qiling vs Unicorn engine

Built on top of Unicorn, but Qiling & Unicorn are two different animals.

  • Unicorn is just a CPU emulator, so it focuses on emulating CPU instructions, that can understand emulator memory. Beyond that, Unicorn is not aware of higher level concepts, such as dynamic libraries, system calls, I/O handling or executable formats like PE, MachO or ELF. As a result, Unicorn can only emulate raw machine instructions, without Operating System (OS) context
  • Qiling is designed as a higher level framework, that leverages Unicorn to emulate CPU instructions, but can understand OS: it has executable format loaders (for PE, MachO & ELF at the moment), dynamic linkers (so we can load & relocate shared libraries), syscall & IO handlers. For this reason, Qiling can run executable binary without requiring its native OS
Qiling vs Qemu usermode

Qemu usermode does similar thing to our emulator, that is to emulate whole executable binaries in cross-architecture way. However, Qiling offers some important differences against Qemu usermode.

  • Qiling is a true analysis framework, that allows you to build your own dynamic analysis tools on top (in friendly Python language). Meanwhile, Qemu is just a tool, not a framework
  • Qiling can perform dynamic instrumentation, and can even hotpatch code at runtime. Qemu does not do either
  • Not only working cross-architecture, Qiling is also cross-platform, so for example you can run Linux ELF file on top of Windows. In contrast, Qemu usermode only run binary of the same OS, such as Linux ELF on Linux, due to the way it forwards syscall from emulated code to native OS
  • Qiling supports more platforms, including Windows, MacOS, Linux & BSD. Qemu usermode can only handle Linux & BSD

Installation

Please see setup guide file for how to install Qiling Framework.

Examples

  • Below example shows how to use Qiling framework to emulate a Windows EXE on a Linux machine
from qiling import *

# sandbox to emulate the EXE
def my_sandbox(path, rootfs):
    # setup Qiling engine
    ql = Qiling(path, rootfs)
    # now emulate the EXE
    ql.run()

if __name__ == "__main__":
    # execute Windows EXE under our rootfs
    my_sandbox(["examples/rootfs/x86_windows/bin/x86_hello.exe"], "examples/rootfs/x86_windows")
  • Below example shows how to use Qiling framework to dynamically patch a Windows crackme, make it always display "Congratulation" dialog
from qiling import *

def force_call_dialog_func(ql):
    # get DialogFunc address
    lpDialogFunc = ql.unpack32(ql.mem.read(ql.reg.esp - 0x8, 4))
    # setup stack memory for DialogFunc
    ql.stack_push(0)
    ql.stack_push(1001)
    ql.stack_push(273)
    ql.stack_push(0)
    ql.stack_push(0x0401018)
    # force EIP to DialogFunc
    ql.reg.eip = lpDialogFunc


def my_sandbox(path, rootfs):
    ql = Qiling(path, rootfs)
    # NOP out some code
    ql.patch(0x004010B5, b'\x90\x90')
    ql.patch(0x004010CD, b'\x90\x90')
    ql.patch(0x0040110B, b'\x90\x90')
    ql.patch(0x00401112, b'\x90\x90')
    # hook at an address with a callback
    ql.hook_address(force_call_dialog_func, 0x00401016)
    ql.run()


if __name__ == "__main__":
    my_sandbox(["rootfs/x86_windows/bin/Easy_CrackMe.exe"], "rootfs/x86_windows")

The below Youtube video shows how the above example works.

Emulating ARM router firmware on Ubuntu X64 machine

  • Qiling Framework hot-patch and emulates ARM router's /usr/bin/httpd on a X86_64Bit Ubuntu

qiling Tutorial: Emulating and Fuzz ARM router firmware

Qiling's IDAPro Plugin: Instrument and Decrypt Mirai's Secret

  • This video demonstrate how Qiling's IDAPro plugin able to make IDApro run with Qiling instrumentation engine

GDBserver with IDAPro demo

  • Solving a simple CTF challenge with Qiling Framework and IDAPro

Solving a simple CTF challenge with Qiling Framework and IDAPro

Emulating MBR

  • Qiling Framework emulates MBR

qiling DEMO: Emulating MBR

Qltool

Qiling also provides a friendly tool named qltool to quickly emulate shellcode & executable binaries.

With qltool, easy execution can be performed:

With shellcode:

$ ./qltool shellcode --os linux --arch arm --hex -f examples/shellcodes/linarm32_tcp_reverse_shell.hex

With binary file:

$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --rootfs  examples/rootfs/x8664_linux/

With binary and GDB debugger enable:

$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --gdb 127.0.0.1:9999 --rootfs examples/rootfs/x8664_linux

See https://docs.qiling.io/ for more details

With code coverage collection (UEFI only for now):

$ ./qltool run -f examples/rootfs/x8664_efi/bin/TcgPlatformSetupPolicy --rootfs examples/rootfs/x8664_efi --coverage-format drcov --coverage-file TcgPlatformSetupPolicy.cov

With json output (Windows mainly):

$ ./qltool run -f examples/rootfs/x86_windows/bin/x86_hello.exe --rootfs  examples/rootfs/x86_windows/ --console False --json

Contact

Get the latest info from our website https://www.qiling.io

Contact us at email [email protected], or via Twitter @qiling_io or Weibo

Core developers, Key Contributors and etc

Please refer to CREDITS.TXT

This is an awesome project! Can I donate?

Yes, checkout SWAG

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].