qiling v1.2 releases: Advanced Binary Emulation framework

by do son · Published January 28, 2020 · Updated November 16, 2020

Qiling – Advanced Binary Emulation framework

Qiling is an advanced binary emulation framework, with the following features:

Cross-platform: Windows, MacOS, Linux, BSD
Cross architecture: X86, X86_64, Arm, Arm64, Mips
Multiple file formats: PE, MachO, ELF
Emulate & sandbox machine code in an isolated environment
Provide high-level API to setup & configure the sandbox
Fine-grain instrumentation: allow hooks at various levels (instruction/basic-block/memory-access/exception/syscall/IO/etc)
Allow dynamic hotpatch on-the-fly running code, including the loaded library
True framework in Python, make it easy to build customized security analysis tools on top

Qiling is backed by Unicorn engine.

Changes since 1.1.3

Demigod finally arrived, more information about Demigod
Linux: Implement futex bitset && Check library initialization
Linux: vfork and fork syscall mappings
execve() ql.argv and ql.env fix
De-flattern with IDA plugin now supports ARM && ARM64 with experimental IDA mircocode API.
Snapshot mechanism allows saving and restoring of OS and Loader information.
Improve register handling (uppercase/lowercase) and add LR register support to arm64
Fix ELF Memory mapping issues
Fixed directory traversal bug

git clone https://github.com/qilingframework/qiling.git
cd qiling
python3 setup.py install

Below example shows how to use Qiling framework to emulate a Windows EXE on a Linux machine.

Below example shows how to use Qiling framework to dynamically patch a Windows crackme, make it always display “Congratulation” dialog.

Qiling also provides a friendly tool named qltool to quickly emulate shellcode & executable binaries.

To emulate a binary, run:

$ ./qltool run -f examples/rootfs/arm_linux/bin/arm32-hello --rootfs examples/rootfs/arm_linux/

To run shellcode, run:

$ ./qltool shellcode --os linux --arch x86 --asm -f examples/shellcodes/lin32_execve.asm

Demo