qiling v1.4.3 releases: Advanced Binary Emulation framework
Qiling – Advanced Binary Emulation framework
Qiling is an advanced binary emulation framework, with the following features:
- Cross-platform: Windows, MacOS, Linux, BSD
- Cross architecture: X86, X86_64, Arm, Arm64, Mips
- Multiple file formats: PE, MachO, ELF
- Emulate & sandbox machine code in an isolated environment
- Provide a high-level API to set up & configure the sandbox
- Fine-grain instrumentation: allow hooks at various levels (instruction/basic-block/memory-access/exception/syscall/IO/etc)
- Allow dynamic hot-patching of running code on the fly, including loaded libraries
- True framework in Python, making it easy to build customized security analysis tools on top
Qiling is backed by the Unicorn engine.
Changelog v1.4.3
Changes since 1.4.2
New features:
- Introduce PowerPC architecture support (#1140)
Improvements:
- Fix fuzzing for tendaac15 (#1096)
- Update unicorn version to 2.0-rc6 (#1100)
- Implemented a few more Windows msvcrt functions (#1102)
- Minor PE Loader fix (#1104)
- Minor quality changes (#1106)
- Fix cacheflush syscall typo (#1115)
- Improvements and fixes for Windows and PE (#1118)
- Add vm_context to EVM hooks (#1119)
- Load interpreter segments with correct perms and vaddr (#1120)
- Fix mistakes in fuzz_x8664_linux binary (#1121)
- Add EVM ABI helpers, fix EVM DBG stack view (#1123)
- Fix regression caused by missing exception handling when opening socket (#1124)
- CI improvement (#1128 #1134)
- Add macho load command ‘LC_LOAD_WEAK_DYLIB’ support (#1133)
- Fix breakage of non-Windows binary emulation on Windows host (#1143)
- Remove misused region bound check of unmap_all (#1144)
- Change deprecated interfaces of IDA (#1145)
- Use importlib to retrieve package version (#1146)
- New and improved gdbserver (#1148)
- Rewrite package data reading (#1150)
- Misc improvements (#1154)
- Fix memory exhaustion problem caused by the logger (#1161)
Install
$ git clone https://github.com/qilingframework/qiling.git
$ cd qiling
$ python3 setup.py install
Use
- The example below shows how to use the Qiling framework to emulate a Windows EXE on a Linux machine.
- The example below shows how to use the Qiling framework to dynamically patch a Windows crackme so that it always displays the “Congratulation” dialog.
Qltool
Qiling also provides a friendly tool named qltool to quickly emulate shellcode & executable binaries.
To emulate a binary, run:
$ ./qltool run -f examples/rootfs/arm_linux/bin/arm32-hello --rootfs examples/rootfs/arm_linux/
To run shellcode, run:
$ ./qltool shellcode --os linux --arch x86 --asm -f examples/shellcodes/lin32_execve.asm
Copyright (C) 2019
- kaijern (xwings) Lau kj@qiling.io
- Nguyen Anh Quynh aquynh@gmail.com
- tianze (Dliv3) Ding dddliv3@gmail.com
- bowen (w1tcher) Sun w1tcher.bupt@gmail.com
- huitao (null) Chen null@qiling.io