QBDI v0.11 releases: A Dynamic Binary Instrumentation framework
Quarkslab Dynamic Binary Instrumentation (QBDI) is a modular, cross-platform, and cross-architecture DBI framework. It aims to support Linux, macOS, Android, iOS, and Windows operating systems running on x86, x86-64, ARM, and AArch64 architectures. Information about what a DBI framework is and how QBDI works can be found in the introduction of the user documentation.
Why a DBI?
Debuggers are a popular approach to analyzing the execution of a binary. While those tools are convenient, they are also quite slow. This performance problem is imperceptible to a human user but really takes its toll on automated tools trying to step through a complete program. The only way to get rid of the problem is to place the tool inside the binary being analyzed, and this is what DBI does: injecting instrumentation code inside the binary at runtime.
Why QBDI?
Existing DBI frameworks were designed more than 15 years ago, focusing on features and platforms that made sense at the time. Mobile platform support is often unstable or missing, and instrumentation features are either simplistic or buried in low-level details. QBDI attempts to retain the interesting features of those frameworks while avoiding their pitfalls and bringing new designs and ideas to the table.
QBDI modularity means it doesn’t contain a preferred injection method and it is designed to be used in conjunction with an external injection tool. QBDI includes a tiny (LD_PRELOAD based) Linux and macOS injector for dynamic executables (QBDIPreload), which acts as the foundation for our Python bindings (pyQBDI). QBDI is also fully integrated with Frida, a reference dynamic instrumentation toolkit, allowing anybody to use their combined powers.
x86-64 support is mature (even if SIMD memory access is not yet reported). ARM architecture is a work in progress but already sufficient to execute a simple CLI program like ls or cat. x86 and AArch64 are planned, but currently unsupported.
A current limitation is that QBDI doesn't handle signals, multithreading (it doesn't deal with new thread creation) or the C++ exception mechanism. However, those system-dependent features will probably not be part of the core library (KISS), and should be integrated as a new layer (how is still to be determined).
CPU | Operating Systems | Execution | Memory Access Information |
---|---|---|---|
x86-64 | Linux, macOS, Windows | Supported | Partial (only non SIMD) |
ARM | Linux, Android, iOS | Partial | Unsupported |
AArch64 | Linux, Android | Unsupported | Unsupported |
x86 | Linux, macOS, Windows | Unsupported | Unsupported |
Changelog v0.11
- Fix ARM instrumentation for ‘mov pc, lr’ (#241)
- Add switchStackAndCall API (#245)
- Rename QBDI::InstAnalysis::module and QBDI::InstAnalysis::symbol to QBDI::InstAnalysis::moduleName and QBDI::InstAnalysis::symbolName. The same change applies to the C, C++, Python and JS APIs; the Python and JS APIs deprecate the previous names but still support them.
- Update LLVM to LLVM17 (#253)
- Support copy and pickle for GPRState and FPRState in PyQBDI (#247, #248)
- Support python 3.12 (#247)
Copyright 2017 Quarkslab