Shulou(Shulou.com)05/31 Report--

This article mainly shows you "what framework is Qiling", the content is easy to understand, clear, hope to help you solve your doubts, the following let the editor lead you to study and learn "what framework is Qiling" this article.

Qiling is a powerful advanced code simulation framework that is driven by the Unicorn engine and has the following features:

1. Cross-platform support: Windows, macOS, Linux, BSD

2. Cross-architecture support: x86, x86 / 64, ARM, ARM64, etc.

3. Multi-file structure support: PE, MachO, ELF

4. Simulate in isolated environment & sandboxie system code

5. Provide advanced API to install and configure sandboxie environment

6. Fine-grained display: allows you to set multiple levels of hooks (instruction/basic-block/memory-access/exception/syscall/IO, etc.)

Allow dynamic patching of running program code, including loaded libraries

8. Python framework support, which allows you to build and customize security analysis tools

Comparison between Qiling and other simulators

Currently, there are many open source simulators in the community, and the closest ones to Qiling are Unicorn and Qemu.

Qiling vs Unicorn engine

Although Qiling is implemented based on Unicorn, the two are completely different:

1. Unicorn is just a CPU simulator, which is mainly aimed at simulating CPU instructions. Unicorn does not recognize advanced concepts such as dynamic libraries, system calls, Imax O processing, or executable file formats such as PE, MachO, or ELF. Therefore, Unicorn can only simulate raw device instructions and cannot be applied to operating system context scenarios.

2. Qiling is a high-level framework that can use Unicorn to simulate CPU instructions, but it can also understand the operating system context. It integrates executable file format loaders, dynamic links, system calls and Icano processors. More importantly, Qiling can run executable source code without the need for a native operating system.

Qiling vs Qemu user mode

The Qemu user mode is similar to our Qiling in that it simulates the source code of the entire executable across schemas. However, what makes Qiling different is:

1. Qiling is a true analysis framework that allows us to build our own dynamic analysis tools (using Python). Beyond that, Qemu is just a tool, not a framework.

2. Qiling can execute dynamic instructions and make code patches at run time, which Qemu cannot do.

3. Qiling supports cross-platform, but Qemu user mode can only be used on the same operating system as the source code environment.

4. Qiling supports more platforms, including Windows, macOS and Linux&BSD, but Qemu user mode only supports Linux&BSD.

Tool installation

The majority of researchers can use the following command to install Qiling (Note: please set up the Python 3 environment before installation):

Python3 setup.py install

Sample use of tools

In the following example, we will demonstrate how to use the Qiling framework to simulate the target Windows executable on a Linux device:

From qiling import * # sandbox to emulate the EXEdef my_sandbox (path, rootfs): # setup Qiling engineql = Qiling (path, rootfs) # now emulate the EXEql.run () if _ _ name__ = "_ _ main__": # execute Windows EXE under our rootfsmy_sandbox (["examples/rootfs/x86_windows/bin/x86-windows-hello.exe"], "examples/rootfs/x86_windows")

In the following example, we will demonstrate how to use the Qiling framework to dynamically fix Windows crackme and display relevant information in the "Congratulation" dialog box:

From qiling import * def force_call_dialog_func (ql): # get DialogFunc addresslpDialogFunc = ql.unpack32 (ql.mem_read (ql.sp-0x8, 4)) # setup stack memory for DialogFuncql.stack_push (0) ql.stack_push (1001) ql.stack_push (1001) ql.stack_push (0) ql.stack_push (0x0401018) # force EIP to DialogFuncql.pc = lpDialogFuncdef my_sandbox (path, rootfs): ql = Qiling (path, rootfs) # NOP out some codeql.patch (0x004010B5 B'\ x90\ x90') ql.patch (0x004010CD, b'\ x90\ x90') ql.patch (0x0040110B, b'\ x90\ x90') ql.patch (0x00401112, b'\ x90\ x90') # hook at an address with a callbackql.hook_address (0x00401016, force_call_dialog_func) ql.run () if _ name__ = "_ main__": my_sandbox (["rootfs/x86_windows/bin/Easy_CrackMe.exe"] "rootfs/x86_windows") tool demo video Qiling DEMO 1: dynamically fix Windows crackme

Video address: https://v.qq.com/x/page/m3061ozrz3s.html

Wannacry DEMO: how to use Qiling to analyze Wannacry malware

Video address: https://v.qq.com/x/page/h4061l4445g.html

Qltool

Qiling also provides a powerful tool called qltool, which can help us quickly simulate the source code of the target Shellcode or executable.

The following command can directly simulate the target source code:

$. / qltool run-f examples/rootfs/arm_linux/bin/arm32-hello-rootfs examples/rootfs/arm_linux/

To simulate Shellcode, you need to run the following command:

$. / qltool shellcode-os linux-arch x86-asm-f examples/shellcodes/lin32_execve.asm license Agreement

The development and release of the Qiling project follows the GPLv2 open source license agreement.

The above is all the content of the article "what frame is Qiling?" Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.