
Qiling Framework - Advanced Binary Emulation Framework - Fnoord
https://www.qiling.io
======
saagarjha
Sounds like a nice project, but the descriptions are a bit strange. First, it
talks a bit about securing IoT, but then it goes on to say it supports
emulating Windows, macOS, Linux, and FreeBSD? Second, on the comparisons page
it lists a number of projects but seems to miss some of the most obvious
competitors and instead compares itself to things that are related to binary
emulation but not really relevant? For example, angr (disclaimer: I have
worked with multiple people that contribute to and use the project heavily)
does binary emulation as well (using Unicorn, no less; Nguyen Anh Quynh knows
this because he gets contributions to the project, especially for the Python
bindings, to keep angr working), has a number of loader backends, and has a
bunch of fancy hooking and tracing features very similar to the ones mentioned
here (among other things), all available through a Python API just like
Qiling.

------
troughway
I would like to see a tool that combines "version control" and executable
tracing, where you can take a snapshot of stack/heap and registers and allows
you to move through each snapshot and see what changed, essentially allowing
you to replay the execution instruction by instruction (with "proper" I/O
result code/data simulation).

I know George Hotz was working on something like this before he got into the
Comma AI thing and it really caught my eye, but I don't think there is
anything out there that is "production ready" like say, IDA Pro or Ghidra or
whatever.

Anyone know if such a tool exists? I imagine it would make mapping out vtables
and such trivial.

~~~
saagarjha
Perhaps you're thinking of QIRA ([https://qira.me](https://qira.me))?

~~~
troughway
Yes - is there one for Windows by any chance?

Edit: This is the tool by George Hotz that I was referring to. I doubt it's
really production ready given he likes to start and stop projects.

~~~
dlo
> I doubt it's really production ready given he likes to start and stop
> projects

A likely good strategy for success in startups is productizing projects
started by George Hotz. :-P

------
nickysielicki
How does this compare to angr?

~~~
zznop
Angr is a static analysis and symbolic execution framework. It contains many
components. It's built around Valgrind's VEX IR and provides an API that
allows for lifting binaries from various architectures to a common IL. Angr
also provides libraries to aid in CFG recovery, concolic testing, and other
program analysis techniques. Angr does not do software emulation and is used
mostly for static analysis.

Qiling is almost entirely dynamic. Qiling provides an API that allows you to
instrument and emulate binaries. It's an extra layer on top of Unicorn (a
library that can emulate CPU instructions using QEMU). Qiling contains
ELF/PE/etc loaders and kernel syscall emulation. Think of it as qemu-user but
with a Python API allowing you to install hooks, set breakpoints, read/write
to memory, etc...

~~~
nickysielicki
I've had no trouble using angr on real binaries, including self-modifying
binaries.

> [Qiling] is an extra layer on top of Unicorn (a library that can emulate CPU
> instructions using QEMU).

This is what is mostly confusing me -- angr has support for unicorn, so how is
it different from angr's support of Unicorn?

~~~
philibuster
Unicorn is a scriptable CPU emulator. What happens though when a program uses
a system call? Qiling tries to fully emulate what the host (windows, linux,
etc) should do. Emulating the systems an OS provides is not trivial. An OS
provides networking, filesystem, loading a binary(ELF, PE, MachO) into memory,
etc.

Using QEMU with full system emulation can do some of this, but you don't get
the scriptable control and deep analysis capabilities of Unicorn.

angr, from what I gather, can be useful for targeting specific sections of
code. If you've reversed a binary enough to know where to target, this is
useful. For example, code such as as parsers which are typically complex and
vulnerable or finding a specific input to reach a desired location (i.e. ctf
challenges).

The problem qiling solves is that applications don't run in a vacuum, they are
highly dependent on the OS they run on. Emulating each OS allows for dynamic
analysis not possible with other frameworks. Some tools like Corellium provide
great system emulation, but qiling has much better potential for analysis
purposes.

The slides in the 'News' section of the page do good job of explaining in
detail. [https://www.qiling.io/docs/Qiling-
NullCon2020.pdf](https://www.qiling.io/docs/Qiling-NullCon2020.pdf)

