Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Qiling's usecase, blog and related work
Qiling is an advanced binary emulation framework, with the following features:
Qiling also made its way to various international conferences.
2022:
2021:
2020:
2019:
Qiling is backed by Unicorn engine.
Visit our website https://www.qiling.io for more information.
This project is released and distributed under free software license GPLv2 and later version.
There are many open source emulators, but two projects closest to Qiling are Unicorn & Qemu usermode. This section explains the main differences of Qiling against them.
Built on top of Unicorn, but Qiling & Unicorn are two different animals.
Qemu usermode does similar thing to our emulator, that is to emulate whole executable binaries in cross-architecture way. However, Qiling offers some important differences against Qemu usermode.
Please see setup guide file for how to install Qiling Framework.
from qiling import Qiling
if __name__ == "__main__":
# initialize Qiling instance, specifying the executable to emulate and the emulated system root.
# note that the current working directory is assumed to be Qiling home
ql = Qiling([r'examples/rootfs/x86_windows/bin/x86_hello.exe'], r'examples/rootfs/x86_windows')
# start emulation
ql.run()
from qiling import Qiling
def force_call_dialog_func(ql: Qiling):
# get DialogFunc address from current stack frame
lpDialogFunc = ql.stack_read(-8)
# setup stack memory for DialogFunc
ql.stack_push(0)
ql.stack_push(1001) # IDS_APPNAME
ql.stack_push(0x111) # WM_COMMAND
ql.stack_push(0)
# push return address
ql.stack_push(0x0401018)
# resume emulation from DialogFunc address
ql.arch.regs.eip = lpDialogFunc
if __name__ == "__main__":
# initialize Qiling instance
ql = Qiling([r'rootfs/x86_windows/bin/Easy_CrackMe.exe'], r'rootfs/x86_windows')
# NOP out some code
ql.patch(0x004010B5, b'\x90\x90')
ql.patch(0x004010CD, b'\x90\x90')
ql.patch(0x0040110B, b'\x90\x90')
ql.patch(0x00401112, b'\x90\x90')
# hook at an address with a callback
ql.hook_address(force_call_dialog_func, 0x00401016)
ql.run()
The below Youtube video shows how the above example works.
Qiling also provides a friendly tool named qltool
to quickly emulate shellcode & executable binaries.
With qltool, easy execution can be performed:
With shellcode:
$ ./qltool code --os linux --arch arm --format hex -f examples/shellcodes/linarm32_tcp_reverse_shell.hex
With binary file:
$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --rootfs examples/rootfs/x8664_linux/
With binary and GDB debugger enable:
$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --gdb 127.0.0.1:9999 --rootfs examples/rootfs/x8664_linux
With code coverage collection (UEFI only for now):
$ ./qltool run -f examples/rootfs/x8664_efi/bin/TcgPlatformSetupPolicy --rootfs examples/rootfs/x8664_efi --coverage-format drcov --coverage-file TcgPlatformSetupPolicy.cov
With json output (Windows mainly):
$ ./qltool run -f examples/rootfs/x86_windows/bin/x86_hello.exe --rootfs examples/rootfs/x86_windows/ --console False --json
Get the latest info from our website https://www.qiling.io
Contact us at email info@qiling.io, or via Twitter @qiling_io or Weibo
Please refer to CREDITS.md
FAQs
Qiling is an advanced binary emulation framework that cross-platform-architecture
We found that qiling demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.