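├── Part 1
│   ├── emulate_file.py
│   ├── emulate_shellcode.py
│   └── hooking_example.py
├── Part 2
│   ├── QBot_decrypt_strings.py
│   ├── Samples
│   │   ├── QBot_unpacked.exe
│   │   └── kSLØT_keylogger.dll
│   └── kSLØT_fetch_imports.py
└── README.md
--------------------------------------------------------------------------------
/Part 1/emulate_file.py:
--------------------------------------------------------------------------------
"""Emulate a complete x86-64 Linux ELF with Qiling.

Runs the ``x8664_hello`` example shipped in the Qiling rootfs. Nothing here is
malware; it is a smoke test that the emulator and rootfs are installed.
"""
from qiling import *

# initialize emulator (x86-64 linux): the list is the emulated argv, rootfs is
# the directory the emulated process sees as "/"
ql = Qiling(
    filename=["qiling/examples/rootfs/x8664_linux/bin/x8664_hello"],
    rootfs="qiling/examples/rootfs/x8664_linux",
)

# an empty filter list disables the per-syscall ("strace") log output
ql.filter = []

# start emulation; returns when the emulated program exits
ql.run()
--------------------------------------------------------------------------------
/Part 1/emulate_shellcode.py:
--------------------------------------------------------------------------------
"""Emulate a raw x86 shellcode blob and read back the registers it touched."""
from qiling import *

# two single-byte instructions: 0x41 = inc ecx, 0x4a = dec edx
shellcode = b"\x41\x4a"

# initialize emulator (x86 linux) directly from bytes; output="disasm" prints
# every executed instruction
ql = Qiling(
    shellcoder=shellcode,
    rootfs="qiling/examples/rootfs/x86_linux/",
    ostype="linux",
    archtype="x86",
    output="disasm",
)

# seed the registers the shellcode operates on
ql.reg.ecx = 0x3
ql.reg.edx = 0x7

# start emulation
ql.run()

# read machine registers back out: expected ecx = 0x4, edx = 0x6
print("ecx = 0x{:x}".format(ql.reg.ecx))
print("edx = 0x{:x}".format(ql.reg.edx))
--------------------------------------------------------------------------------
/Part 1/hooking_example.py:
--------------------------------------------------------------------------------
"""Print a disassembly trace of an ARM Linux binary using a per-instruction hook."""
from capstone import *
from qiling import *

# one Capstone decoder for the whole run; the hook fires once per executed
# instruction, so re-creating the decoder inside it is wasted work
md = Cs(CS_ARCH_ARM, CS_MODE_ARM)


def hook_callback(ql, address, size):
    """Disassemble and print the instruction about to execute.

    Qiling passes the address and byte size of the instruction; the bytes are
    fetched from emulated memory and handed to Capstone.
    NOTE(review): the decoder is fixed to ARM mode. If the target switches to
    Thumb, these bytes would be mis-decoded -- check the T bit of CPSR before
    decoding if the binary mixes modes.
    """
    data = ql.mem.read(address, size)
    for insn in md.disasm(data, address):
        print("[*] 0x{:08x}: {} {}".format(insn.address, insn.mnemonic, insn.op_str))


# initialize emulator (ARM linux): first argument is argv, second the rootfs
ql = \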
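Qiling(["qiling/examples/rootfs/arm_linux/bin/arm_hello"], "qiling/examples/rootfs/arm_linux")

# hook every instruction
ql.hook_code(hook_callback)

# start emulation; the timeout is in microseconds, so this traces only the
# first millisecond of execution rather than the whole program
ql.run(timeout=1000)
--------------------------------------------------------------------------------
/Part 2/QBot_decrypt_strings.py:
--------------------------------------------------------------------------------
"""IDAPython script: emulate QBot's string-decryption routine with Qiling and
annotate every call site with the decrypted string.

Run from inside IDA with the unpacked sample open. Qiling needs the same sample
on disk (``qbot.exe``, i.e. Samples/QBot_unpacked.exe) plus a Windows rootfs.
"""
import idc
import idautils
from qiling import *

######################################## IDAPython ########################################

# start/end of the decryption function (virtual addresses in the unpacked sample)
DEC_START = 0x4065B7
DEC_END = 0x406655
# address the emulation stops at: the routine's last instruction (presumably its
# `ret`), one byte before DEC_END. The routine is entered via begin= with no
# return address on the emulated stack, so the `ret` itself must not execute.
DEC_STOP = 0x406654

# xrefs to the decryption function
xrefs = idautils.CodeRefsTo(DEC_START, 0)
# call-site address -> string index the caller passes in eax
indexes = {}

for x in xrefs:
    # the caller is expected to load eax with `mov eax, imm` right before the call
    ea = idc.prev_head(x)
    # skip sites where the previous instruction is not a mov into eax at all
    # (the original check only looked at the operand type, so a `cmp eax, imm`
    # or `push imm` would have been mistaken for the index)
    if idc.print_insn_mnem(ea) != "mov" or idc.print_operand(ea, 0) != "eax":
        continue
    # skip sites where the index is computed dynamically (not an immediate)
    if idc.get_operand_type(ea, 1) != idc.o_imm:
        continue
    # the index value is the immediate second operand
    indexes[ea] = idc.get_operand_value(ea, 1)

####################################### Qiling ############################################

# initialize emulator (x86 windows); "qbot.exe" must be the unpacked sample
ql = Qiling(["qbot.exe"], rootfs="qiling/examples/rootfs/x86_windows")


def readString(ql, addr, max_len=4096):
    """Read a NUL-terminated string from emulated memory at ``addr``.

    Reads at most ``max_len`` bytes, so a missing terminator (a bad pointer, or
    a call that did not produce a string) cannot loop forever. The buffer is
    decoded once with ``errors="replace"`` instead of byte by byte, so a
    non-ASCII byte no longer raises UnicodeDecodeError mid-string.
    """
    raw = bytearray()
    for i in range(max_len):
        b = ql.mem.read(addr + i, 1)[0]
        if b == 0:
            break
        raw.append(b)
    return raw.decode(errors="replace")


# loop through collected indexes, emulating one decryption per call site
for ea, idx in indexes.items():
    # the routine takes its parameter in eax
    ql.reg.eax = idx
    # run only the decryption function on the already-loaded image
    ql.run(begin=DEC_START, end=DEC_STOP)
    # the decrypted string pointer comes back in eax; record the string as a
    # repeatable comment on the call site
    idc.set_cmt(ea,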
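readString(ql, ql.reg.eax), 1)
--------------------------------------------------------------------------------
/Part 2/Samples/QBot_unpacked.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/n1ght-w0lf/QilingForMalwareAnalysis/f8cd94c64eb72d4656b2a315d93e31e13051e6da/Part 2/Samples/QBot_unpacked.exe
--------------------------------------------------------------------------------
/Part 2/Samples/kSLØT_keylogger.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/n1ght-w0lf/QilingForMalwareAnalysis/f8cd94c64eb72d4656b2a315d93e31e13051e6da/Part 2/Samples/kSLØT_keylogger.dll
--------------------------------------------------------------------------------
/Part 2/kSLØT_fetch_imports.py:
--------------------------------------------------------------------------------
"""Recover the dynamically resolved imports of the kSLØT keylogger DLL.

The DLL resolves its real imports at runtime through GetProcAddress, so the
static import table tells little. Emulating DllMain under Qiling and hooking
GetProcAddress on exit prints every name the DLL asks for.
"""
from qiling import *
from qiling.const import *

# initialize emulator (x86_64 windows)
# NOTE(review): the repository lists the file as "kSLØT_keylogger.dll" (lower-
# case k); on a case-sensitive filesystem this path must match the file exactly.
ql = Qiling(["kSLØT_Keylogger.dll"], "qiling/examples/rootfs/x8664_windows")

DLL_MAIN = 0x1800019a0  # address of the DllMain function

# DllMain(hinstDLL, fdwReason, lpvReserved) takes its arguments in rcx, rdx, r8
# hinstDLL: 0x180000000 is the address Qiling loads the DLL at (presumably the
# image's preferred base); re-check against the loader if it ever relocates
ql.reg.rcx = 0x180000000
# fdwReason: 1 is DLL_PROCESS_ATTACH (the original comment said DETACH, which is
# 0). ATTACH is the branch that resolves imports, which is what we want to see.
ql.reg.rdx = 0x1
# lpvReserved
ql.reg.r8 = 0x0


# FARPROC GetProcAddress(
#   HMODULE hModule,
#   LPCSTR lpProcName
# )
def hook_GetProcAddress(ql, addr, params, *_extra):
    """Print the name each GetProcAddress call asks for.

    Installed as an EXIT intercept, so it runs after Qiling's own GetProcAddress
    implementation; ``params`` holds the parsed arguments. ``*_extra`` absorbs
    the return value that later Qiling releases pass to exit hooks as a fourth
    argument, so the hook works with either signature.
    NOTE(review): lpProcName can be an ordinal rather than a string in general;
    this sample is assumed to import by name.
    """
    print("[*] Import: {}".format(params["lpProcName"]))


# hook GetProcAddress() on exit
ql.set_api("GetProcAddress", hook_GetProcAddress, QL_INTERCEPT.EXIT)

# disable logging so only the import lines are printed
ql.filter = []
# start emulation at DllMain rather than the image entry point
ql.run(begin=DLL_MAIN)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# QilingForMalwareAnalysis

Code snippets for Qiling 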
Tutorials

[https://n1ght-w0lf.github.io/tutorials/qiling-for-malware-analysis-part-1](https://n1ght-w0lf.github.io/tutorials/qiling-for-malware-analysis-part-1)

[https://n1ght-w0lf.github.io/tutorials/qiling-for-malware-analysis-part-2](https://n1ght-w0lf.github.io/tutorials/qiling-for-malware-analysis-part-2)

**Warning:** `Part 2/Samples/` contains real malware (an unpacked QBot executable and the kSLØT keylogger DLL). Keep them in an isolated analysis VM and never run them natively; Qiling emulates the code instead of executing it on the host, but the files on disk are still live, so treat the rootfs and anything the emulated code writes into it as untrusted.
--------------------------------------------------------------------------------