Qiling Framework also provides a friendly tool named qltool to quickly emulate shellcode & executable binaries.

Commands

qltool has three available commands:
- run: emulate a program binary
- code: execute a shellcode excerpt
- examples: emit usage examples

Run Options

Option name   Abbreviation   Arguments   Description
--filename    -f             filename    Binary filename to emulate
--rootfs                     dirname     Emulation root directory; this is where all libraries reside
--args                       ...         Emulated program command line arguments

Notes:
- If --filename is not specified, the last argument is taken as the program binary
- If --args is not specified, all trailing arguments are taken as the program's command line arguments

Code Options

Option name   Abbreviation   Arguments                                              Description
--filename    -f             filename                                               Input filename
--input       -i             hex                                                    Input hex string; only relevant when --format is set to hex
--format                     asm, hex, bin                                          Specify file or input format: either an assembly, hex string or binary file
--arch                       x86, x8664, arm, arm_thumb, arm64, mips, a8086, evm    Target architecture
--endian                     little, big                                            Target endianness (default: little)
--os                         linux, freebsd, macos, windows, uefi, dos, evm         Target operating system

Notes:
- When --format is set to hex, qltool first looks for data in --input. If no input string is specified, it reads the file given by --filename

Common Options

Option name         Abbreviation   Arguments                           Description
--verbose           -v             off, default, debug, disasm, dump   Set logging verbosity level
--env                              filename                            Path of a Pickle file containing an environment dictionary, or a Python string that evaluates to a dictionary
--gdb               -g             [server:port]                       Enable gdb server
--qdb                                                                  Attach qdb at entry point. Currently supporting only MIPS and ARM (thumb mode)
--rr                                                                   Enable qdb record and replay feature; requires --qdb
--profile                          filename                            Specify a profile file
--no-console                                                           Do not emit program output to stdout
--filter            -e             regexp                              Apply a filtering regexp on log output
--log-file                         filename                            Emit log to file
--log-plain                                                            Do not use colors in log output; useful when emitting log to a file
--root                                                                 Enable sudo required mode
--debug-stop                                                           Stop emulation on first error; requires verbose to be set to either debug or dump
--multithread       -m                                                 Execute program in multithread mode
--timeout                          microseconds                        Set emulation timeout in microseconds (1000000μs = 1s)
--coverage-file     -c             filename                            Code coverage output file
--coverage-format                  drcov, drcov_exact                  Code coverage file format
--json                                                                 Emit an emulation report in JSON format

Examples

shellcode:

$ ./qltool code --os linux --arch arm --format hex -f examples/shellcodes/linarm32_tcp_reverse_shell.hex
$ ./qltool code --os linux --arch x86 --format asm -f examples/shellcodes/lin32_execve.asm

binary file:

$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --rootfs  examples/rootfs/x8664_linux/
$ ./qltool run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux

UEFI file:

$ ./qltool run -f examples/rootfs/x8664_efi/bin/TcgPlatformSetupPolicy --rootfs examples/rootfs/x8664_efi --env examples/rootfs/x8664_efi/rom2_nvar.pickel

GDB debugger enable:

$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --gdb 127.0.0.1:9999 --rootfs examples/rootfs/x8664_linux

Binary file and argv:

$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_args --rootfs examples/rootfs/x8664_linux --args test1 test2 test3
$ ./qltool run --rootfs examples/rootfs/x8664_linux examples/rootfs/x8664_linux/bin/x8664_args test1 test2 test3

Binary file and various output format:

$ ./qltool run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux --verbose disasm

Binary file and env:

$ ./qltool run -f examples/rootfs/x8664_linux/bin/tester --rootfs examples/rootfs/x8664_linux --env '{"LD_PRELOAD":"hijack.so"}' --verbose debug
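The --env option takes either a Pickle file (as in the UEFI example, where the file holds NVRAM variables) or a dictionary literal (as in the LD_PRELOAD example just above). The helper below is an added example, not part of Qiling or qltool: it writes an environment dictionary in the Pickle form and resolves an --env value both ways, so the value can be checked before it is handed to qltool. The function names write_env_pickle and load_env_arg are hypothetical, and the string form is parsed with ast.literal_eval here as an assumption; qltool's own parsing of the string form may differ.

```python
import ast
import os
import pickle
import tempfile


def write_env_pickle(path, env):
    """Serialise an environment dictionary into the Pickle form --env accepts.

    Only dictionaries are written, since that is what the option expects.
    """
    if not isinstance(env, dict):
        raise TypeError("environment must be a dict")
    with open(path, "wb") as fh:
        pickle.dump(env, fh)
    return path


def load_env_arg(arg):
    """Resolve a --env value the two ways the option table describes.

    An existing file path is unpickled; anything else is parsed as a
    dictionary literal. Assumption: ast.literal_eval is used so that only a
    plain literal is accepted, never an arbitrary expression. Unpickling
    executes code embedded in the file, so only load files you produced.
    """
    if os.path.isfile(arg):
        with open(arg, "rb") as fh:
            env = pickle.load(fh)
    else:
        try:
            env = ast.literal_eval(arg)
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"--env is neither a file nor a dict literal: {arg!r}") from exc
    if not isinstance(env, dict):
        raise TypeError(f"--env must evaluate to a dict, got {type(env).__name__}")
    return env


def demo():
    """Round-trip a constructed environment through both --env forms."""
    # Constructed sample, same shape as the LD_PRELOAD example on this page.
    literal = '{"LD_PRELOAD":"hijack.so"}'
    from_literal = load_env_arg(literal)
    with tempfile.TemporaryDirectory() as tmp:
        path = write_env_pickle(os.path.join(tmp, "env.pickle"), from_literal)
        from_file = load_env_arg(path)
    return from_literal, from_file


if __name__ == "__main__":
    print(demo())
```

The file written by write_env_pickle can be passed directly as `--env path/to/env.pickle`; the literal form is what the quoted `'{"LD_PRELOAD":"hijack.so"}'` argument above supplies.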