{"id":13484203,"url":"https://github.com/qilingframework/qiling","last_synced_at":"2025-05-13T15:10:26.494Z","repository":{"id":37396668,"uuid":"203799854","full_name":"qilingframework/qiling","owner":"qilingframework","description":"A True Instrumentable Binary Emulation Framework","archived":false,"fork":false,"pushed_at":"2025-05-06T02:27:20.000Z","size":75519,"stargazers_count":5410,"open_issues_count":95,"forks_count":742,"subscribers_count":124,"default_branch":"master","last_synced_at":"2025-05-06T03:27:49.202Z","etag":null,"topics":["analysis","binary","cross-architecture","emulator","framework","malware","qiling","reverse-engineering","uefi","unicorn-emulator","unicorn-engine"],"latest_commit_sha":null,"homepage":"https://qiling.io","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/qilingframework.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-08-22T13:22:15.000Z","updated_at":"2025-05-06T02:01:57.000Z","dependencies_parsed_at":"2022-07-08T16:47:12.712Z","dependency_job_id":"13196015-44e9-4e32-b448-a02eb5927325","html_url":"https://github.com/qilingframework/qiling","commit_stats":null,"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qilingframework%2Fqiling","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qilingframework%2Fqiling/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qilingframework%2Fqiling/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qilingframework%2Fqiling/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/qilingframework","download_url":"https://codeload.github.com/qilingframework/qiling/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253969247,"owners_count":21992263,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analysis","binary","cross-architecture","emulator","framework","malware","qiling","reverse-engineering","uefi","unicorn-emulator","unicorn-engine"],"created_at":"2024-07-31T17:01:20.573Z","updated_at":"2025-05-13T15:10:21.480Z","avatar_url":"https://github.com/qilingframework.png","language":"Python","readme":"[![Documentation Status](https://readthedocs.org/projects/qilingframework/badge/?version=latest)](https://docs.qiling.io)\n[![Downloads](https://pepy.tech/badge/qiling)](https://pepy.tech/project/qiling)\n[![Chat on Telegram](https://img.shields.io/badge/Chat%20on-Telegram-brightgreen.svg)](https://t.me/qilingframework)\n\n---\n\n\u003cp align=\"center\"\u003e\n\u003cimg width=\"150\" height=\"150\" src=\"https://raw.githubusercontent.com/qilingframework/qiling/master/docs/qiling2_logo_small.png\"\u003e\n\u003c/p\u003e\n\n[Qiling's use case, blog and related work](https://github.com/qilingframework/qiling/issues/134)\n\nQiling is an advanced binary emulation framework, with the following features:\n\n- Emulate multi-platforms: Windows, macOS, Linux, Android, BSD, UEFI, DOS, MBR.\n- Emulate multi-architectures: 8086, X86, X86_64, ARM, ARM64, MIPS, RISC-V, PowerPC.\n- Support multiple file formats: PE, Mach-O, ELF, COM, MBR.\n- Support Windows Driver (.sys), Linux Kernel Module (.ko) \u0026 macOS Kernel (.kext) via [Demigod](https://groundx.io/demigod/).\n- Emulates \u0026 sandbox code in an isolated environment.\n- Provides a fully configurable sandbox.\n- Provides in-depth memory, register, OS level and filesystem level API.\n- Fine-grain instrumentation: allows hooks at various levels\n  (instruction/basic-block/memory-access/exception/syscall/IO/etc.)\n- Provides virtual machine level API such as saving and restoring the current execution state.\n- Supports cross architecture and platform debugging capabilities.\n- Built-in debugger with reverse debugging capability.\n- Allows dynamic hot patch on-the-fly running code, including the loaded library.\n- True framework in Python, making it easy to build customized security analysis tools on top.\n\nQiling also made its way to various international conferences.\n\n2022:\n- [Black Hat, EU](https://www.blackhat.com/eu-22/arsenal/schedule/#reversing-mcu-with-firmware-emulation-29553)\n- [Black Hat, MEA](https://blackhatmea.com/node/724)\n\n2021:\n- [Black Hat, USA](https://www.blackhat.com/us-21/arsenal/schedule/index.html#bringing-the-x-complete-re-experience-to-smart-contract-24119)\n- [Hack In The Box, Amsterdam](https://conference.hitb.org/hitbsecconf2021ams/sessions/when-qiling-framework-meets-symbolic-execution/)\n- [Black Hat, Asia](https://www.blackhat.com/asia-21/arsenal/schedule/index.html#qiling-smart-analysis-for-smart-contract-22643)\n\n2020:\n- [Black Hat, Europe](https://www.blackhat.com/eu-20/arsenal/schedule/index.html#qiling-framework-deep-dive-into-obfuscated-binary-analysis-21781)\n- [Black Hat, USA](https://www.blackhat.com/us-20/arsenal/schedule/index.html#qiling-framework-from-dark-to-dawn-----enlightening-the-analysis-of-the-most-mysterious-iot-firmware--21062)\n- [Black Hat, USA (Demigod)](https://www.blackhat.com/us-20/briefings/schedule/#demigod-the-art-of-emulating-kernel-rootkits-20009)\n- [Black Hat, Asia](https://www.blackhat.com/asia-20/arsenal/schedule/index.html#qiling-lightweight-advanced-binary-analyzer-19245)\n- [Hack In The Box, Lockdown 001](https://conference.hitb.org/lockdown-livestream/)\n- [Hack In The Box, Lockdown 002](https://conference.hitb.org/hitb-lockdown002/virtual-labs/virtual-lab-qiling-framework-learn-how-to-build-a-fuzzer-based-on-a-1day-bug/)\n- [Hack In The Box, Cyberweek](https://cyberweek.ae/2020/lab-qiling-framework/)\n- [Nullcon](https://nullcon.net/website/goa-2020/speakers/kaijern-lau.php)\n    \n2019:\n\n- [DEFCON, USA](https://www.defcon.org/html/defcon-27/dc-27-demolabs.html#QiLing)\n- [Hitcon](https://hitcon.org/2019/CMT/agenda)\n- [Zeronights](https://zeronights.ru/report-en/qiling-io-advanced-binary-emulation-framework/)\n\n\nQiling is backed by [Unicorn Engine](http://www.unicorn-engine.org).\n\nVisit our [website](https://www.qiling.io) for more information.\n\n---\n#### License\n\nThis program is free software; you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation; either version 2 of the License, or\n(at your option) any later version.\n\n---\n\n#### Qiling vs. other Emulators\n\nThere are many open-source emulators, but two projects closest to Qiling\nare [Unicorn](http://www.unicorn-engine.org) \u0026 [QEMU user mode](https://qemu.org).\nThis section explains the main differences of Qiling against them.\n\n##### Qiling vs. Unicorn engine\n\nBuilt on top of Unicorn, but Qiling \u0026 Unicorn are two different animals.\n\n- Unicorn is just a CPU emulator, so it focuses on emulating CPU instructions,\n  that can understand emulator memory.\n  Beyond that, Unicorn is not aware of higher level concepts, such as dynamic\n  libraries, system calls, I/O handling or executable formats like PE, Mach-O\n  or ELF. As a result, Unicorn can only emulate raw machine instructions,\n  without Operating System (OS) context.\n- Qiling is designed as a higher level framework, that leverages Unicorn to\n  emulate CPU instructions, but can understand OS: it has executable format\n  loaders (for PE, Mach-O \u0026 ELF currently), dynamic linkers (so we can\n  load \u0026 relocate shared libraries), syscall \u0026 IO handlers. For this reason,\n  Qiling can run executable binary without requiring its native OS.\n\n##### Qiling vs. QEMU user mode\n\nQEMU user mode does a similar thing to our emulator, that is, to emulate whole\nexecutable binaries in a cross-architecture way. \nHowever, Qiling offers some important differences against QEMU user mode:\n\n- Qiling is a true analysis framework,\n  that allows you to build your own dynamic analysis tools on top (in Python).\n  Meanwhile, QEMU is just a tool, not a framework.\n- Qiling can perform dynamic instrumentation, and can even hot patch code at\n  runtime. QEMU does neither.\n- Not only working cross-architecture, Qiling is also cross-platform.\n  For example, you can run Linux ELF file on top of Windows.\n  In contrast, QEMU user mode only runs binary of the same OS, such as Linux\n  ELF on Linux, due to the way it forwards syscall from emulated code to\n  native OS.\n- Qiling supports more platforms, including Windows, macOS, Linux \u0026 BSD. QEMU\n  user mode can only handle Linux \u0026 BSD.\n\n---\n\n#### Installation\n\nPlease see [setup guide](https://docs.qiling.io/en/latest/install/) file for how to install Qiling Framework.\n\n---\n\n#### Examples\n\nThe example below shows how to use Qiling framework in the most\nstraightforward way to emulate a Windows executable.\n\n```python\nfrom qiling import Qiling\n\nif __name__ == \"__main__\":\n    # initialize Qiling instance, specifying the executable to emulate and the emulated system root.\n    # note that the current working directory is assumed to be Qiling home\n    ql = Qiling([r'examples/rootfs/x86_windows/bin/x86_hello.exe'], r'examples/rootfs/x86_windows')\n\n    # start emulation\n    ql.run()\n```\n\n- The following example shows how a Windows crackme may be patched dynamically\n  to make it always display the “Congratulation” dialog.\n\n```python\nfrom qiling import Qiling\n\ndef force_call_dialog_func(ql: Qiling):\n    # get DialogFunc address from current stack frame\n    lpDialogFunc = ql.stack_read(-8)\n\n    # setup stack memory for DialogFunc\n    ql.stack_push(0)\n    ql.stack_push(1001)     # IDS_APPNAME\n    ql.stack_push(0x111)    # WM_COMMAND\n    ql.stack_push(0)\n\n    # push return address\n    ql.stack_push(0x0401018)\n\n    # resume emulation from DialogFunc address\n    ql.arch.regs.eip = lpDialogFunc\n\n\nif __name__ == \"__main__\":\n    # initialize Qiling instance\n    ql = Qiling([r'rootfs/x86_windows/bin/Easy_CrackMe.exe'], r'rootfs/x86_windows')\n\n    # NOP out some code\n    ql.patch(0x004010B5, b'\\x90\\x90')\n    ql.patch(0x004010CD, b'\\x90\\x90')\n    ql.patch(0x0040110B, b'\\x90\\x90')\n    ql.patch(0x00401112, b'\\x90\\x90')\n\n    # hook at an address with a callback\n    ql.hook_address(force_call_dialog_func, 0x00401016)\n    ql.run()\n```\n\nThe below YouTube video shows how the above example works.\n\n#### Emulating ARM router firmware on Ubuntu x64 host\n\nQiling Framework hot-patches and emulates an ARM router's `/usr/bin/httpd` on\nan x86_64 Ubuntu host.\n\n[![Qiling Tutorial: Emulating and Fuzz ARM router firmware](https://github.com/qilingframework/theme.qiling.io/blob/master/source/img/fuzzer.jpg?raw=true)](https://www.youtube.com/watch?v=e3_T3KLh2NU)\n\n#### Qiling's IDA Pro Plugin: Instrument and Decrypt Mirai's Secret\n\nThis video demonstrates how Qiling's IDA Pro plugin can make IDA Pro run with\nQiling instrumentation engine.\n\n[![Qiling's IDA Pro Plugin: Instrument and Decrypt Mirai's Secret](http://img.youtube.com/vi/ZWMWTq2WTXk/0.jpg)](http://www.youtube.com/watch?v=ZWMWTq2WTXk)\n\n#### GDB server with IDA Pro demo\n\nSolving a simple CTF challenge with Qiling Framework and IDA Pro\n\n[![Solving a simple CTF challenge with Qiling Framework and IDA Pro](https://i.ytimg.com/vi/SPjVAt2FkKA/0.jpg)](https://www.youtube.com/watch?v=SPjVAt2FkKA)\n\n\n#### Emulating MBR\n\nQiling Framework emulates MBR\n\n[![Qiling DEMO: Emulating MBR](https://github.com/qilingframework/theme.qiling.io/blob/master/source/img/mbr.png?raw=true)](https://github.com/qilingframework/theme.qiling.io/blob/master/source/img/mbr.png?raw=true)\n\n---\n\n#### Qltool\n\nQiling also provides a friendly tool named `qltool` to quickly emulate shellcode \u0026 executable binaries.\n\nWith qltool, easy execution can be performed:\n\n\nWith shellcode:\n\n```\n$ ./qltool code --os linux --arch arm --format hex -f examples/shellcodes/linarm32_tcp_reverse_shell.hex\n```\n\nWith binary file:\n\n```\n$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --rootfs  examples/rootfs/x8664_linux/\n```\n\nWith binary and GDB debugger enabled:\n\n```\n$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --gdb 127.0.0.1:9999 --rootfs examples/rootfs/x8664_linux\n```\n\nWith code coverage collection (UEFI only for now):\n\n```\n$ ./qltool run -f examples/rootfs/x8664_efi/bin/TcgPlatformSetupPolicy --rootfs examples/rootfs/x8664_efi --coverage-format drcov --coverage-file TcgPlatformSetupPolicy.cov\n```\n\nWith JSON output (Windows, mainly):\n\n```\n$ ./qltool run -f examples/rootfs/x86_windows/bin/x86_hello.exe --rootfs  examples/rootfs/x86_windows/ --console False --json\n```\n---\n\n\n#### Contact\n\nGet the latest info from our website https://www.qiling.io\n\nContact us at email info@qiling.io,\nvia Twitter [@qiling_io](https://twitter.com/qiling_io).\n\n---\n\n#### Core developers, Key Contributors and etc.\n\nPlease refer to [CREDITS.md](https://github.com/qilingframework/qiling/blob/dev/CREDITS.md).\n","funding_links":[],"categories":["Python","By Industry","Tools","Resources","Tools :hammer:","其他_安全与渗透","Firmware Security","By Language","Software Tools","🛠️ General Tools"],"sub_categories":["Tools \u0026 Utilities","Dynamic Analysis Tools","By Purpose","网络服务_其他","Dynamic Analysis and Emulation","Python","Emulation Tools","🔬 Format Analysis \u0026 Reverse Engineering"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqilingframework%2Fqiling","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fqilingframework%2Fqiling","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqilingframework%2Fqiling/lists"}