Qiling Framework also provides a friendly tool named `qltool` to quickly emulate shellcode & executable binaries.
Commands

`qltool` has the following commands:

- `run`: to emulate a program binary
- `code`: to execute a shellcode excerpt
- `qltui`: to show a terminal user interface for qltool
- `examples`: to emit usage examples
Run Options

| Option name | Abbreviation | Arguments | Description |
|---|---|---|---|
| `--filename` | `-f` | filename | Binary filename to emulate |
| `--rootfs` | | dirname | Emulation root directory; this is where all libraries reside |
| `--args` | | ... | Emulated program command line arguments |
Notes:

- If `--filename` is not specified, the last argument will be considered as the program binary
- If `--args` is not specified, all trailing arguments will be considered as program command line arguments
Code Options

| Option name | Abbreviation | Arguments | Description |
|---|---|---|---|
| `--filename` | `-f` | filename | Input filename |
| `--input` | `-i` | hex | Input hex string; only relevant when `--format` is set to `hex` |
| `--format` | | `asm`, `hex`, `bin` | Specify file or input format: either an assembly, hex string or binary file |
| `--arch` | | `x86`, `x8664`, `arm`, `arm_thumb`, `arm64`, `mips`, `a8086`, `evm` | Target architecture |
| `--endian` | | `little`, `big` | Target endianness (default: `little`) |
| `--os` | | `linux`, `freebsd`, `macos`, `windows`, `uefi`, `dos`, `evm` | Target operating system |
Notes:

- When `--format` is set to `hex`, `qltool` will first look for data in `--input`. If no input string is specified, it will refer to the file specified in `--filename`
Common Options

| Option name | Abbreviation | Arguments | Description |
|---|---|---|---|
| `--verbose` | `-v` | `off`, `default`, `debug`, `disasm`, `dump` | Set logging verbosity level |
| `--env` | | filename | Path of a Pickle file containing an environment dictionary, or a Python string that evaluates to a dictionary |
| `--gdb` | `-g` | [server:port] | Enable gdb server |
| `--qdb` | | | Attach qdb at entry point. Currently supporting only MIPS and ARM (thumb mode) |
| `--rr` | | | Enable qdb record and replay feature; requires `--qdb` |
| `--profile` | | filename | Specify a profile file |
| `--no-console` | | | Do not emit program output to stdout |
| `--filter` | `-e` | regexp | Apply a filtering regexp on log output |
| `--log-file` | | filename | Emit log to file |
| `--log-plain` | | | Do not use colors in log output; useful when emitting log to a file |
| `--root` | | | Enable sudo required mode |
| `--debug-stop` | | | Stop emulation on first error; requires `--verbose` to be set to either `debug` or `dump` |
| `--multithread` | `-m` | | Execute program in multithread mode |
| `--timeout` | | microseconds | Set emulation timeout in microseconds (1000000μs = 1s) |
| `--coverage-file` | `-c` | filename | Code coverage output file |
| `--coverage-format` | | `drcov`, `drcov_exact` | Code coverage file format |
| `--json` | | | Emit an emulation report in JSON format |
qltui

A Terminal User Interface for `qltool`.

- Runs on top of `qltool`.
- Accepts data using an interface for the `run` and `code` commands.
- Returns an `argparse.Namespace` object back to `qltool` for execution.
- Interactive report viewer plus an option to save it as a PDF.

[Screenshot: qltui in action]
Examples

shellcode:

```
$ ./qltool code --os linux --arch arm --format hex -f examples/shellcodes/linarm32_tcp_reverse_shell.hex
$ ./qltool code --os linux --arch x86 --format asm -f examples/shellcodes/lin32_execve.asm
```

binary file:

```
$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --rootfs examples/rootfs/x8664_linux/
$ ./qltool run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux
```

UEFI file:

```
$ ./qltool run -f examples/rootfs/x8664_efi/bin/TcgPlatformSetupPolicy --rootfs examples/rootfs/x8664_efi --env examples/rootfs/x8664_efi/rom2_nvar.pickel
```

GDB debugger enable:

```
$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --gdb 127.0.0.1:9999 --rootfs examples/rootfs/x8664_linux
```

Binary file and argv:

```
$ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_args --rootfs examples/rootfs/x8664_linux --args test1 test2 test3
$ ./qltool run --rootfs examples/rootfs/x8664_linux examples/rootfs/x8664_linux/bin/x8664_args test1 test2 test3
```

Binary file and various output formats:

```
$ ./qltool run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux --verbose disasm
```

Binary file and env:

```
$ ./qltool run -f examples/rootfs/x8664_linux/bin/tester --rootfs examples/rootfs/x8664_linux --env '{"LD_PRELOAD":"hijack.so"}' --verbose debug
```
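The `--env` option accepts either an inline Python dictionary string, as in the command above, or a path to a Pickle file holding a dictionary, as in the UEFI example. The following helper, an added example that is not part of the Qiling project, builds such an environment dictionary, writes it in the Pickle form, reads it back and checks that it is a flat str-to-str mapping before it is handed to `qltool`. The baseline variables, the output file name and the `is_valid_env`/`roundtrip_env` helpers are constructed for this example; `ast.literal_eval` is used here for the inline form as a safer stand-in, and whether `qltool` itself uses `eval` or `literal_eval` is not stated on this page. Because `pickle.load` runs whatever code a Pickle stream contains, only load environment files you produced yourself.

```python
"""Build, serialize and validate an environment dict for qltool's --env option.

Added example (not Qiling project code). qltool accepts either a Pickle file
containing a dict or a Python string that evaluates to a dict; this helper
produces the Pickle form and parses the inline form without eval.
"""
import ast
import os
import pickle
import tempfile

# Constructed baseline; real runs would mirror the emulated target's environment.
BASELINE_ENV = {"PATH": "/bin:/usr/bin", "HOME": "/root"}


def is_valid_env(env) -> bool:
    """qltool expects a plain dict; keep it str -> str so it maps onto envp."""
    if not isinstance(env, dict):
        return False
    return all(isinstance(k, str) and isinstance(v, str) for k, v in env.items())


def build_env(**overrides: str) -> dict:
    """Return the constructed baseline plus per-run overrides (e.g. LD_PRELOAD)."""
    env = dict(BASELINE_ENV)
    env.update(overrides)
    return env


def write_env_pickle(env: dict, path: str) -> str:
    """Write env to a Pickle file usable as `--env <path>`; returns the path."""
    if not is_valid_env(env):
        raise ValueError("environment must be a dict of str -> str")
    with open(path, "wb") as fh:
        pickle.dump(env, fh, protocol=pickle.HIGHEST_PROTOCOL)
    return path


def read_env_pickle(path: str) -> dict:
    """Load a Pickle env file. Trusted input only: pickle executes embedded code."""
    with open(path, "rb") as fh:
        env = pickle.load(fh)
    if not is_valid_env(env):
        raise ValueError(f"{path} does not contain a str -> str dict")
    return env


def parse_env_literal(text: str) -> dict:
    """Parse the inline form, e.g. '{"LD_PRELOAD":"hijack.so"}', via literal_eval.

    literal_eval only accepts Python literals, so a string that would execute
    code under eval is rejected here instead of being run (assumption: qltool's
    own parsing strategy is not documented on this page).
    """
    env = ast.literal_eval(text)
    if not is_valid_env(env):
        raise ValueError("inline --env value must evaluate to a str -> str dict")
    return env


def roundtrip_env(env: dict, filename: str = "qltool_env.pickle") -> dict:
    """Write env to a temp Pickle file, read it back and return the loaded dict."""
    path = os.path.join(tempfile.gettempdir(), filename)
    write_env_pickle(env, path)
    return read_env_pickle(path)


if __name__ == "__main__":
    env = build_env(LD_PRELOAD="hijack.so")
    path = write_env_pickle(env, os.path.join(tempfile.gettempdir(), "qltool_env.pickle"))
    print("wrote", path, "->", read_env_pickle(path))
    print("equivalent inline form:", parse_env_literal('{"LD_PRELOAD":"hijack.so"}'))
    print("usage: ./qltool run -f <binary> --rootfs <rootfs> --env", path)
```

Run the script, then pass the printed path to `--env`; the same dictionary can be given inline in the single-quoted form shown in the example above.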
qltui:

```
$ ./qltool qltui
```