麒麟框架使用--官方示例

安装

1
sudo pip3 install qiling

另外如果需要在windows上面执行Linux程序的话,需要copy windows的dll到linux,并且需要写一个登记

官方文档说明:
https://docs.qiling.io/en/latest/install/

对于常用dll,直接执行examples/scripts/dllcollector.bat就可以copy了

  1. 在linux上面模拟windows执行环境
1
2
3
4
5
6
7
8
9
10
11
12
13
14

from qiling import *

# sandbox to emulate the EXE
def my_sandbox(path, rootfs):
    # setup Qiling engine
    ql = Qiling(path, rootfs)
    # now emulate the EXE
    ql.run()

if __name__ == "__main__":
    # execute Windows EXE under our rootfs
    my_sandbox(["examples\\rootfs\\x86_windows\\bin\\x86_hello.exe"], "examples/rootfs/x86_windows")

  1. patch程序
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
from qiling import *

def force_call_dialog_func(ql):
    # get DialogFunc address
    lpDialogFunc = ql.unpack32(ql.mem.read(ql.reg.esp - 0x8, 4))
    # setup stack memory for DialogFunc
    ql.stack_push(0)
    ql.stack_push(1001)
    ql.stack_push(273)
    ql.stack_push(0)
    ql.stack_push(0x0401018)
    # force EIP to DialogFunc
    ql.reg.eip = lpDialogFunc


def my_sandbox(path, rootfs):
    ql = Qiling(path, rootfs)
    # NOP out some code
    ql.patch(0x004010B5, b'\x90\x90')
    ql.patch(0x004010CD, b'\x90\x90')
    ql.patch(0x0040110B, b'\x90\x90')
    ql.patch(0x00401112, b'\x90\x90')
    # hook at an address with a callback
    ql.hook_address(force_call_dialog_func, 0x00401016)
    ql.run()


if __name__ == "__main__":
    my_sandbox(["rootfs/x86_windows/bin/Easy_CrackMe.exe"], "rootfs/x86_windows")
  1. 模拟gdbserver

演示程序地址
https://github.com/mzfr/ctf-writeups/tree/master/xiomara-2019/Reversing/Elf_basic

1
2
3
4
5
6
from qiling import *

if __name__=='__main__':
    ql = Qiling(['examples/rootfs/x8664_linux/bin/AnokhREV'],'examples/rootfs/x8664_linux',output='default')
    ql.gdb = '0.0.0.0:9999'
    ql.run()

这个例子不知道为何跑起来之后gdb并没有阻塞

  1. qltool例子