Reverse Engineering

DBI with Qiling

DBI tool that can perform:

  • Emulation: Executes binary code step by step, replacing instructions.

  • Binary instrumentation: allows injection of user-specified code.

  • Cross-platform and cross-architectural analysis: analyze one architecture or OS on another.

  • Sandboxing: I/O is redirected to fake devices (files, sockets).

  • On raw binaries: used to analyze blobs from binary devices or shellcode.

Emulation

Syscalls and interrupts are implemented in Python.

  • The program calls syscall/interrupt.

  • Qiling invokes a handler in Python, which mimics a standard system.

  • Implementations can be overwritten by the user.

Host OS is never called, and the result is provided by Qiling.

  • Advantages:

    • Great control over the execution.

    • Great isolation.

  • Disadvantages:

    • Not all calls are implemented.

    • Behavior mimics an ideal system and may deviate from reality.

Instrumentation

Users can define hooks to trigger callbacks on an event.

  • Because an emulator is translating code in real time, instruction-level hooks are possible.

Example:

  • Code execution reaches a specific address.

  • An address is written or read.

  • A function is called or is leaving.

  • An instruction is executed.

Cross Platform and Cross Architecture

Binary code is emulated, allowing cross-architecture execution.

  • Target architecture instructions are compiled into native instructions.

Because all syscalls and interrupts are emulated, the host platform can differ from the target platform.

  • As Qiling is based on Unicorn (Qemu), a wide range of possibilities is available.

Loading an Elf

Qiling has several loaders:

  • MBR

  • PE, ELF, MachO

  • Unstructured binary (shellcode)

The loader will make code available to be emulated on secure rootfs.

  • Calls to interrupts and syscalls are implemented in Python.

Overriding a library function

Functions can be overridden with custom implementations:

  • Code can access arguments of basic types (Strings, Ints, Floats).

  • Inside a function, other external functions can be called.

  • An entire set of registries and memory can be manipulated.

  • Return is provided to the calling function to be emulated on a secure rootfs.

  • Calls to interrupts and syscalls are implemented in Python.

PreviousDynamic Binary Instrumentation (DBI)NextObfuscation Techniques

Last updated