# DBI with Qiling

DBI tool that can perform:

* **Emulation:** Executes binary code step by step, replacing instructions.
* **Binary instrumentation:** allows injection of user-specified code.
* **Cross-platform and cross-architectural analysis:** analyze one architecture or OS on another.
* **Sandboxing:** I/O is redirected to fake devices (files, sockets).
* **On raw binaries:** used to analyze blobs from binary devices or shellcode.

## Emulation

Syscalls and interrupts are implemented in Python.

* The program calls syscall/interrupt.
* Qiling invokes a handler in Python, which mimics a standard system.
* Implementations can be overwritten by the user.

Host OS is never called, and the result is provided by Qiling.

* Advantages:
  * Great control over the execution.
  * Great isolation.
* Disadvantages:
  * Not all calls are implemented.
  * Behavior mimics an ideal system and may deviate from reality.

## Instrumentation

Users can define hooks to trigger callbacks on an event.

* Because an emulator is translating code in real time, instruction-level hooks are possible.

Example:

* Code execution reaches a specific address.
* An address is written or read.
* A function is called or is leaving.
* An instruction is executed.

## Cross Platform and Cross Architecture

Binary code is emulated, allowing cross-architecture execution.

* Target architecture instructions are compiled into native instructions.

Because all syscalls and interrupts are emulated, the host platform can differ from the target platform.

* As Qiling is based on Unicorn (Qemu), a wide range of possibilities is available.

## Loading an Elf

<figure><img src="/files/28SDhWGDbwwM68xXBYDE" alt=""><figcaption></figcaption></figure>

Qiling has several loaders:

* MBR
* PE, ELF, MachO
* Unstructured binary (shellcode)

The loader will make code available to be **emulated** on secure **rootfs**.

* Calls to interrupts and syscalls are implemented in Python.

<figure><img src="/files/RZvKh95nXXLNGRUbOYdm" alt=""><figcaption></figcaption></figure>

## Overriding a library function

<figure><img src="/files/zXvfG4CGtX0FhBvlJU8J" alt=""><figcaption></figcaption></figure>

Functions can be overridden with custom implementations:

* Code can access arguments of basic types (Strings, Ints, Floats).
* Inside a function, other external functions can be called.
* An entire set of registries and memory can be manipulated.
* Return is provided to the calling function to be emulated on a secure rootfs.
* Calls to interrupts and syscalls are implemented in Python.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://davidjosearaujo.gitbook.io/notes-mcs/reverse-engineering/emulation-and-instrumentation/dbi-with-qiling.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.