In this segment we will take a sample code from the how to and try to execute according to our own. In this test, we will try to perform an simple addition and see how it goes. The below tutorial will be a very basic entry into the qiling framework where we will perform a simple addition.

addition#

To perform the addition, following code will be executed onto the CPU.

mov eax, 0x1
mov ebx, 0x3
add eax, ebx

The above code will be used to see whether we can perform addition on the our emulated CPU. This code has been converted to raw code from https://defuse.ca/online-x86-assembler.htm#disassembly [1]. From the site we can see the raw hex code shows B801000000BB0300000001D8.

from qiling import Qiling
from qiling.const import QL_VERBOSE

shellcode = bytes.fromhex('''B801000000BB0300000001D8''')
ql = Qiling(code=shellcode, archtype='x86', ostype='Linux', verbose=QL_VERBOSE.DISASM)
ql.run()

We can now for simplicity run the code in they ipython3 or use python script to run the code. The full log has been provided below:

In [3]: from qiling import Qiling
   ...: from qiling.const import QL_VERBOSE
   ...: 
   ...: shellcode = bytes.fromhex('''B801000000BB0300000001D8''')
   ...: ql = Qiling(code=shellcode, archtype='x86', ostype='Linux', verbose=QL_VERBOSE.DISASM)
   ...: ql.run()
[+] 	Profile: default
[+] 	Mapping GDT at 0x30000 with limit 0x1000
[=] 	011ff000 [[shellcode_stack]    + 0x1ff000]  b8 01 00 00 00       mov                  eax, 1
[=] 	011ff005 [[shellcode_stack]    + 0x1ff005]  bb 03 00 00 00       mov                  ebx, 3
[=] 	011ff00a [[shellcode_stack]    + 0x1ff00a]  01 d8                add                  eax, ebx
[+] 	
[+] 	syscalls called
[+] 	------------------------
[+] 	
[+] 	strings ocurrences
[+] 	------------------------

In [4]: ql.arch.regs.eax
Out[4]: 4

In [5]: ql.arch.regs.ebx
Out[5]: 3

As we can see the qiling framework successfully executed the provided assembly bytes and then stored the result in the eaxregister as expected.

reference#

source : https://docs.qiling.io/en/latest/howto/