explaingit

qilingframework/qiling

5,919PythonAudience · researcherComplexity · 4/5LicenseSetup · hard

TLDR

Qiling is a Python framework that runs Windows, Android, and embedded firmware binaries on any platform by emulating their OS environment, with hooks for watching or changing program behavior at runtime for security research.

Mindmap

mindmap
  root((Qiling))
    What it does
      Emulates binaries
      Mimics OS environments
      Runtime instrumentation
    Supported platforms
      Windows
      Android
      Embedded firmware
      Linux BSD UEFI
    Tech stack
      Python
      Unicorn Engine
    Use cases
      Malware analysis
      Firmware research
      Binary patching
      Custom analysis tools
    Audience
      Security researchers
      Reverse engineers
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Things people build with this

USE CASE 1

Run a Windows binary on Linux without a VM and hook its system calls to log every file or network operation it performs

USE CASE 2

Analyze router firmware built for an ARM chip on an x86 machine by emulating its full OS execution environment

USE CASE 3

Intercept and patch a binary's behavior at runtime using Python hooks without modifying the original file

USE CASE 4

Build a custom automated analysis tool for unknown binaries by writing Python scripts on top of Qiling's instrumentation API

Tech stack

PythonUnicorn Engine

Getting it running

Difficulty · hard Time to first run · 1h+

Requires installing Unicorn Engine and the OS-specific library files for each target environment you want to emulate, which varies by platform.

Open source under the GNU GPL, you can use and modify it freely, but any software you distribute that includes it must also be released under GPL.

In plain English

Qiling is a framework that can run executable programs from one operating system or chip architecture on a completely different one, without needing the original environment. You can take a Windows program, an Android binary, or router firmware built for an ARM chip and run it on a Linux machine with an Intel processor. The framework understands the file formats those programs use, mimics the operating system functions they call, and handles how they load supporting libraries, so the program behaves as if it were running on its native system. Beyond basic execution, Qiling is designed as a tool for security research and analysis. It lets you insert hooks into a running program at the level of individual CPU instructions, memory reads and writes, system calls, or specific code addresses. This means you can watch exactly what a program does at each step, modify its behavior on the fly, or patch code without changing the original file. The README shows an example of using Qiling to intercept a Windows crackme program and force it to display its success dialog regardless of what password the user typed, all from a short Python script. The project is written in Python and is intended to serve as a foundation for building your own custom analysis tools rather than just being a standalone application. It supports Windows, macOS, Linux, Android, BSD, UEFI, DOS, and more, across processor architectures including x86, ARM, MIPS, RISC-V, and PowerPC. A built-in debugger with reverse debugging support is also included. Qiling is built on top of the Unicorn Engine, which handles the low-level CPU instruction emulation. The key distinction is that Unicorn only emulates raw instructions with no knowledge of operating systems, while Qiling adds a full understanding of OS concepts on top of that. It is also more capable than QEMU user mode in that it works cross-platform (not just cross-architecture) and supports dynamic instrumentation and runtime patching. The project is open-source and distributed under the GNU General Public License.

Copy-paste prompts

Prompt 1
Using Qiling, write a Python script that loads a Windows PE executable and hooks all file-open system calls to log every filename it accesses
Prompt 2
How do I use Qiling to emulate ARM router firmware on an x86 Linux machine and intercept its network socket calls?
Prompt 3
Using Qiling's memory hook API, write a script that patches a binary at runtime to always return true from a license-check function without touching the file
Prompt 4
How do I use Qiling's built-in debugger to step through a MIPS binary and inspect register values at each instruction?
Open on GitHub → Explain another repo

← qilingframework on gitmyhub — every repo by this author, as a profile.

Verify against the repo before relying on details.