Installation guide

Qiling Framework works on different operating systems and is not limited to any CPU architecture.

This installation guide uses Ubuntu desktop 18.04.3 LTS 64-bit as the base example. Grab a copy of the official Ubuntu ISO images from the Ubuntu CD mirrors. Update the system and install pip3, git and cmake:

sudo apt-get update
sudo apt-get upgrade
sudo apt install python3-pip git cmake

Once completed, clone a copy of the Qiling Framework source from GitHub and run setup to install it:

git clone https://github.com/qilingframework/qiling
cd qiling
sudo pip3 install -r requirements.txt
sudo python3 setup.py install 

Important note on Windows DLLs and registry

Due to distribution restrictions, Qiling Framework does not bundle Microsoft Windows DLL files and registry. Please copy the respective DLLs and registry from a Microsoft Windows system, usually found in C:\Windows\system32, and place them in $rootfs/dlls.

Refer to DLLX86.txt for Windows 32-bit DLL hashes and file versions.

Refer to DLLX8664.txt for Windows 64-bit DLL hashes and file versions.
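Copied DLLs can be checked against those hash lists before they are used as an emulation rootfs. The script below is an added example, not part of Qiling Framework: the manifest layout (one "<hex digest> <file name>" pair per line), the digest algorithm inferred from digest length, and the function names are assumptions, so adapt parse_manifest to the actual layout of DLLX86.txt and DLLX8664.txt.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed manifest line: "<hex digest> <file name>" (not taken from DLLX86.txt).
LINE = re.compile(r"^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\s+\*?(\S+)$", re.I)
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_manifest(text):
    """Return {lowercased file name: lowercased digest}; other lines are skipped."""
    expected = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            expected[m.group(2).lower()] = m.group(1).lower()
    return expected


def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_dlls(dll_dir, manifest_text):
    """Sort manifest entries into ok / mismatch / missing, plus unlisted files."""
    expected = parse_manifest(manifest_text)
    # Windows file names are case-insensitive, so index the directory that way.
    present = {p.name.lower(): p for p in Path(dll_dir).iterdir() if p.is_file()}
    report = {"ok": [], "mismatch": [], "missing": [],
              "unlisted": sorted(set(present) - set(expected))}
    for name, digest in sorted(expected.items()):
        if name not in present:
            report["missing"].append(name)
        elif file_digest(present[name], ALGO_BY_LENGTH[len(digest)]) == digest:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    return report


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample, not a real DLL
        Path(d, "KERNEL32.DLL").write_bytes(b"constructed sample")
        manifest = hashlib.sha256(b"constructed sample").hexdigest() + "  kernel32.dll"
        print(check_dlls(d, manifest))
```

A file reported under mismatch or unlisted is a different build from the one the list describes and should be replaced before analysis results are compared.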

To export the Windows registry from Windows:

ntuser hive: C:\Users\Default\NTUSER.DAT
reg save hklm\system SYSTEM
reg save hklm\security SECURITY
reg save hklm\software SOFTWARE
reg save hklm\SAM SAM

Installation notes on macOS >= 10.14

Keystone-engine compilation from py-pip fails (on Mojave at least) because the i386 architecture is deprecated on macOS.

CMake Error at /usr/local/Cellar/cmake/3.15.4/share/cmake/Modules/CMakeTestCCompiler.cmake:60 (message):
  The C compiler

    "/Library/Developer/CommandLineTools/usr/bin/cc"

  is not able to compile a simple test program.

  It fails with the following output:

A temporary workaround is to install keystone-engine from source:

  • Remove keystone-engine>=0.9.1.post3 line from requirements.txt
  • Install keystone-engine Python binding from source:
    git clone https://github.com/keystone-engine/keystone
    cd keystone
    mkdir build
    cd build
    ../make-share.sh
    cd ../bindings/python
    sudo make install
    

Once the workaround installation is complete, run the Qiling Framework setup.


Setting up the Qiling Framework docker container

If a quick and easy way to deploy Qiling Framework is preferred, run it in a docker container.

Building Qiling Framework docker image

Build the Qiling Framework docker image by running the command below within the source directory.

docker build -t qiling:1.0 .

Running Qiling Framework docker with a bind mount

The required DLLs can be bind-mounted into the Qiling Framework container. This example presumes the DLLs are located in /analysis/win.

docker run -dt --name qiling \
 -v /analysis/win/x86dlls:/qiling/examples/rootfs/x86_windows/dlls \
 -v /analysis/win/x8664dlls:/qiling/examples/rootfs/x8664_windows/dlls \
 qiling:1.0
docker exec -it qiling bash