Sounds like a nice project, but the descriptions are a bit strange. First, it talks a bit about securing IoT, but then it goes on to say it supports emulating Windows, macOS, Linux, and FreeBSD? Second, on the comparisons page it lists a number of projects but seems to miss some of the most obvious competitors and instead compares itself to things that are related to binary emulation but not really relevant? For example, angr (disclaimer: I have worked with multiple people that contribute to and use the project heavily) does binary emulation as well (using Unicorn, no less; Nguyen Anh Quynh knows this because he gets contributions to the project, especially for the Python bindings, to keep angr working), has a number of loader backends, and has a bunch of fancy hooking and tracing features very similar to the ones mentioned here (among other things), all available through a Python API just like Qiling.

I would like to see a tool that combines "version control" and executable tracing, where you can take a snapshot of stack/heap and registers and allows you to move through each snapshot and see what changed, essentially allowing you to replay the execution instruction by instruction (with "proper" I/O result code/data simulation).

I know George Hotz was working on something like this before he got into the Comma AI thing and it really caught my eye, but I don't think there is anything out there that is "production ready" like say, IDA Pro or Ghidra or whatever.

Anyone know if such a tool exists? I imagine it would make mapping out vtables and such trivial.

Perhaps you're thinking of QIRA (https://qira.me)?

Yes - is there one for Windows by any chance?

Edit: This is the tool by George Hotz that I was referring to. I doubt it's really production ready given he likes to start and stop projects.

> I doubt it's really production ready given he likes to start and stop projects

A likely good strategy for success in startups is productizing projects started by George Hotz. :-P

Not that I know of. However, either Qiling or angr (which I mentioned in another comment) both have a fairly decent Python API, so while they are often used for binary emulation they are often not too hard to hook up in a way that might be useful to you.

How does this compare to angr?

Angr is a static analysis and symbolic execution framework. It contains many components. It's built around Valgrind's VEX IR and provides an API that allows for lifting binaries from various architectures to a common IL. Angr also provides libraries to aid in CFG recovery, concolic testing, and other program analysis techniques. Angr does not do software emulation and is used mostly for static analysis.

Qiling is almost entirely dynamic. Qiling provides an API that allows you to instrument and emulate binaries. It's an extra layer on top of Unicorn (a library that can emulate CPU instructions using QEMU). Qiling contains ELF/PE/etc loaders and kernel syscall emulation. Think of it as qemu-user but with a Python API allowing you to install hooks, set breakpoints, read/write to memory, etc...

I've had no trouble using angr on real binaries, including self-modifying binaries.

> [Qiling] is an extra layer on top of Unicorn (a library that can emulate CPU instructions using QEMU).

This is what is mostly confusing me -- angr has support for unicorn, so how is it different from angr's support of Unicorn?

Unicorn is a scriptable CPU emulator. What happens though when a program uses a system call? Qiling tries to fully emulate what the host (windows, linux, etc) should do. Emulating the systems an OS provides is not trivial. An OS provides networking, filesystem, loading a binary(ELF, PE, MachO) into memory, etc.

Using QEMU with full system emulation can do some of this, but you don't get the scriptable control and deep analysis capabilities of Unicorn.

angr, from what I gather, can be useful for targeting specific sections of code. If you've reversed a binary enough to know where to target, this is useful. For example, code such as as parsers which are typically complex and vulnerable or finding a specific input to reach a desired location (i.e. ctf challenges).

The problem qiling solves is that applications don't run in a vacuum, they are highly dependent on the OS they run on. Emulating each OS allows for dynamic analysis not possible with other frameworks. Some tools like Corellium provide great system emulation, but qiling has much better potential for analysis purposes.

The slides in the 'News' section of the page do good job of explaining in detail. https://www.qiling.io/docs/Qiling-NullCon2020.pdf

Certainly, angr is a very good framework.

My previous understanding is that angr uses unicorn for instruction emulation for symbolic execution. Although, I see they also have what they call a "simulation engine" that provides a similar interface to Qiling's and allows for setting breakpoints and poking around in memory. To your point, there is definitely overlap. Qiling is much more narrowly scoped, but I think Qiling has a better understanding of the OS. It can do syscall and I/O handling for Windows, Linux, and Mac binaries regardless of what host OS you are running.