QuarkslaB Dynamic binary Instrumentation (QBDI) is a modular, cross-platform and cross-architecture DBI framework. It aims to support Linux, macOS, Android, iOS and Windows operating systems running on x86, x86-64, ARM and AArch64 architectures.
Debuggers are a popular approach to analyze the execution of a binary. While those tools are convenient, they are also quite slow. This performance problem is imperceptible to human users but really takes its toll on automated tools trying to step through a complete program. The only way to get rid of the problem is to place the tool inside the binary being analyzed and this is what DBI does: injecting instrumentation code inside the binary at runtime.
Existing DBI frameworks were designed more than 15 years ago, focusing on features and platforms that made sense at the time. Mobile platform support is often unstable or missing, and instrumentation features are either simplistic or buried in low-level details. QBDI attempts to retain the interesting features of those frameworks while avoiding their pitfalls and bringing new designs and ideas to the table.
Instrumentation tools based on QBDI are compiled as dynamic libraries that can be loaded into the target process using any injection tool or technique.
For this purpose, a generic library allowing loader-based injection, QBDIPreload, is provided (currently supporting Linux and macOS).
Modularity stands for easy integration everywhere. pyQBDI brings together QBDIPreload and Python, permitting flexible and hassle-free instrumentation. QBDI is also fully integrated with Frida, a reference dynamic instrumentation toolkit, allowing anybody to use their combined powers to create custom reverse engineering tools.
Easy to use C/C++ APIs
Simple yet powerful injector
Full featured Frida bindings
Fun and flexible Python bindings
x86-64 and x86 support is mature (even if SIMD memory accesses are not yet reported). ARM support is a work in progress but is already sufficient to execute simple CLI programs like ls or cat. Thumb/Thumb-2 and AArch64 are under testing and planned for a future release.
A current limitation is that QBDI doesn't handle signals, multithreading (it doesn't deal with new thread creation) or C++ exception mechanisms.
However, those system-dependent features will probably not be part of the core library (KISS) and should be integrated as a new layer (how remains to be determined).
| CPU     | Operating Systems       | Execution                                 | Memory Access Information |
|---------|-------------------------|-------------------------------------------|---------------------------|
| x86-64  | Linux, macOS, Windows   | Supported                                 | Partial (only non-SIMD)   |
| x86     | Linux, macOS, Windows   | Supported                                 | Partial (only non-SIMD)   |
| ARM     | Linux, Android, iOS     | Partial. Thumb/Thumb-2 are under testing  | Under testing             |
| AArch64 | Linux, Android          | Under testing                             | Under testing             |