QuarkslaB Dynamic binary Instrumentation (QBDI) is a modular, cross-platform and cross-architecture DBI framework. It aims to support Linux, macOS, Android, iOS and Windows operating systems running on x86, x86-64, ARM and AArch64 architectures. Information about what is a DBI framework and how QBDI works can be found in the user documentation introduction.
QBDI modularity means it doesn’t contain a preferred injection method and it is designed to be used in conjunction with an external injection tool. QBDI includes a tiny (
LD_PRELOAD based) Linux and macOS injector for dynamic executables (QBDIPreload), which acts as the foundation for our Python bindings (pyQBDI). QBDI is also fully integrated with Frida, a reference dynamic instrumentation toolkit, allowing anybody to use their combined powers.
x86-64 support is mature (even if SIMD memory access are not yet reported). ARM architecture is a work in progress but already sufficient to execute simple CLI program like ls or cat. x86 and AArch64 are planned, but currently unsupported.
A current limitation is that QBDI doesn’t handle signals, multithreading (it doesn’t deal with new threads creation) and C++ exception mechanisms. However, those system-dependent features will probably not be part of the core library (KISS), and should be integrated as a new layer (to be determined how).
Debuggers are a popular approach to analyze the execution of a binary. While those tools are convenient, they are also quite slow. This performance problem is imperceptible to human users but really takes its toll on automated tools trying to step through a complete program. The only way to get rid of the problem is to place the tool inside the binary being analyzed and this is what DBI does: injecting instrumentation code inside the binary at runtime.
To build this project the following dependencies are needed on your system: cmake, make (for Linux and macOS), ninja (for Android), Visual Studio (for Windows) and a C++11 toolchain for the platform of your choice.
The compilation is a two-step process:
- A local binary distribution of the dependencies is built.
- QBDI is built using those binaries.
The current dependencies which need to be built are LLVM and Google Test. This local built of LLVM is required because QBDI uses private APIs not exported by regular LLVM installations and because our code is only compatible with a specific version of those APIs. This first step is cached and only needs to be run once, subsequent builds only need to repeat the second step.
QBDI build system relies on CMake and requires to pass build configuration flags. To help with this step we provide shell scripts for common build configurations which follow the naming pattern
config-OS-ARCH.sh. Modifying these scripts is necessary if you want to compile in debug or cross compile QBDI.
Create a new directory at the root of the source tree, and execute the linux configuration script:
mkdir build cd build ../cmake/config-linux-X86_64.sh
If the build script warns you of missing dependencies for your platform (in the case of a first compilation), or if you want to rebuild them, execute the following commands:
make llvm make gtest
This will rebuild the binary distribution of those dependencies for your platform. You can then relaunch the configuration script from above and compile:
../cmake/config-linux-X86_64.sh make -j4