qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

Can I use threads to improve the efficiency of qiling? Is the effect significant? #1452

Closed zhao1xz closed 6 months ago

zhao1xz commented 6 months ago

Can I use threads to process the file execution of the exe executable in chunks, because a single thread is too slow? Currently I'm in the main thread and it takes about 2 hours to process a 50M program, of course this is due to py, I'd like to ask if there is any other way to improve its processing efficiency.

elicn commented 6 months ago

Well, Qiling is built on top of Unicorn, so this is really a Unicorn question. That said, I don't see how one can parallelize the emulation of a program that was not necessarily designed to be multi-threaded. Normal programs have a well-defined deterministic flow. How can you emulate a piece of a program that relies on initialization or calculations done in another part...?

zhao1xz commented 6 months ago

My program is special because it has a shell in the exe. I want to analyze its text section; it will definitely jump to the corresponding shell section. I simulate the result by calling the call of the shell section. Setting up the right environment is enough. For example, I've identified 5000 functions that are encrypted. Jumping to the encrypted shell, I want to divide the 5000 functions into 10 groups and calculate the results simultaneously. I need to use 10 threads to do this. Here's what I'm thinking.


zhao1xz commented 6 months ago

But it's not very effective. It took two hours before, now it takes an hour and a half.

wtdcode commented 6 months ago

The part that runs slowly is the usermode emulation by Qiling, which is hindered by the Python GIL, so you need multiprocessing to make it really faster.

Note unicorn itself drops GIL when doing emulation.

elicn commented 6 months ago

Start by removing the hook_code for live disassembled output. It will dramatically improve the run time.
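As an added illustration of the two pieces of advice above (processes instead of threads because of the GIL, and no `hook_code` disassembly), not code from the issue or from the Qiling project: the function addresses are dealt into groups, each worker process builds its own Qiling instance and emulates every function start in its group. The exe path, rootfs path, stop address, the list of function addresses and reading the result from EAX are all assumptions.

```python
# Added example (not from the issue thread or the Qiling project): split the
# encrypted function addresses into groups and emulate each group in its own
# process, so the Python GIL does not serialise Qiling's usermode emulation.
# Assumptions (not from the page): a 32-bit Windows PE at SAMPLE_EXE, a Qiling
# rootfs at ROOTFS, function start addresses FUNC_ADDRS, a STOP_ADDR where each
# decrypted function hands control back, and the result being left in EAX.
import multiprocessing as mp
from typing import Dict, List, Sequence, Tuple

SAMPLE_EXE = "/path/to/packed_sample.exe"                  # placeholder path
ROOTFS = "/path/to/qiling/rootfs/x86_windows"              # placeholder path
STOP_ADDR = 0x00401000                                     # placeholder address
FUNC_ADDRS = [0x00402000 + 0x40 * i for i in range(5000)]  # constructed list
NPROC = 10

def split_into_groups(addrs: Sequence[int], ngroups: int) -> List[List[int]]:
    """Deal the addresses round-robin into ngroups lists of near-equal size."""
    groups: List[List[int]] = [[] for _ in range(ngroups)]
    for i, addr in enumerate(addrs):
        groups[i % ngroups].append(addr)
    return [g for g in groups if g]

def emulate_group(task: Tuple[str, str, int, List[int]]) -> Dict[int, int]:
    """Worker: build a fresh Qiling instance inside this process (Unicorn state
    cannot be pickled or shared) and emulate every function start in the group."""
    exe, rootfs, stop_addr, group = task
    from qiling import Qiling            # imported lazily: only workers need it
    from qiling.const import QL_VERBOSE
    # verbose=OFF and no hook_code: live disassembly output is what makes runs slow
    ql = Qiling([exe], rootfs, verbose=QL_VERBOSE.OFF)
    results: Dict[int, int] = {}
    for addr in group:
        ql.run(begin=addr, end=stop_addr)          # run one decrypted function
        results[addr] = ql.arch.regs.read("eax")   # assumption: result left in EAX
    return results

def merge_results(parts: Sequence[Dict[int, int]]) -> Dict[int, int]:
    """Combine the per-process result maps into one address -> value map."""
    merged: Dict[int, int] = {}
    for part in parts:
        merged.update(part)
    return merged

def run_parallel(addrs: Sequence[int], nproc: int = NPROC) -> Dict[int, int]:
    tasks = [(SAMPLE_EXE, ROOTFS, STOP_ADDR, g) for g in split_into_groups(addrs, nproc)]
    with mp.Pool(processes=nproc) as pool:     # processes, not threads: each has its own GIL
        return merge_results(pool.map(emulate_group, tasks))

if __name__ == "__main__":
    print(f"emulated {len(run_parallel(FUNC_ADDRS))} functions")
```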

zhao1xz commented 6 months ago

Thank you very much, I used multiprocessing for my purpose.