qilingframework / qiling

A True Instrumentable Binary Emulation Framework
https://qiling.io
GNU General Public License v2.0

Possibility to execute from memory snapshot #375

Closed shakamd closed 4 years ago

shakamd commented 4 years ago

Thank you for the great project!

I am investigating the possibility of resuming process execution in qiling given an intermediate memory context (dump of all memory pages + registers) from a live system. There is a lot of code here that can handle the required OS primitives (i.e. I/O, syscalls, tls) and I was wondering if you had any tips on how it could be reused to allow a process to continue executing from a context dump. More specifically, are there any items required that cannot be retrieved from the live system first and given to qiling (e.g. getting necessary info to setup GDT) to make this possible?

xwings commented 4 years ago

It's tricky. We can surely resume from a Qiling process. But from a live system it's gonna be tricky. You need to at least fulfill these 3 things:

  1. CPU Context
  2. MEM
  3. Register

Technically, if you can convert to Qiling format, then it's possible.

xwings commented 4 years ago

We got it working, so case closed.

https://docs.qiling.io/en/latest/snapshot/
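The three items listed above (CPU context, memory, registers) are exactly what a live-system dump has to be turned into before Qiling can resume it. The following is an added example written for this thread, not code from the Qiling project or the linked docs: it takes a constructed page-plus-register dump, coalesces the pages into regions, refuses to build a snapshot whose pointer registers land in memory that was never captured (the usual cause of an immediate unmapped-memory fault on resume), and assembles a saved-states dict. The dict layout (`reg` mapping names to values; `mem` with a `ram` list of `(lbound, ubound, perm, label, data)` tuples and an `mmio` list), the pickle serialization, and the `Qiling(code=...)`, `ql.restore(saved_states=...)` and `ql.run(begin=..., end=...)` calls in `resume_in_qiling` are assumptions about the Qiling API as documented at the snapshot page; check them against the version you run.

```python
"""Turn a live-system dump (memory pages + registers) into the kind of
saved-states dict that Qiling's restore() consumes, and check it first.

Added example, not code from the Qiling project. The dump format below is
constructed for illustration. The returned dict layout mirrors what ql.save()
returns as far as I know and is an assumption: verify it against
https://docs.qiling.io/en/latest/snapshot/ for your Qiling version.
"""
import pickle
from typing import Dict, List, Tuple

PAGE = 0x1000

# Unicorn/Qiling protection bits: UC_PROT_READ=1, UC_PROT_WRITE=2, UC_PROT_EXEC=4.
PERM_BITS = {"r": 1, "w": 2, "x": 4}

# Constructed sample dump (not from any real process): two adjacent
# executable pages and one stack page, plus registers pointing into them.
SAMPLE_PAGES: List[Tuple[int, str, bytes]] = [
    (0x400000, "r-x", b"\x90" * PAGE),
    (0x401000, "r-x", b"\x90" * PAGE),
    (0x7FFFF000, "rw-", b"\x00" * PAGE),
]
SAMPLE_REGS: Dict[str, int] = {"rip": 0x401010, "rsp": 0x7FFFF800, "rbp": 0x7FFFFA00}


def perms_to_bits(perms: str) -> int:
    """'r-x' -> 5, 'rw-' -> 3."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def merge_pages(pages):
    """Coalesce adjacent pages with identical permissions into regions of
    (lbound, ubound, perm_bits, data); fewer, larger regions match how the
    emulator tracks mappings."""
    regions = []
    for base, perms, data in sorted(pages, key=lambda p: p[0]):
        bits = perms_to_bits(perms)
        if regions and regions[-1][1] == base and regions[-1][2] == bits:
            lb, _, _, prev = regions[-1]
            regions[-1] = (lb, base + len(data), bits, prev + data)
        else:
            regions.append((base, base + len(data), bits, data))
    return regions


def unbacked_pointers(regs, regions, pointer_regs=("rip", "rsp", "rbp")):
    """Names of pointer-like registers whose target lies outside every dumped
    region. The page existed on the live system but was not captured, so the
    resumed process would fault on its first access. TLS segment bases (fs/gs)
    deserve the same check; their names follow the Qiling arch register map,
    so they are left out of the default list here."""
    return [
        name for name in pointer_regs
        if name in regs and not any(lb <= regs[name] < ub for lb, ub, _, _ in regions)
    ]


def build_saved_states(regs, pages):
    """Assemble the saved-states dict, refusing one that would fault on resume."""
    regions = merge_pages(pages)
    missing = unbacked_pointers(regs, regions)
    if missing:
        raise ValueError(f"registers point outside dumped memory: {missing}")
    ram = [(lb, ub, perm, "live-dump", data) for lb, ub, perm, data in regions]
    return {"reg": dict(regs), "mem": {"ram": ram, "mmio": []}}


def snapshot_roundtrip(saved):
    """Serialize the way a Qiling snapshot file does (pickle, assumed) and
    confirm it comes back identical; catches non-picklable values early."""
    return pickle.loads(pickle.dumps(saved)) == saved


def resume_in_qiling(saved, end, rootfs):
    """Hand the dict to Qiling and continue from the dumped PC until `end`.
    Assumed API: shellcode-mode constructor (placeholder code is replaced by
    the restored memory map), restore()/run() keyword names per docs.qiling.io.
    Not executed by this example."""
    from qiling import Qiling
    from qiling.const import QL_ARCH, QL_OS

    ql = Qiling(code=b"\xc3", rootfs=rootfs, archtype=QL_ARCH.X8664, ostype=QL_OS.LINUX)
    ql.restore(saved_states=saved)
    ql.run(begin=saved["reg"]["rip"], end=end)


if __name__ == "__main__":
    saved = build_saved_states(SAMPLE_REGS, SAMPLE_PAGES)
    print(f"{len(saved['mem']['ram'])} regions, pickle round-trip ok: {snapshot_roundtrip(saved)}")
```

The pointer check is the part worth keeping even if the dict layout changes: whatever the snapshot format, a register that points at a page you did not dump is the item "that cannot be retrieved" after the fact, and it is cheaper to detect that while you still have the live system than to debug an unmapped-memory stop in the emulator.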