
Qiling Emulation: Save called APIs info and their params


I am new to Qiling, and it is a great tool. The information I need is being printed in the logs, but I am unable to find any method to access that information. I need the functions called by a PE during emulation and their params too. Example logs:

[=] RegOpenKeyW(hKey = "HKEY_CURRENT_USER", lpSubKey = "Software",phkResult = 0xffffcfd0) = 0x0
[=] lstrlenW(lpString = "123123") = 0x6
[=] RegSetValueExW(hKey = "HKEY_CURRENT_USER\Software", lpValueName = "TEST_KEY", Reserved = 0, dwType = 0x1, lpData = 0x40215c, cbData = 0xe) = 0x0
[=] lstrlenW(lpString = "2333333") = 0x7
[=] RegSetValueExW(hKey = "HKEY_CURRENT_USER\Software", lpValueName = "TEST_KEY_2", Reserved = 0, dwType = 0x1, lpData = 0x402180, cbData = 0x10) = 0x0
[=] RegDeleteValueW(hKey ="HKEY_CURRENT_USER\Software", lpValueName = "TEST_KEY") = 0x0
[=] exit(status = 0)

I get the required function calls, e.g. RegOpenKeyW, and their params, i.e. hKey, in the logs. My question is: is there any method that can give me all this information in a defined JSON method, as parsing this text will be difficult and I don't want to write a parser if there is some method defined for this. My code is:

import os
import argparse
from qiling import Qiling

def main(argv: list, rootfs: str):
    # Qiling takes the target as an argv list (program path first) plus the rootfs path.
    qil = Qiling(argv, rootfs)
    qil.run()
    print("[+] Successfully emulated the binary.")

if __name__ == "__main__":

    parser = argparse.ArgumentParser(description='DARTS Emulator')
    parser.add_argument('input_file', help="Input binary file.")
    parser.add_argument('-r', '--rootfs', help="Qiling RootFS path")
    args = vars(parser.parse_args())

    qiling_rootfs = args['rootfs']

    # Default to the x86 Windows rootfs shipped in Qiling's examples directory.
    if not qiling_rootfs:
        qiling_rootfs = os.path.join(os.getcwd(), "examples", "rootfs", "x86_windows")

    bin_file = args['input_file']

    print(f">> ROOTFS      : {qiling_rootfs}")
    print(f">> Binary      : {bin_file}")

    main([bin_file], qiling_rootfs)

I have tried the report.generate_report(qil) method, but it doesn't give the necessary info.


Solution

  • All OS instances have a stats object that logs this type of information; specifically, Windows has a stats object of type QlWinStats. The summary is printed by default once emulation ends and verbosity is set to DEBUG.

    You can always print it yourself with:

    for entry in ql.os.stats.summary():
        print(entry)

    or export everything as JSON simply enough by accessing the stats members directly.
    Credit: https://github.com/qilingframework/qiling/issues/1605#issuecomment-3616261605
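
If the printed summary() lines are all you have, they can still be turned into JSON records. The following is an added example, not code from the issue thread or from Qiling itself: it parses the `Name(param = value, ...) = retval` shape shown in the question's logs (the trailing `= retval` is optional, as with exit) and runs on constructed sample lines copied from the question.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Outer shape of one summary line as printed in the question:
#   [=] Name(param = value, ...) = retval     (the "= retval" tail is optional)
_CALL_RE = re.compile(
    r'^\s*(?:\[=\]\s*)?(?P<name>\w+)\((?P<params>.*)\)(?:\s*=\s*(?P<ret>\S+))?\s*$'
)
# One "key = value" pair; quoted strings may contain commas, so they are matched first.
_PARAM_RE = re.compile(r'(?P<key>\w+)\s*=\s*(?P<val>"[^"]*"|[^,]+)')

def parse_value(raw: str) -> Any:
    """Turn a printed value into a JSON-friendly type."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]          # quoted string, backslashes kept as printed
    try:
        return int(raw, 0)        # 0x... hex or plain decimal
    except ValueError:
        return raw                # anything else stays a string

def parse_call(line: str) -> Optional[Dict[str, Any]]:
    """Parse one API-call line; returns None for lines that are not calls."""
    m = _CALL_RE.match(line)
    if not m:
        return None
    params = {p.group('key'): parse_value(p.group('val'))
              for p in _PARAM_RE.finditer(m.group('params'))}
    ret = parse_value(m.group('ret')) if m.group('ret') is not None else None
    return {'api': m.group('name'), 'params': params, 'retval': ret}

def parse_calls(lines: List[str]) -> List[Dict[str, Any]]:
    """Keep every line that parses as a call, in emulation order."""
    return [r for r in map(parse_call, lines) if r is not None]

def calls_to_json(lines: List[str]) -> str:
    return json.dumps(parse_calls(lines), indent=2)

# Constructed sample: the lines from the question, one call per line.
SAMPLE_LOG = [
    '[=] RegOpenKeyW(hKey = "HKEY_CURRENT_USER", lpSubKey = "Software",phkResult = 0xffffcfd0) = 0x0',
    '[=] lstrlenW(lpString = "123123") = 0x6',
    '[=] RegSetValueExW(hKey = "HKEY_CURRENT_USER\\Software", lpValueName = "TEST_KEY", Reserved = 0, dwType = 0x1, lpData = 0x40215c, cbData = 0xe) = 0x0',
    '[=] RegDeleteValueW(hKey ="HKEY_CURRENT_USER\\Software", lpValueName = "TEST_KEY") = 0x0',
    '[=] exit(status = 0)',
]

if __name__ == '__main__':
    print(calls_to_json(SAMPLE_LOG))
```

Feeding it the entries yielded by ql.os.stats.summary() instead of SAMPLE_LOG gives the same records for a real run, assuming the entries keep the format the question shows.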