qltool CLI
Command-line tool for quick binary and shellcode emulation.
Commands
| Command | Description |
|---|---|
| run | Emulate a program binary |
| code | Execute shellcode |
| qltui | Terminal UI for qltool |
| examples | Print usage examples |
run Options
| Option | Short | Argument | Description |
|---|---|---|---|
| --filename | -f | filename | Binary to emulate |
| --rootfs | | dirname | Emulation root directory |
| --args | | … | Program command line arguments |
- If `--filename` is omitted: the last argument is treated as the binary
- If `--args` is omitted: all trailing arguments are treated as program args
code Options
| Option | Short | Argument | Description |
|---|---|---|---|
| --filename | -f | filename | Input file |
| --input | -i | hex | Hex string input (when --format hex) |
| --format | | asm/hex/bin | Input format |
| --arch | | x86, x8664, arm, arm_thumb, arm64, mips, a8086, evm | Target architecture |
| --endian | | little/big | Endianness (default: little) |
| --os | | linux, freebsd, macos, windows, uefi, dos, evm | Target OS |
When `--format` is `hex`, the shellcode is read from `--input` first, falling back to `--filename`.
Common Options
| Option | Short | Argument | Description |
|---|---|---|---|
| --verbose | -v | off/default/debug/disasm/dump | Logging verbosity |
| --env | | filename | Pickle file or Python dict string for environment |
| --gdb | -g | [server:port] | Enable GDB server |
| --qdb | | | Attach Qdb at entry point (MIPS/ARM thumb only) |
| --rr | | | Enable record-and-replay (requires --qdb) |
| --profile | | filename | Profile file path |
| --no-console | | | Suppress program stdout |
| --filter | -e | regexp | Filter log output by regex |
| --log-file | | filename | Write log to file |
| --log-plain | | | No color in log output |
| --root | | | Enable sudo-required mode |
| --debug-stop | | | Stop on first error (requires debug/dump verbose) |
| --multithread | -m | | Multi-threaded emulation |
| --timeout | | microseconds | Emulation timeout (1000000μs = 1s) |
| --coverage-file | -c | filename | Coverage output file |
| --coverage-format | | drcov/drcov_exact | Coverage file format |
| --json | | | Emit JSON emulation report |
Examples
```bash
# Shellcode from hex file
./qltool code --os linux --arch arm --format hex -f examples/shellcodes/linarm32_tcp_reverse_shell.hex

# Shellcode from assembly file
./qltool code --os linux --arch x86 --format asm -f examples/shellcodes/lin32_execve.asm

# Binary emulation
./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --rootfs examples/rootfs/x8664_linux/

# MIPS binary
./qltool run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux

# UEFI binary with environment pickle
./qltool run -f examples/rootfs/x8664_efi/bin/TcgPlatformSetupPolicy --rootfs examples/rootfs/x8664_efi --env examples/rootfs/x8664_efi/rom2_nvar.pickel

# GDB server
./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --gdb 127.0.0.1:9999 --rootfs examples/rootfs/x8664_linux

# Binary with arguments
./qltool run -f examples/rootfs/x8664_linux/bin/x8664_args --rootfs examples/rootfs/x8664_linux --args test1 test2 test3

# Disassembly output
./qltool run -f examples/rootfs/mips32el_linux/bin/mips32el_hello --rootfs examples/rootfs/mips32el_linux --verbose disasm

# With LD_PRELOAD
./qltool run -f examples/rootfs/x8664_linux/bin/tester --rootfs examples/rootfs/x8664_linux --env '{"LD_PRELOAD":"hijack.so"}' --verbose debug

# Launch TUI
./qltool qltui
```