Switching from QEMU to Unicorn-Engine
I noticed that qira is using a hacked/patched version of QEMU to implement its tracing functionality, which sounds annoying to maintain.
Has anyone looked into Unicorn Engine? It was released last year, and it's based on the CPU emulation component of QEMU, but is designed specifically for what qira does: running/tracing arbitrary machine code. It's also got Python bindings!
It has a lot of interesting features, targeted at binary analysis: http://www.unicorn-engine.org/docs/beyond_qemu.html
Would it make sense to switch over to this? (I haven't examined qira's codebase in any depth yet.)
We have some people at CMU who expressed interest in this, and I think geohot was doing a version of QIRA using Unicorn at DEFCON CTF. Having a callback on every executed instruction is more expensive than the already expensive processing we do now, but could yield some nice benefits.
@epitron Could I ask a question about Unicorn? I briefly browsed the Unicorn documentation. Unicorn seems to only have the ability of CPU emulation, not the ability to execute the program and generate the trace. If I am wrong, please correct me. Thank you.
@bananaappletw I agree with you, it can't, and it doesn't need to.
@bananaappletw
Unicorn is CPU emulation, so you can use the virtual execution and generate traces, and that's the part needed/used from QEMU. Unicorn is really nice and has pretty cool support, and it has a lot more functionality that QEMU is not capable of, like raw code virtualisation, if I still remember correctly.
QEMU is hardware and software (BIOS) virtualisation, which is not all needed because we don't use the whole virtualisation process of it; we only emulate CPU execution or virtually execute binaries on it.
Conclusion: both are nice and allow us to do what we need, and each one has pros and cons, but for QIRA I prefer Unicorn because of its capabilities.