Arion is a library that aims to emulate various executable formats (ELF, PE, Mach-O...) coming from different platforms (Linux, Windows, macOS...) and with different CPU architectures (x86, ARM, MIPS...).
Based on Unicorn and written in C++, it should allow fast emulation especially for fuzzing purposes.
Inspired by Qiling, Arion in its current form is not intended to replace this awesome Python library, but to complement it with higher performance.
This project is still in alpha development. It can be unstable and/or lead to undesired behaviors, so you may want to deploy it in a containerized environment.
Arion currently implements the following features:
- Emulating Linux ELFs for x86, x86-64, ARM, ARM64
- Emulating more than 120 syscalls
- Fork handling
- Multithreading handling (unstable)
- Saving / restoring context
- Hooking the target with ~20 functions
- Memory reading / writing
- File system management
- Network sockets management
Installation
Download a release
Build the library with Docker
Performance comparison
How to use ?
Examples
Contributing
Development Mode
Check the Releases tab on the GitHub project and download the latest one.
- Clone the repository: `git clone https://github.com/h311d1n3r/Arion.git && cd Arion`.
- Check the available Dockerfiles under `Arion/docker`.
- Build the docker image of your choice: `./scripts/docker_build.sh {OS}{OS_VERSION} {BUILD_VERSION}`.
- You can build against Arion library from inside the docker or extract it on your host.
- Clone the repository: `git clone https://github.com/h311d1n3r/Arion.git && cd Arion`.
- Initialize git dependencies: `git submodule update --init`
- Create the build directory: `mkdir build && cd build`.
- Run CMake to configure the project: `cmake ..`.
- Run make to compile the project: `make -j4`.
- Run make install to deploy the project: `sudo make install`.
Because Arion is written entirely in C++, it has a much lower execution time than Qiling, which is slowed by its to-and-fro with the Python context.
The next two graphs were produced with the same program, run in the same context with both Arion and Qiling.
In the first graph, the variable is the number of syscalls executed by the target, whereas in the second it is the number of basic blocks hit when all basic blocks are hooked.


A wiki and documentation are to come. For now, you can rely on the examples and visit the headers in the `include` directory to learn more about what you can do with Arion.
You can find examples inside the `examples` directory. These examples are by no means exhaustive, but they will teach you how to deal with Arion.
Feel free to contribute to the project by implementing new features on the `dev` branch.
Arion can be compiled with the `DEV` option enabled (`-DDEV=ON`) to increase build speed.
This mode uses system libraries instead of building and embedding the ones of `lib/`.
It is highly recommended to use library versions on the exact same commits as `lib/`.