← All stories

Quarkslab

QBDI vs TritonDSE against a VM: who will be the fastest?

Laurent Laubin · 2026-03-30 · Read original ↗

ATT&CK techniques detected

6 predictions

T1055.001Dynamic-link Library Injection

92%

“jdhack _ level4 _ after _ windowprompt. dump " ) config = config ( workspace = " ws ", workspace _ reset = true ) seed = seed ( compositedata ( variables = { " flag " : b " abcdefghijklmnopqrstuvwxyz " } ) ) executor = symbolicexecutor ( config, seed ) executor. load ( p ) # we s…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1055.001Dynamic-link Library Injection

90%

“pyqbdi import ctypes def load _ lib ( ) : # the lib is importing various function from the main binary, # so we just create a fake lib doing nothing except exporting the symbol, to make the loader happy... zefakelib = ctypes. cdll ( ". / fake - jdhack. so ", mode = ctypes. rtld _…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1056.001Keylogging

57%

“data [ ' fakelib ' ]. window _ prompt, ctypes. c _ void _ p ). value hooked _ window _ msg _ adr = ctypes. cast ( cb _ data [ ' fakelib ' ]. window _ msg, ctypes. c _ void _ p ). value vm. addcodeaddrcb ( hooked _ window _ msg _ adr, pyqbdi. preinst, hook _ window _ msg, cb _ dat…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1056.004Credential API Hooking

48%

“data [ ' fakelib ' ]. window _ prompt, ctypes. c _ void _ p ). value hooked _ window _ msg _ adr = ctypes. cast ( cb _ data [ ' fakelib ' ]. window _ msg, ctypes. c _ void _ p ). value vm. addcodeaddrcb ( hooked _ window _ msg _ adr, pyqbdi. preinst, hook _ window _ msg, cb _ dat…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1055.001Dynamic-link Library Injection

35%

“. > > > ctypes. cdll ( ". / fake - jdhack - minimalist. so ", mode = ctypes. rtld _ global ) < cdll '. / fake - jdhack - minimalist. so ', handle 55c360edf410 at 0x7fb2de8be660 > > > > ctypes. cdll. loadlibrary ( ". / level _ 4. so " ) < cdll '. / level _ 4. so ', handle 55c360ee…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1056.004Credential API Hooking

30%

“is at baseaddress + 0xc6be. func _ ptr = cb _ data [ ' baseadr _ level ' ] + 0xc6be # create a qbdi vm vm = pyqbdi. vm ( ) # allocate a stack for the qbdi vm state = vm. getgprstate ( ) stack = pyqbdi. allocatevirtualstack ( state, 0x1000000 ) print ( f " [ * * ] library loaded a…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

Summary

In this blog, we present how QBDI and TritonDSE can be used to attack a complex C++ binary implementing a VM.