website/blog/2019-03-11_introduction-to-qemu.md

# Introduction to QEMU for Hackers

One of the things that I've noticed in the infosec community is the tendency to
stick to the proprietary virtualization tools that are familiar.
People often are quick discount tools that they don't already know, so I have
written this blog post in an attempt to foster an interest in exploring other
virtualization options.  My hope is that, even if you don't come away wanting to
use QEMU in your CTF lab or malware analysis playpen, you will at least be more
open to looking into other forms of emulation and virtualization.

## The Case for QEMU
Many hacking event organizers spend ample time pointing and clicking through
their VirtualBox and VMware configuration wizards to setup their hacking labs.
What if I told you there was a better way that works on Linux, macOS, Windows,
and Xen?

### Enter QEMU
With [QEMU](https://www.qemu.org/) your VMs are defined as the arguments passed
to QEMU on its invocation at the command line.  For example, you might invoke a
VM as such (note that **`>`** is a
[$PS2 prompt](http://tldp.org/HOWTO/Bash-Prompt-HOWTO/x157.html)):

```
$ qemu-system-x86_64 -machine type=q35 --enable-kvm -cpu host -smp cpus=8 \
> -m 512M -netdev user,id=net0 -device e1000,netdev=net0 -hda dsk/vm-hdd.qcow
```

### Shell Scripts as VM Templates

Obviously this isn't a good long-term way to run your VM, but fear not, as there
is a better way!  All you have to do is save your VM arguments to an executable
shell script like the following:
```
#!/usr/bin/env bash

# image creation command:
# qemu-img create -f qcow2 -o preallocation=metadata dsk/vm-hdd.qcow 20G

qemu-system-x86_64 \
  -machine type=q35 \
  --enable-kvm \
  -cpu host \
  -smp cpus=8 \
  -m 512M
  -netdev user,id=net0 \
  -device e1000,netdev=net0 \
  -hda dsk/vm-hdd.qcow \
;
```

Don't forget to make your script executable!
```
$ chmod +x vm-foo
```

The nice thing about these scripts is that you can freely copy and edit them
with the standard UNIX command-line tools that you are used to, meaning that
you can use one VM script as a template for another virtual machine.  Making a
VM based on a template then becomes as simple as copying a bash script:
```
$ cp vm-foo vm-bar
```

For more information on creating QEMU disk images, see the
[qemu-img(1)](https://linux.die.net/man/1/qemu-img) man page.

### QEMU's Advanced Features
QEMU is a capable of emulating foreign CPU architectures, as well as working in
conjunction with a hypervisor to perform fully-accelerated, near
native-performance virtualization.  Some of the supported architectures for
full-system emulation are:

- Alpha
- Altera Nios II
- ARM
- Axis ETRAX CRIS
- HP PA-RISC
- i386/x86
- IBM System/390
- Microblaze (big and little endian)
- MIPS (big and little)
- MIPS64 (big and little)
- Motorola 68000
- Moxie
- OpenRISC 1k (IP core for FPGAs)
- PowerPC
- PowerPC 64 (big and little)
- RISC V
- RISC V 64
- SuperH SH-4
- SPARC and SPARC32 Plus
- SPARC64
- TILE-Gx
- Xtensa

Some of its other features include:

- Support for the Intel HAXM, Linux KVM, and Xen hypervisors
- PCIe passthrough
- attaching physical disks to VMs
- USB passthrough
- network block devices
- importing and converting disks from other formats
- command-line interactive monitor
- VNC support
- multiple virtual VGA adapters and video modes
- tap/tun support (bridging to actual network interfaces on the host)

*Stay tuned for more!*
Blog: Add old blog posts 2023-10-20 05:01:40 -05:00			`# Introduction to QEMU for Hackers`

			`One of the things that I've noticed in the infosec community is the tendency to`
			`stick to the proprietary virtualization tools that are familiar.`
			`People often are quick discount tools that they don't already know, so I have`
			`written this blog post in an attempt to foster an interest in exploring other`
			`virtualization options. My hope is that, even if you don't come away wanting to`
			`use QEMU in your CTF lab or malware analysis playpen, you will at least be more`
			`open to looking into other forms of emulation and virtualization.`

			`## The Case for QEMU`
			`Many hacking event organizers spend ample time pointing and clicking through`
			`their VirtualBox and VMware configuration wizards to setup their hacking labs.`
			`What if I told you there was a better way that works on Linux, macOS, Windows,`
			`and Xen?`

			`### Enter QEMU`
			`With [QEMU](https://www.qemu.org/) your VMs are defined as the arguments passed`
			`to QEMU on its invocation at the command line. For example, you might invoke a`
			VM as such (note that `>` is a
blog: intro to QEMU formatting fixes 2026-04-19 14:37:50 -05:00			`[$PS2 prompt](http://tldp.org/HOWTO/Bash-Prompt-HOWTO/x157.html)):`

Blog: Add old blog posts 2023-10-20 05:01:40 -05:00			```
			`$ qemu-system-x86_64 -machine type=q35 --enable-kvm -cpu host -smp cpus=8 \`
			`> -m 512M -netdev user,id=net0 -device e1000,netdev=net0 -hda dsk/vm-hdd.qcow`
			```

			`### Shell Scripts as VM Templates`

			`Obviously this isn't a good long-term way to run your VM, but fear not, as there`
			`is a better way! All you have to do is save your VM arguments to an executable`
			`shell script like the following:`
			```
			`#!/usr/bin/env bash`

			`# image creation command:`
			`# qemu-img create -f qcow2 -o preallocation=metadata dsk/vm-hdd.qcow 20G`

			`qemu-system-x86_64 \`
			`-machine type=q35 \`
			`--enable-kvm \`
			`-cpu host \`
			`-smp cpus=8 \`
			`-m 512M`
			`-netdev user,id=net0 \`
			`-device e1000,netdev=net0 \`
			`-hda dsk/vm-hdd.qcow \`
			`;`
			```

			`Don't forget to make your script executable!`
			```
			`$ chmod +x vm-foo`
			```

			`The nice thing about these scripts is that you can freely copy and edit them`
			`with the standard UNIX command-line tools that you are used to, meaning that`
			`you can use one VM script as a template for another virtual machine. Making a`
			`VM based on a template then becomes as simple as copying a bash script:`
			```
			`$ cp vm-foo vm-bar`
			```

			`For more information on creating QEMU disk images, see the`
			`[qemu-img(1)](https://linux.die.net/man/1/qemu-img) man page.`

			`### QEMU's Advanced Features`
			`QEMU is a capable of emulating foreign CPU architectures, as well as working in`
			`conjunction with a hypervisor to perform fully-accelerated, near`
			`native-performance virtualization. Some of the supported architectures for`
			`full-system emulation are:`

			`- Alpha`
			`- Altera Nios II`
			`- ARM`
			`- Axis ETRAX CRIS`
			`- HP PA-RISC`
			`- i386/x86`
			`- IBM System/390`
			`- Microblaze (big and little endian)`
			`- MIPS (big and little)`
			`- MIPS64 (big and little)`
			`- Motorola 68000`
			`- Moxie`
			`- OpenRISC 1k (IP core for FPGAs)`
			`- PowerPC`
			`- PowerPC 64 (big and little)`
			`- RISC V`
			`- RISC V 64`
			`- SuperH SH-4`
			`- SPARC and SPARC32 Plus`
			`- SPARC64`
			`- TILE-Gx`
			`- Xtensa`

			`Some of its other features include:`

			`- Support for the Intel HAXM, Linux KVM, and Xen hypervisors`
			`- PCIe passthrough`
			`- attaching physical disks to VMs`
			`- USB passthrough`
			`- network block devices`
			`- importing and converting disks from other formats`
			`- command-line interactive monitor`
			`- VNC support`
			`- multiple virtual VGA adapters and video modes`
			`- tap/tun support (bridging to actual network interfaces on the host)`

			`Stay tuned for more!`