How to use the capstone.CS_ARCH_X86 function in capstone
To help you get started, we’ve selected a few capstone examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
iGio90 / Dwarf / lib / emulator.py View on Github 
def setup_x64(self):
self.uc = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_64)
self.cs = Cs(CS_ARCH_X86, CS_MODE_64)def disasm(machine_code,addr=0,arch=None):
import capstone
machine_code=Latin1_encode(machine_code)
if arch is None:
arch=context.arch
if arch=='i386':
disasmer=capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
elif arch=="amd64":
disasmer=capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
l=""
for i in disasmer.disasm(machine_code,addr):
l+="{:8s} {};\n".format(i.mnemonic,i.op_str)
return Latin1_decode(Latin1_encode(l.strip('\n')))def __init__(self, mode):
super(Capstone, self).__init__(mode)
if self.mode == "I386":
self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
elif self.mode == "AMD64":
self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
elif self.mode == "MIPS":
self.cs = capstone.Cs(capstone.CS_ARCH_MIPS, capstone.CS_MODE_32 +
capstone.CS_MODE_BIG_ENDIAN)
else:
raise NotImplementedError(
"No disassembler available for this arch.")import utils
bits = 64
regs = [
"rax", "rcx", "rdx", "rbx",
"rsp", "rbp", "rsi", "rdi",
"r8" , "r9" , "r10", "r11",
"r12", "r13", "r14", "r15",
"rip"
]
unicorn_arch = unicorn.UC_ARCH_X86
unicorn_mode = unicorn.UC_MODE_64
capstone_arch = capstone.CS_ARCH_X86
capstone_mode = capstone.CS_MODE_64
unicorn_regs = {}
capstone_regs = {}
for reg in regs:
unicorn_regs[reg] = getattr(unicorn.x86_const, "UC_X86_REG_" + reg.upper())
capstone_regs[reg] = getattr(capstone.x86_const, "X86_REG_" + reg.upper())
instruction_pointer = "rip"
stack_pointer = "rsp"
ip = instruction_pointer
sp = stack_pointer
address_mask = 0x0000007fffffffffdef disassemble(self, offset, count = 128, layer_name = None, architecture = None):
"""Disassembles a number of instructions from the code at offset"""
remaining_data = self._read_data(offset, count = count, layer_name = layer_name)
if not has_capstone:
print("Capstone not available - please install it to use the disassemble command")
else:
if isinstance(self.context.layers[layer_name or self.current_layer], intel.Intel32e):
architecture = 'intel64'
elif isinstance(self.context.layers[layer_name or self.current_layer], intel.Intel):
architecture = 'intel'
disasm_types = {
'intel': capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32),
'intel64': capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64),
'arm': capstone.Cs(capstone.CS_ARCH_ARM, capstone.CS_MODE_ARM),
'arm64': capstone.Cs(capstone.CS_ARCH_ARM64, capstone.CS_MODE_ARM)
}
if architecture is not None:
for i in disasm_types[architecture].disasm(remaining_data, offset):
print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str))def generate_code_file(fd, key, template="win32", show_disass=False):
sc = get_shellcode_from_stdin()
echo(fd, """/**\n * Vigenere encoding shellcode with key '%x'\n""" % (key,))
echo(fd, """ * Generated by %s\n**/\n\n""" % (sys.argv[0],))
echo(fd, HEADERS_C_CODE)
echo(fd, "unsigned char key = %d;\n" % key)
if show_disass:
echo(fd, "unsigned char decoded_shellcode[]={\n")
eng = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
for insn in eng.disasm(''.join(sc), 0x1000):
echo(fd, """\t%-60s ;; %s\t%s\n""" % ('"'+''.join(["\\x%02x" % i for i in insn.bytes])+'"' , insn.mnemonic, insn.op_str))
echo(fd, "};\n\n")
echo(fd, 'unsigned char encoded_shellcode[]=\n')
echo(fd, '"')
i = 1
for c in sc:
a = ord(c) ^ key
echo(fd, "\\x%.2x" % a)
if i % 15 == 0:
echo(fd, '"\n')
echo(fd, '"')
i += 1
key = (key + 1)%256
echo(fd, '";\n')raise NotImplementedError("Abstract class")
def call(self, target, *args, **kwargs):
raise NotImplementedError("Abstract class")
class X86Assembler(Assembler):
csmode = (capstone.CS_ARCH_X86, capstone.CS_MODE_32)
ksmode = (keystone.KS_ARCH_X86, keystone.KS_MODE_32)
def jmp(self, target, *args, **kwargs):
return self.asm("jmp {}".format(target), *args, **kwargs)
def call(self, target, *args, **kwargs):
return self.asm("call {}".format(target), *args, **kwargs)
class X64Assembler(X86Assembler):
csmode = (capstone.CS_ARCH_X86, capstone.CS_MODE_64)
ksmode = (keystone.KS_ARCH_X86, keystone.KS_MODE_64)
class ARMAssembler(Assembler):
csmode = (capstone.CS_ARCH_ARM, capstone.CS_MODE_ARM)
ksmode = (keystone.KS_ARCH_ARM, keystone.KS_MODE_ARM)
def assembler(arch='x86'):
asmdict = {
'x86': X86Assembler,
'amd64': X64Assembler,
'arm': ARMAssembler
}
if arch in asmdict:
return asmdict[arch]()
raise NotImplementedError("Support for arch {} is not implemented atm".format(arch))def get_arch_info():
info = idaapi.get_inf_structure()
proc = info.procName.lower()
bits = get_inf_structure_bitness(info)
instruction_set = None
instruction_mode = None
if proc == 'metapc':
instruction_set = CS_ARCH_X86
if bits == 16:
instruction_mode = CS_MODE_16
elif bits == 32:
instruction_mode = CS_MODE_32
elif bits == 64:
instruction_mode = CS_MODE_64
return instruction_set, instruction_modedef disasm(data, bitness = 64, vma = 0):
"""disasm(data, bitness = 64, vma = 0) dissas the data at vma"""
cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64 if bitness == 64 else capstone.CS_MODE_32)
dis = ''
for i in cs.disasm(data, vma):
dis += "%x:\t%s\t%s\n" %(i.address, i.mnemonic, i.op_str)
return dis
except ImportError:
Popular capstone functions
- capstone.bindings.python.capstone.__init__.CsError
- capstone.capdb.models.CaseMetadata
- capstone.capdb.models.Citation
- capstone.Cs
- capstone.CS_ARCH_ARM
- capstone.CS_ARCH_ARM64
- capstone.CS_ARCH_MIPS
- capstone.CS_ARCH_X86
- capstone.CS_MODE_32
- capstone.CS_MODE_64
- capstone.CS_MODE_ARM
- capstone.CS_MODE_BIG_ENDIAN
- capstone.CS_MODE_LITTLE_ENDIAN
- capstone.CS_MODE_THUMB
- capstone.suite.test_group_name.GroupTest
- capstone.x86
- capstone.x86.X86_OP_IMM
- capstone.x86.X86_OP_MEM
- capstone.x86.X86_OP_REG
- capstone.x86_const