How to use the capstone.CS_MODE_32 function in capstone
To help you get started, we’ve selected a few capstone examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
ww9210 / Linux_kernel_exploits / fuze / kernelrop / __init__.py View on Github 
def lookingForIretq(self):
opcodes = '48cf'
if self.c._Core__checksBeforeManipulations() is False:
return False
execsections = self.c._Core__binary.getExecSections()
arch = self.c._Core__binary.getArchMode()
for section in execsections:
#if section['name'] != '.text':
#continue
allRef = [m.start() for m in re.finditer(re.escape(opcodes.decode("hex")), section["opcodes"])]
for ref in allRef:
vaddr = self.c._Core__offset + section["vaddr"] + ref
rangeS = int(self.c._Core__options.range.split('-')[0], 16)
rangeE = int(self.c._Core__options.range.split('-')[1], 16)
if (rangeS == 0 and rangeE == 0) or (vaddr >= rangeS and vaddr <= rangeE):
print(("0x%08x" %(vaddr) if arch == CS_MODE_32 else "0x%016x" %(vaddr)) + " : %s" %(opcodes))
self.Iretq_gadget = vaddr
return
#s=self.k.get_section_by_name('.text')
#low_bound=s.header['sh_addr']
#high_bound=low_bound+s.header['sh_size']
#for _ in self.k.search('\x48\xcf'):
#if _ > low_bound and _ < high_bound:
#print 'Found iretq gadget at '+hex(_)
#self.Iretq_gadget=_
#break
returndef _initCapstone(self):
self.capstone = Cs(CS_ARCH_X86, CS_MODE_64) if self.disassembly.binary_info.bitness == 64 else Cs(CS_ARCH_X86, CS_MODE_32)def getProgramInfo(self):
import hashlib
fields = {
"File MD5": hashlib.md5(self.binary).hexdigest(),
"File Format": self.FILETYPE_NAME,
"Architecture": self.getArchName(),
"Architecture Mode": "32-bit" if self.bin_class == capstone.CS_MODE_32 else "64-bit",
"Entry Point": "0x{:x}".format(self.entry_point),
}
if self.filename != None:
fields["Filename"] = self.filename
max_length = max(len(x) + len(fields[x]) for x in fields) + 2
program_info = "#"*(max_length+12) + "\n"
for x in fields:
program_info += "###"
program_info += (" {:<%d} " % max_length).format(x + ": " + fields[x])
program_info += "###\n"
program_info += "#"*(max_length+12) + "\n"
return program_infobitness = 16 << segment.bitness# 16, 32, 64
procname = self.api.idaapi.get_inf_structure().procName.lower()
dis = None
if procname == "arm" and bitness == 64:
dis = self._load_dis(capstone.CS_ARCH_ARM64, capstone.CS_MODE_ARM)
elif procname == "arm" and bitness == 32:
if size == 2:
dis = self._load_dis(capstone.CS_ARCH_ARM, capstone.CS_MODE_THUMB)
else:
dis = self._load_dis(capstone.CS_ARCH_ARM, capstone.CS_MODE_ARM)
elif procname in ['metapc', '8086', '80286r', '80286p', '80386r', '80386p','80486r', '80486p', '80586r', '80586p', '80686p', 'k62', 'p2', 'p3', 'athlon', 'p4', '8085']:
if bitness == 16:
dis = self._load_dis(capstone.CS_ARCH_X86, capstone.CS_MODE_16)
elif bitness == 32:
dis = self._load_dis(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
elif bitness == 64:
dis = self._load_dis(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
elif procname == "mipsb":
if bitness == 32:
dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS32 | capstone.CS_MODE_BIG_ENDIAN)
elif bitness == 64:
dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS64 | capstone.CS_MODE_BIG_ENDIAN)
elif procname == "mipsl":
if bitness == 32:
dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS32 | capstone.CS_MODE_LITTLE_ENDIAN)
elif bitness == 64:
dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS64 | capstone.CS_MODE_LITTLE_ENDIAN)
if dis is None:
raise NotImplementedError("unknown arch %s bit:%s inst_len:%d" % (procname, bitness, len(inst_buf)))
dis.detail = Truedef _initCapstone(self):
self.capstone = Cs(CS_ARCH_X86, CS_MODE_32)
if self.bitness == 64:
self.capstone = Cs(CS_ARCH_X86, CS_MODE_64)Returns:
An instance of the capstone disassembler.
Raises:
NotImplementedError: If the specified target isn't supported.
"""
if not HAVE_CAPSTONE:
raise NotImplementedError('pwnypack requires capstone to disassemble to AT&T and Intel syntax')
if target is None:
target = pwnypack.target.target
if target.arch == pwnypack.target.Target.Arch.x86:
if target.bits is pwnypack.target.Target.Bits.bits_32:
md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
else:
md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
elif target.arch == pwnypack.target.Target.Arch.arm:
mode = 0
if target.bits is pwnypack.target.Target.Bits.bits_32:
arch = capstone.CS_ARCH_ARM
if target.mode and pwnypack.target.Target.Mode.arm_thumb:
mode = capstone.CS_MODE_THUMB
else:
mode = capstone.CS_MODE_ARM
if target.mode and pwnypack.target.Target.Mode.arm_m_class:
mode |= capstone.CS_MODE_MCLASS
if target.mode and pwnypack.target.Target.Mode.arm_v8:def disassemble(self, offset, count = 128, layer_name = None, architecture = None):
"""Disassembles a number of instructions from the code at offset"""
remaining_data = self._read_data(offset, count = count, layer_name = layer_name)
if not has_capstone:
print("Capstone not available - please install it to use the disassemble command")
else:
if isinstance(self.context.layers[layer_name or self.current_layer], intel.Intel32e):
architecture = 'intel64'
elif isinstance(self.context.layers[layer_name or self.current_layer], intel.Intel):
architecture = 'intel'
disasm_types = {
'intel': capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32),
'intel64': capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64),
'arm': capstone.Cs(capstone.CS_ARCH_ARM, capstone.CS_MODE_ARM),
'arm64': capstone.Cs(capstone.CS_ARCH_ARM64, capstone.CS_MODE_ARM)
}
if architecture is not None:
for i in disasm_types[architecture].disasm(remaining_data, offset):
print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str))def __init__(self, filename, raw_type, raw_base, raw_big_endian, database):
import capstone as CAPSTONE
arch_lookup = {
"x86": CAPSTONE.CS_ARCH_X86,
"x64": CAPSTONE.CS_ARCH_X86,
"ARM": CAPSTONE.CS_ARCH_ARM,
"MIPS32": CAPSTONE.CS_ARCH_MIPS,
"MIPS64": CAPSTONE.CS_ARCH_MIPS,
}
mode_lookup = {
"x86": CAPSTONE.CS_MODE_32,
"x64": CAPSTONE.CS_MODE_64,
"ARM": CAPSTONE.CS_ARCH_ARM,
"MIPS32": CAPSTONE.CS_MODE_MIPS32,
"MIPS64": CAPSTONE.CS_MODE_MIPS64,
}
word_size_lookup = {
"x86": 4,
"x64": 8,
"ARM": 4,
"MIPS32": 4,
"MIPS64": 8,
}
self.capstone_inst = {} # capstone instruction cache
self.db = databasedef decompile_until(self, input):
ssa.ssa_context_t.index = 0
if self.arch == 'x86':
md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
dis = host.dis.available_disassemblers['capstone'].create(md, input)
elif self.arch == 'x86-64':
md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
dis = host.dis.available_disassemblers['capstone'].create(md, input)
else:
raise RuntimeError('no such architecture: %s' % (self.arch, ))
dec = decompiler.decompiler_t(dis, 0)
dec.calling_convention = self.callconv
dec.step_until(self.step_until)
return decimport capstone
import any_capstone
dis = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
def PROCESSOR_ENTRY():
return any_capstone.Processor("x86_32", dis)
Popular capstone functions
- capstone.bindings.python.capstone.__init__.CsError
- capstone.capdb.models.CaseMetadata
- capstone.capdb.models.Citation
- capstone.Cs
- capstone.CS_ARCH_ARM
- capstone.CS_ARCH_ARM64
- capstone.CS_ARCH_MIPS
- capstone.CS_ARCH_X86
- capstone.CS_MODE_32
- capstone.CS_MODE_64
- capstone.CS_MODE_ARM
- capstone.CS_MODE_BIG_ENDIAN
- capstone.CS_MODE_LITTLE_ENDIAN
- capstone.CS_MODE_THUMB
- capstone.suite.test_group_name.GroupTest
- capstone.x86
- capstone.x86.X86_OP_IMM
- capstone.x86.X86_OP_MEM
- capstone.x86.X86_OP_REG
- capstone.x86_const