How to use the capstone.CS_MODE_64 function in capstone

To help you get started, we’ve selected a few capstone examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github Cisco-Talos / pyrebox / volatility / volatility / framework / plugins / windows / handles.py View on Github external
return None

            virtual_layer_name = self.config['primary']
            kvo = self.context.layers[virtual_layer_name].config['kernel_virtual_offset']
            ntkrnlmp = self.context.module(self.config["nt_symbols"], layer_name = virtual_layer_name, offset = kvo)

            try:
                func_addr = ntkrnlmp.get_symbol("ObpCaptureHandleInformationEx").address
            except exceptions.SymbolError:
                return None

            data = self.context.layers.read(virtual_layer_name, kvo + func_addr, 0x200)
            if data == None:
                return None

            md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)

            for (address, size, mnemonic, op_str) in md.disasm_lite(data, kvo + func_addr):
                # print("{} {} {} {}".format(address, size, mnemonic, op_str))

                if mnemonic.startswith("sar"):
                    # if we don't want to parse op strings, we can disasm the
                    # single sar instruction again, but we use disasm_lite for speed
                    self._sar_value = int(op_str.split(",")[1].strip(), 16)
                    break

        return self._sar_value
github lucamassarelli / yarasafe / ida-pro-plugin / SAFE_plugin.py View on Github external
def run(self, arg=0):
        try:
            addr = idaapi.get_screen_ea()
            # print("Addr: " + str(addr))

            fcn_name = idc.GetFunctionName(addr)
            print("----------------------------------------------------------------------------------------------------------")
            print("SAFE Signature For Function: " + fcn_name)

            info = idaapi.get_inf_structure()
            
            if info.procName == 'metapc':
                arch = capstone.CS_ARCH_X86
            
            if info.is_64bit():
                mode = capstone.CS_MODE_64
            elif info.is_32bit():
                mode = capstone.CS_MODE_32
                
            

            start = idc.get_func_attr(addr, idc.FUNCATTR_START)
            # print("Start: " + str(start))

            obj = disassemble_func(start)
            function = list_functions_to_disassembled([obj], arch, mode)[0]

            prepappend = 'X_'
            inst = [prepappend + x for x in function[1]]

            converter = InstructionsConverter(os.path.join(idc.GetIdaDirectory(), "plugins", "word2id.json"))
            normalizer = FunctionNormalizer(150)
github EiNSTeiN- / decompiler / src / objdump-decompiler.py View on Github external
def decompile_until(self, input):
    ssa.ssa_context_t.index = 0

    if self.arch == 'x86':
      md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
      dis = host.dis.available_disassemblers['capstone'].create(md, input)
    elif self.arch == 'x86-64':
      md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
      dis = host.dis.available_disassemblers['capstone'].create(md, input)
    else:
      raise RuntimeError('no such architecture: %s' % (self.arch, ))

    dec = decompiler.decompiler_t(dis, 0)
    dec.calling_convention = self.callconv
    dec.step_until(self.step_until)
    return dec
github carbonblack / tic / mpesm / mpesm.py View on Github external
entrypoint_data = macho_data[entrypoint_offset:entrypoint_offset+500]
                elif entrypoint_type == 'old':
                    found_section = False
                    for sec in all_sections:
                        if entrypoint_address >= sec['addr'] and entrypoint_address < (sec['addr'] + sec['size']):
                            found_section = True
                            entrypoint_address = (entrypoint_address - sec['addr']) + sec['offset']
                            break

                    if found_section:
                        entrypoint_offset = offset + entrypoint_address
                        entrypoint_data = macho_data[entrypoint_offset:entrypoint_offset+500]

                mode = CS_MODE_32
                if magic == 0xcffaedfe:
                    mode = CS_MODE_64

                md = Cs(CS_ARCH_X86, mode)
                match = []
                if entrypoint_data:
                    try:
                        for (address, size, mnemonic, op_str) in md.disasm_lite(entrypoint_data, 0x1000):
                            match.append(mnemonic.encode('utf-8').strip())
                    except Exception as e:
                        print str(e)

                    for s in signatures:
                        m = match
                        sig = signatures[s]['mnemonics']
                        if m and m[0] == sig[0] or THRESHOLD < .7:
                            additional_info = []
                            if 'num_mnemonics' in signatures[s]:
github google / rekall / rekall / plugins / windows / disassembler.py View on Github external
def __init__(self, mode):
        super(Capstone, self).__init__(mode)

        if self.mode == "I386":
            self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
        elif self.mode == "AMD64":
            self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
        elif self.mode == "MIPS":
            self.cs = capstone.Cs(capstone.CS_ARCH_MIPS, capstone.CS_MODE_32 +
                                  capstone.CS_MODE_BIG_ENDIAN)
        else:
            raise NotImplementedError(
                "No disassembler available for this arch.")
github carbonblack / tic / mpesm / generate_mpesm_sig.py View on Github external
entrypoint_data = macho_data[entrypoint_offset:entrypoint_offset+500]
            elif entrypoint_type == 'old':
                found_section = False
                for sec in all_sections:
                    if entrypoint_address >= sec['addr'] and entrypoint_address < (sec['addr'] + sec['size']):
                        found_section = True
                        entrypoint_address = (entrypoint_address - sec['addr']) + sec['offset']
                        break

                if found_section:
                    entrypoint_offset = offset + entrypoint_address
                    entrypoint_data = macho_data[entrypoint_offset:entrypoint_offset+500]

            mode = CS_MODE_32
            if magic == 0xcffaedfe:
                mode = CS_MODE_64

            md = Cs(CS_ARCH_X86, mode)
            match = []  
            try:
                for (address, size, mnemonic, op_str) in md.disasm_lite(entrypoint_data, 0x1000):
                    match.append(mnemonic.encode('utf-8').strip())
            except Exception as e:
                print str(e)
            print 'mnemonics = ' + ','.join(match[:30])
github jchristman / PyDA / disassembler / formats / elf.py View on Github external
def __init__(self, binary, filename=None):
        magic_offset = 0
        if not binary[magic_offset : magic_offset + WORD] == '\x7FELF':
            raise BadMagicHeaderException()
        
        self.binary = binary
        self.filename = filename

        offset = 4
        self.bin_class = capstone.CS_MODE_32 if unpack('B', self.binary[offset : offset + BYTE])[0] == 1 else capstone.CS_MODE_64
        self.word = ('Q' if self.bin_class == capstone.CS_MODE_64 else 'I', DWORD if self.bin_class == capstone.CS_MODE_64 else WORD)
        offset = 5
        self.endian = capstone.CS_MODE_LITTLE_ENDIAN if unpack('B', self.binary[offset : offset + BYTE])[0] == 1 else capstone.CS_MODE_BIG_ENDIAN
        self.end = '<' if self.endian == capstone.CS_MODE_LITTLE_ENDIAN else '>'
        offset = 7
        os_values = {
                0x00 : 'System V',
                0x01 : 'HP-UX',
                0x02 : 'NetBSD',
                0x03 : 'Linux',
                0x06 : 'Solaris',
                0x07 : 'AIX',
                0x08 : 'IRIX',
                0x09 : 'FreeBSD',
                0x0C : 'OpenBSD'
                }
github google / rekall / rekall-core / rekall / plugins / windows / disassembler.py View on Github external
def __init__(self, mode):
        super(Capstone, self).__init__(mode)

        if self.mode == "I386":
            self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
        elif self.mode == "AMD64":
            self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
        elif self.mode == "MIPS":
            self.cs = capstone.Cs(capstone.CS_ARCH_MIPS, capstone.CS_MODE_32 +
                                  capstone.CS_MODE_BIG_ENDIAN)
        else:
            raise NotImplementedError(
                "No disassembler available for this arch.")
github williballenthin / python-idb / idb / idapython.py View on Github external
dis = None
        if procname == "arm" and bitness == 64:
            dis = self._load_dis(capstone.CS_ARCH_ARM64, capstone.CS_MODE_ARM)
        elif procname == "arm" and bitness == 32:
            if size == 2:
                dis = self._load_dis(capstone.CS_ARCH_ARM, capstone.CS_MODE_THUMB)
            else:
                dis = self._load_dis(capstone.CS_ARCH_ARM, capstone.CS_MODE_ARM)
        elif procname in ['metapc', '8086', '80286r', '80286p', '80386r', '80386p','80486r', '80486p', '80586r', '80586p', '80686p', 'k62', 'p2', 'p3', 'athlon', 'p4', '8085']:
            if bitness == 16:
                dis = self._load_dis(capstone.CS_ARCH_X86, capstone.CS_MODE_16)
            elif bitness == 32:
                dis = self._load_dis(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
            elif bitness == 64:
                dis = self._load_dis(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
        elif procname == "mipsb":
            if bitness == 32:
                dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS32 | capstone.CS_MODE_BIG_ENDIAN)
            elif bitness == 64:
                dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS64 | capstone.CS_MODE_BIG_ENDIAN)
        elif procname == "mipsl":
            if bitness == 32:
                dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS32 | capstone.CS_MODE_LITTLE_ENDIAN)
            elif bitness == 64:
                dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS64 | capstone.CS_MODE_LITTLE_ENDIAN)

        if dis is None:
            raise NotImplementedError("unknown arch %s bit:%s inst_len:%d" % (procname, bitness, len(inst_buf)))
        dis.detail = True

        try:
github plasma-disassembler / plasma / plasma / lib / disassembler.py View on Github external
def __init__(self, filename, raw_type, raw_base, raw_big_endian, database):
        import capstone as CAPSTONE

        arch_lookup = {
            "x86": CAPSTONE.CS_ARCH_X86,
            "x64": CAPSTONE.CS_ARCH_X86,
            "ARM": CAPSTONE.CS_ARCH_ARM,
            "MIPS32": CAPSTONE.CS_ARCH_MIPS,
            "MIPS64": CAPSTONE.CS_ARCH_MIPS,
        }

        mode_lookup = {
            "x86": CAPSTONE.CS_MODE_32,
            "x64": CAPSTONE.CS_MODE_64,
            "ARM": CAPSTONE.CS_ARCH_ARM,
            "MIPS32": CAPSTONE.CS_MODE_MIPS32,
            "MIPS64": CAPSTONE.CS_MODE_MIPS64,
        }

        word_size_lookup = {
            "x86": 4,
            "x64": 8,
            "ARM": 4,
            "MIPS32": 4,
            "MIPS64": 8,
        }

        self.capstone_inst = {} # capstone instruction cache
        self.db = database