How to use the capstone.CS_MODE_64 function in capstone
To help you get started, we’ve selected a few capstone examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
Cisco-Talos / pyrebox / volatility / volatility / framework / plugins / windows / handles.py View on Github 
return None
virtual_layer_name = self.config['primary']
kvo = self.context.layers[virtual_layer_name].config['kernel_virtual_offset']
ntkrnlmp = self.context.module(self.config["nt_symbols"], layer_name = virtual_layer_name, offset = kvo)
try:
func_addr = ntkrnlmp.get_symbol("ObpCaptureHandleInformationEx").address
except exceptions.SymbolError:
return None
data = self.context.layers.read(virtual_layer_name, kvo + func_addr, 0x200)
if data == None:
return None
md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
for (address, size, mnemonic, op_str) in md.disasm_lite(data, kvo + func_addr):
# print("{} {} {} {}".format(address, size, mnemonic, op_str))
if mnemonic.startswith("sar"):
# if we don't want to parse op strings, we can disasm the
# single sar instruction again, but we use disasm_lite for speed
self._sar_value = int(op_str.split(",")[1].strip(), 16)
break
return self._sar_valuedef run(self, arg=0):
try:
addr = idaapi.get_screen_ea()
# print("Addr: " + str(addr))
fcn_name = idc.GetFunctionName(addr)
print("----------------------------------------------------------------------------------------------------------")
print("SAFE Signature For Function: " + fcn_name)
info = idaapi.get_inf_structure()
if info.procName == 'metapc':
arch = capstone.CS_ARCH_X86
if info.is_64bit():
mode = capstone.CS_MODE_64
elif info.is_32bit():
mode = capstone.CS_MODE_32
start = idc.get_func_attr(addr, idc.FUNCATTR_START)
# print("Start: " + str(start))
obj = disassemble_func(start)
function = list_functions_to_disassembled([obj], arch, mode)[0]
prepappend = 'X_'
inst = [prepappend + x for x in function[1]]
converter = InstructionsConverter(os.path.join(idc.GetIdaDirectory(), "plugins", "word2id.json"))
normalizer = FunctionNormalizer(150)def decompile_until(self, input):
ssa.ssa_context_t.index = 0
if self.arch == 'x86':
md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
dis = host.dis.available_disassemblers['capstone'].create(md, input)
elif self.arch == 'x86-64':
md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
dis = host.dis.available_disassemblers['capstone'].create(md, input)
else:
raise RuntimeError('no such architecture: %s' % (self.arch, ))
dec = decompiler.decompiler_t(dis, 0)
dec.calling_convention = self.callconv
dec.step_until(self.step_until)
return decentrypoint_data = macho_data[entrypoint_offset:entrypoint_offset+500]
elif entrypoint_type == 'old':
found_section = False
for sec in all_sections:
if entrypoint_address >= sec['addr'] and entrypoint_address < (sec['addr'] + sec['size']):
found_section = True
entrypoint_address = (entrypoint_address - sec['addr']) + sec['offset']
break
if found_section:
entrypoint_offset = offset + entrypoint_address
entrypoint_data = macho_data[entrypoint_offset:entrypoint_offset+500]
mode = CS_MODE_32
if magic == 0xcffaedfe:
mode = CS_MODE_64
md = Cs(CS_ARCH_X86, mode)
match = []
if entrypoint_data:
try:
for (address, size, mnemonic, op_str) in md.disasm_lite(entrypoint_data, 0x1000):
match.append(mnemonic.encode('utf-8').strip())
except Exception as e:
print str(e)
for s in signatures:
m = match
sig = signatures[s]['mnemonics']
if m and m[0] == sig[0] or THRESHOLD < .7:
additional_info = []
if 'num_mnemonics' in signatures[s]:def __init__(self, mode):
super(Capstone, self).__init__(mode)
if self.mode == "I386":
self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
elif self.mode == "AMD64":
self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
elif self.mode == "MIPS":
self.cs = capstone.Cs(capstone.CS_ARCH_MIPS, capstone.CS_MODE_32 +
capstone.CS_MODE_BIG_ENDIAN)
else:
raise NotImplementedError(
"No disassembler available for this arch.")entrypoint_data = macho_data[entrypoint_offset:entrypoint_offset+500]
elif entrypoint_type == 'old':
found_section = False
for sec in all_sections:
if entrypoint_address >= sec['addr'] and entrypoint_address < (sec['addr'] + sec['size']):
found_section = True
entrypoint_address = (entrypoint_address - sec['addr']) + sec['offset']
break
if found_section:
entrypoint_offset = offset + entrypoint_address
entrypoint_data = macho_data[entrypoint_offset:entrypoint_offset+500]
mode = CS_MODE_32
if magic == 0xcffaedfe:
mode = CS_MODE_64
md = Cs(CS_ARCH_X86, mode)
match = []
try:
for (address, size, mnemonic, op_str) in md.disasm_lite(entrypoint_data, 0x1000):
match.append(mnemonic.encode('utf-8').strip())
except Exception as e:
print str(e)
print 'mnemonics = ' + ','.join(match[:30])def __init__(self, binary, filename=None):
magic_offset = 0
if not binary[magic_offset : magic_offset + WORD] == '\x7FELF':
raise BadMagicHeaderException()
self.binary = binary
self.filename = filename
offset = 4
self.bin_class = capstone.CS_MODE_32 if unpack('B', self.binary[offset : offset + BYTE])[0] == 1 else capstone.CS_MODE_64
self.word = ('Q' if self.bin_class == capstone.CS_MODE_64 else 'I', DWORD if self.bin_class == capstone.CS_MODE_64 else WORD)
offset = 5
self.endian = capstone.CS_MODE_LITTLE_ENDIAN if unpack('B', self.binary[offset : offset + BYTE])[0] == 1 else capstone.CS_MODE_BIG_ENDIAN
self.end = '<' if self.endian == capstone.CS_MODE_LITTLE_ENDIAN else '>'
offset = 7
os_values = {
0x00 : 'System V',
0x01 : 'HP-UX',
0x02 : 'NetBSD',
0x03 : 'Linux',
0x06 : 'Solaris',
0x07 : 'AIX',
0x08 : 'IRIX',
0x09 : 'FreeBSD',
0x0C : 'OpenBSD'
}def __init__(self, mode):
super(Capstone, self).__init__(mode)
if self.mode == "I386":
self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
elif self.mode == "AMD64":
self.cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
elif self.mode == "MIPS":
self.cs = capstone.Cs(capstone.CS_ARCH_MIPS, capstone.CS_MODE_32 +
capstone.CS_MODE_BIG_ENDIAN)
else:
raise NotImplementedError(
"No disassembler available for this arch.")dis = None
if procname == "arm" and bitness == 64:
dis = self._load_dis(capstone.CS_ARCH_ARM64, capstone.CS_MODE_ARM)
elif procname == "arm" and bitness == 32:
if size == 2:
dis = self._load_dis(capstone.CS_ARCH_ARM, capstone.CS_MODE_THUMB)
else:
dis = self._load_dis(capstone.CS_ARCH_ARM, capstone.CS_MODE_ARM)
elif procname in ['metapc', '8086', '80286r', '80286p', '80386r', '80386p','80486r', '80486p', '80586r', '80586p', '80686p', 'k62', 'p2', 'p3', 'athlon', 'p4', '8085']:
if bitness == 16:
dis = self._load_dis(capstone.CS_ARCH_X86, capstone.CS_MODE_16)
elif bitness == 32:
dis = self._load_dis(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
elif bitness == 64:
dis = self._load_dis(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
elif procname == "mipsb":
if bitness == 32:
dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS32 | capstone.CS_MODE_BIG_ENDIAN)
elif bitness == 64:
dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS64 | capstone.CS_MODE_BIG_ENDIAN)
elif procname == "mipsl":
if bitness == 32:
dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS32 | capstone.CS_MODE_LITTLE_ENDIAN)
elif bitness == 64:
dis = self._load_dis(capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS64 | capstone.CS_MODE_LITTLE_ENDIAN)
if dis is None:
raise NotImplementedError("unknown arch %s bit:%s inst_len:%d" % (procname, bitness, len(inst_buf)))
dis.detail = True
try:def __init__(self, filename, raw_type, raw_base, raw_big_endian, database):
import capstone as CAPSTONE
arch_lookup = {
"x86": CAPSTONE.CS_ARCH_X86,
"x64": CAPSTONE.CS_ARCH_X86,
"ARM": CAPSTONE.CS_ARCH_ARM,
"MIPS32": CAPSTONE.CS_ARCH_MIPS,
"MIPS64": CAPSTONE.CS_ARCH_MIPS,
}
mode_lookup = {
"x86": CAPSTONE.CS_MODE_32,
"x64": CAPSTONE.CS_MODE_64,
"ARM": CAPSTONE.CS_ARCH_ARM,
"MIPS32": CAPSTONE.CS_MODE_MIPS32,
"MIPS64": CAPSTONE.CS_MODE_MIPS64,
}
word_size_lookup = {
"x86": 4,
"x64": 8,
"ARM": 4,
"MIPS32": 4,
"MIPS64": 8,
}
self.capstone_inst = {} # capstone instruction cache
self.db = database
Popular capstone functions
- capstone.bindings.python.capstone.__init__.CsError
- capstone.capdb.models.CaseMetadata
- capstone.capdb.models.Citation
- capstone.Cs
- capstone.CS_ARCH_ARM
- capstone.CS_ARCH_ARM64
- capstone.CS_ARCH_MIPS
- capstone.CS_ARCH_X86
- capstone.CS_MODE_32
- capstone.CS_MODE_64
- capstone.CS_MODE_ARM
- capstone.CS_MODE_BIG_ENDIAN
- capstone.CS_MODE_LITTLE_ENDIAN
- capstone.CS_MODE_THUMB
- capstone.suite.test_group_name.GroupTest
- capstone.x86
- capstone.x86.X86_OP_IMM
- capstone.x86.X86_OP_MEM
- capstone.x86.X86_OP_REG
- capstone.x86_const