How to use the capstone.CS_MODE_LITTLE_ENDIAN function in capstone
To help you get started, we’ve selected a few capstone examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
jchristman / PyDA / disassembler / formats / elf.py View on Github 
def __init__(self, binary, filename=None):
magic_offset = 0
if not binary[magic_offset : magic_offset + WORD] == '\x7FELF':
raise BadMagicHeaderException()
self.binary = binary
self.filename = filename
offset = 4
self.bin_class = capstone.CS_MODE_32 if unpack('B', self.binary[offset : offset + BYTE])[0] == 1 else capstone.CS_MODE_64
self.word = ('Q' if self.bin_class == capstone.CS_MODE_64 else 'I', DWORD if self.bin_class == capstone.CS_MODE_64 else WORD)
offset = 5
self.endian = capstone.CS_MODE_LITTLE_ENDIAN if unpack('B', self.binary[offset : offset + BYTE])[0] == 1 else capstone.CS_MODE_BIG_ENDIAN
self.end = '<' if self.endian == capstone.CS_MODE_LITTLE_ENDIAN else '>'
offset = 7
os_values = {
0x00 : 'System V',
0x01 : 'HP-UX',
0x02 : 'NetBSD',
0x03 : 'Linux',
0x06 : 'Solaris',
0x07 : 'AIX',
0x08 : 'IRIX',
0x09 : 'FreeBSD',
0x0C : 'OpenBSD'
}
self.os = os_values[unpack('B', self.binary[offset : offset + BYTE])[0]]
offset = 0x10
type_values = {self.vex_arch = "VexArchARM"
self.vex_endness = "VexEndnessLE" if endness == "Iend_LE" else "VexEndnessBE"
self.name = "ARM"
self.qemu_name = 'arm'
self.ida_processor = 'armb'
self.max_inst_bytes = 4
self.ip_offset = 68
self.sp_offset = 60
self.bp_offset = 60
self.ret_offset = 8
self.call_pushes_ret = False
self.stack_change = -4
self.memory_endness = endness
self.register_endness = endness
self.cs_arch = _capstone.CS_ARCH_ARM
self.cs_mode = _capstone.CS_MODE_LITTLE_ENDIAN if endness == 'Iend_LE' else _capstone.CS_MODE_BIG_ENDIAN
#self.ret_instruction = "\x0E\xF0\xA0\xE1" # this is mov pc, lr
self.ret_instruction = "\x1E\xFF\x2F\xE1" # this is bx lr
self.nop_instruction = "\x00\x00\x00\x00"
if endness == "Iend_LE":
self.function_prologs = {
r"[\x00-\xff][\x00-\xff]\x2d\xe9", # stmfd sp!, {xxxxx}
}
else:
self.function_prologs = {
r"\xe9\x2d[\x00-\xff][\x00-\xff]", # stmfd sp!, {xxxxx}
}
self.instruction_alignment = 4
self.concretize_unique_registers.add(64)
self.default_register_values = [
( 'sp', self.initial_sp, True, 'global' ), # the stack
( 0x188, 0x00000000, False, None ) # part of the thumb conditional flagsself.vex_endness = "VexEndnessLE" if endness == "Iend_LE" else "VexEndnessBE"
self.name = "PPC64"
self.qemu_name = 'ppc64'
self.ida_processor = 'ppc64'
self.max_inst_bytes = 4
self.ip_offset = 1296
self.sp_offset = 24
self.bp_offset = 136
self.ret_offset = 8
self.call_pushes_ret = False
self.stack_change = -8
self.initial_sp = 0xffffffffff000000
self.memory_endness = endness
self.register_endness = endness
self.cs_arch = _capstone.CS_ARCH_PPC
self.cs_mode = _capstone.CS_MODE_64 + (_capstone.CS_MODE_LITTLE_ENDIAN if endness == 'Iend_LE' else _capstone.CS_MODE_BIG_ENDIAN)
self.ret_instruction = "\x4e\x80\x00\x20"
self.nop_instruction = "\x60\x00\x00\x00"
self.instruction_alignment = 4
self.persistent_regs = [ 'r2' ]
if endness == "Iend_LE":
self.function_prologs = {
r"\x94\x21\xff",
r"\x7c\x08\x02\xa6",
r"\x94\x21\xfe"
} # 4e800020: blr
else:
self.function_prologs = {
r"\xff\x21\x94",
r"\xa6\x02\x08\x7c",
r"\xfe\x21\x94",database.reverse_demangled = self.binary.reverse_demangled
database.imports = self.binary.imports
else:
self.binary.symbols = database.symbols
self.binary.reverse_symbols = database.reverse_symbols
self.binary.demangled = database.demangled
self.binary.reverse_demangled = database.reverse_demangled
self.binary.imports = database.imports
cs_arch = arch_lookup.get(self.binary.arch, None)
cs_mode = mode_lookup.get(self.binary.arch, None)
if self.is_big_endian:
cs_mode |= CAPSTONE.CS_MODE_BIG_ENDIAN
else:
cs_mode |= CAPSTONE.CS_MODE_LITTLE_ENDIAN
self.capstone = CAPSTONE
self.md = CAPSTONE.Cs(cs_arch, cs_mode)
self.md.detail = True
for s in self.binary.iter_sections():
s.big_endian = cs_mode & CAPSTONE.CS_MODE_BIG_ENDIANdef __init__(self, binary, filename=None):
magic_offset = 0
if not binary[magic_offset : magic_offset + WORD] == '\x7FELF':
raise BadMagicHeaderException()
self.binary = binary
self.filename = filename
offset = 4
self.bin_class = capstone.CS_MODE_32 if unpack('B', self.binary[offset : offset + BYTE])[0] == 1 else capstone.CS_MODE_64
self.word = ('Q' if self.bin_class == capstone.CS_MODE_64 else 'I', DWORD if self.bin_class == capstone.CS_MODE_64 else WORD)
offset = 5
self.endian = capstone.CS_MODE_LITTLE_ENDIAN if unpack('B', self.binary[offset : offset + BYTE])[0] == 1 else capstone.CS_MODE_BIG_ENDIAN
self.end = '<' if self.endian == capstone.CS_MODE_LITTLE_ENDIAN else '>'
offset = 7
os_values = {
0x00 : 'System V',
0x01 : 'HP-UX',
0x02 : 'NetBSD',
0x03 : 'Linux',
0x06 : 'Solaris',
0x07 : 'AIX',
0x08 : 'IRIX',
0x09 : 'FreeBSD',
0x0C : 'OpenBSD'
}
self.os = os_values[unpack('B', self.binary[offset : offset + BYTE])[0]]
offset = 0x10
type_values = {
1 : 'relocatable',def disassemble(code, addr):
cs = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64 + capstone.CS_MODE_LITTLE_ENDIAN)
for i in cs.disasm(code, addr):
return iself.vex_endness = "VexEndnessLE"
self.name = "X86"
self.qemu_name = 'i386'
self.ida_processor = 'metapc'
self.max_inst_bytes = 15
self.call_sp_fix = -8
self.ip_offset = 68
self.sp_offset = 24
self.bp_offset = 28
self.ret_offset = 8
self.call_pushes_ret = True
self.stack_change = -4
self.memory_endness = "Iend_LE"
self.register_endness = "Iend_LE"
self.cs_arch = _capstone.CS_ARCH_X86
self.cs_mode = _capstone.CS_MODE_32 + _capstone.CS_MODE_LITTLE_ENDIAN
self.function_prologs = {
r"\x55\x8b\xec", # push ebp; mov ebp, esp
r"\x55\x89\xe5", # push ebp; mov ebp, esp
}
self.ret_instruction = "\xc3"
self.nop_instruction = "\x90"
self.instruction_alignment = 1
self.default_register_values = [
( 'esp', self.initial_sp, True, 'global' ) # the stack
]
self.entry_register_values = {
'eax': 0x1C,
'edx': 'ld_destructor',
'ebp': 0
}
self.default_symbolic_registers = [ 'eax', 'ecx', 'edx', 'ebx', 'esp', 'ebp', 'esi', 'edi', 'eip' ]]
KWARGS = [
Kwarg(name='enabled', default=False),
Kwarg(name='keep_going', default=False),
Kwarg(name='min_insn_count', default=DEFAULT_MIN_INSN_COUNT),
]
ARCHITECTURES = [
Architecture(type=capstone.CS_ARCH_ARM,
mode=capstone.CS_MODE_ARM,
endianness=capstone.CS_MODE_BIG_ENDIAN,
description="ARM executable code, 32-bit, big endian"),
Architecture(type=capstone.CS_ARCH_ARM,
mode=capstone.CS_MODE_ARM,
endianness=capstone.CS_MODE_LITTLE_ENDIAN,
description="ARM executable code, 32-bit, little endian"),
Architecture(type=capstone.CS_ARCH_ARM64,
mode=capstone.CS_MODE_ARM,
endianness=capstone.CS_MODE_BIG_ENDIAN,
description="ARM executable code, 64-bit, big endian"),
Architecture(type=capstone.CS_ARCH_ARM64,
mode=capstone.CS_MODE_ARM,
endianness=capstone.CS_MODE_LITTLE_ENDIAN,
description="ARM executable code, 64-bit, little endian"),
Architecture(type=capstone.CS_ARCH_PPC,
mode=capstone.CS_MODE_BIG_ENDIAN,
endianness=capstone.CS_MODE_BIG_ENDIAN,
description="PPC executable code, 32/64-bit, big endian"),
Architecture(type=capstone.CS_ARCH_MIPS,elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS32, capstone.CS_MODE_BIG_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_MIPS, unicorn.UC_MODE_MIPS32, unicorn.UC_MODE_BIG_ENDIAN
elif is_mips64(a):
if a.endianness==Endianness.LITTLE:
if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_MIPS, keystone.KS_MODE_MIPS64, keystone.KS_MODE_LITTLE_ENDIAN
elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS64, capstone.CS_MODE_LITTLE_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_MIPS, unicorn.UC_MODE_MIPS64, unicorn.UC_MODE_LITTLE_ENDIAN
else:
if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_MIPS, keystone.KS_MODE_MIPS64, keystone.KS_MODE_BIG_ENDIAN
elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_MIPS, capstone.CS_MODE_MIPS64, capstone.CS_MODE_BIG_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_MIPS, unicorn.UC_MODE_MIPS64, unicorn.UC_MODE_BIG_ENDIAN
# sparc/sparc64
elif is_sparc(a):
if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_SPARC, keystone.KS_MODE_SPARC32, keystone.KS_MODE_LITTLE_ENDIAN
elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_SPARC, 0, capstone.CS_MODE_LITTLE_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_SPARC, unicorn.UC_MODE_SPARC32, unicorn.UC_MODE_LITTLE_ENDIAN
elif is_sparc(a):
if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_SPARC, keystone.KS_MODE_SPARC64, keystone.KS_MODE_LITTLE_ENDIAN
elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_SPARC, 0, capstone.CS_MODE_LITTLE_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_SPARC, unicorn.UC_MODE_SPARC64, unicorn.UC_MODE_LITTLE_ENDIAN
if arch is None and mode is None and endian is None:
raise Exception("Failed to get architecture parameter from mode")
return arch, mode, endian# Convert IDA architectures IDs to our own.
if architecture == "ppc": # FIXME : pyelftools does not recognize
# PowerPC architecture, hence does not
# return its type.
raise PimpMyRideException("PowerPC is unsupported.")
elif architecture == "MIPS":
cur_arch = uc.UC_ARCH_MIPS
if is_little_endian:
cur_mode = uc.UC_MODE_MIPS32 + uc.UC_MODE_LITTLE_ENDIAN
else:
cur_mode = uc.UC_MODE_MIPS32 + uc.UC_MODE_BIG_ENDIAN
cs_arch = cs.CS_ARCH_MIPS
if is_little_endian:
cs_mode = cs.CS_MODE_MIPS32 + cs.CS_MODE_LITTLE_ENDIAN
else:
cs_mode = cs.CS_MODE_MIPS32 + cs.CS_MODE_BIG_ENDIAN
elif architecture == "ARM":
#if self.mode == uc.UC_MODE_ARM:
#elif self.mode == uc.UC_MODE_THUMB:
cur_arch = uc.UC_ARCH_ARM
cur_mode = uc.UC_MODE_ARM
cs_arch = cs.CS_ARCH_ARM
cs_mode = cs.CS_MODE_ARM
elif architecture == "AArch64":
cur_arch = uc.UC_ARCH_ARM64
cur_mode = uc.UC_MODE_ARM
Popular capstone functions
- capstone.bindings.python.capstone.__init__.CsError
- capstone.capdb.models.CaseMetadata
- capstone.capdb.models.Citation
- capstone.Cs
- capstone.CS_ARCH_ARM
- capstone.CS_ARCH_ARM64
- capstone.CS_ARCH_MIPS
- capstone.CS_ARCH_X86
- capstone.CS_MODE_32
- capstone.CS_MODE_64
- capstone.CS_MODE_ARM
- capstone.CS_MODE_BIG_ENDIAN
- capstone.CS_MODE_LITTLE_ENDIAN
- capstone.CS_MODE_THUMB
- capstone.suite.test_group_name.GroupTest
- capstone.x86
- capstone.x86.X86_OP_IMM
- capstone.x86.X86_OP_MEM
- capstone.x86.X86_OP_REG
- capstone.x86_const