How to use the capstone.CS_MODE_THUMB function in capstone
To help you get started, we’ve selected a few capstone examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
ReFirmLabs / binwalk / src / binwalk / modules / disasm.py View on Github 
Architecture(type=capstone.CS_ARCH_MIPS,
mode=capstone.CS_MODE_64,
endianness=capstone.CS_MODE_BIG_ENDIAN,
description="MIPS executable code, 32/64-bit, big endian"),
Architecture(type=capstone.CS_ARCH_MIPS,
mode=capstone.CS_MODE_64,
endianness=capstone.CS_MODE_LITTLE_ENDIAN,
description="MIPS executable code, 32/64-bit, little endian"),
Architecture(type=capstone.CS_ARCH_ARM,
mode=capstone.CS_MODE_THUMB,
endianness=capstone.CS_MODE_LITTLE_ENDIAN,
description="ARM executable code, 16-bit (Thumb), little endian"),
Architecture(type=capstone.CS_ARCH_ARM,
mode=capstone.CS_MODE_THUMB,
endianness=capstone.CS_MODE_BIG_ENDIAN,
description="ARM executable code, 16-bit (Thumb), big endian"),
]
def init(self):
self.disassemblers = []
if not self.min_insn_count:
self.min_insn_count = self.DEFAULT_MIN_INSN_COUNT
self.disasm_data_size = self.min_insn_count * 10
for arch in self.ARCHITECTURES:
self.disassemblers.append((capstone.Cs(arch.type, (arch.mode + arch.endianness)), arch.description))
def scan_file(self, fp):def __setup_available_disassemblers(self):
arch_map = {
ARCH_ARM_MODE_ARM: CS_MODE_ARM,
ARCH_ARM_MODE_THUMB: CS_MODE_THUMB,
}
self._available_disassemblers = {
ARCH_ARM_MODE_ARM: Cs(CS_ARCH_ARM, arch_map[ARCH_ARM_MODE_ARM]),
ARCH_ARM_MODE_THUMB: Cs(CS_ARCH_ARM, arch_map[ARCH_ARM_MODE_THUMB]),
}
self._available_disassemblers[ARCH_ARM_MODE_ARM].detail = True
self._available_disassemblers[ARCH_ARM_MODE_THUMB].detail = Truedef print_disasm(self, code, startAddr, maxInstructions=None):
if not isCapstoneAvailable:
print "Warning: Disassembly is not available because the Capstone library is not installed"
return
pc = self.target.readCoreRegister('pc') & ~1
md = capstone.Cs(capstone.CS_ARCH_ARM, capstone.CS_MODE_THUMB)
addrLine = 0
text = ''
n = 0
for i in md.disasm(code, startAddr):
hexBytes = ''
for b in i.bytes:
hexBytes += '%02x' % b
pc_marker = '*' if (pc == i.address) else ' '
text += "{addr:#010x}:{pc_marker} {bytes:<10}{mnemonic:<8}{args}\n".format(addr=i.address, pc_marker=pc_marker, bytes=hexBytes, mnemonic=i.mnemonic, args=i.op_str)
n += 1
if (maxInstructions is not None) and (n >= maxInstructions):
break
print textdef init_disassembler_engine(self):
# init state for disasambler
# set capstone, lexer, asmline
arch, mode = self.plugin.hintDisasm()
self.disasm_engine = capstone.Cs(arch, mode)
self.disasm_engine.detail = True
if arch == capstone.CS_ARCH_X86:
Lexer = X86_Lexer()
if arch == capstone.CS_ARCH_ARM and mode in [capstone.CS_MODE_ARM, capstone.CS_MODE_THUMB]:
Lexer = ARM_Lexer()
if arch == capstone.CS_ARCH_ARM64:
Lexer = ARM64_Lexer()
# todo: ASM_ARM_Line?
self.ASMLine = ASMx86Line
Lexer.build()
self.lexer = Lexer.lexer()elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_X86, capstone.CS_MODE_32, capstone.CS_MODE_LITTLE_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_X86, unicorn.UC_MODE_32, unicorn.UC_MODE_LITTLE_ENDIAN
elif is_x86_64(a):
if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_X86, keystone.KS_MODE_64, keystone.KS_MODE_LITTLE_ENDIAN
elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_X86, capstone.CS_MODE_64, capstone.CS_MODE_LITTLE_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_X86, unicorn.UC_MODE_64, unicorn.UC_MODE_LITTLE_ENDIAN
# arm
elif is_arm(a):
if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_ARM, keystone.KS_MODE_ARM, keystone.KS_MODE_LITTLE_ENDIAN
elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_ARM, capstone.CS_MODE_ARM, capstone.CS_MODE_LITTLE_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_ARM, unicorn.UC_MODE_ARM, unicorn.UC_MODE_LITTLE_ENDIAN
elif is_arm_thumb(a):
if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_ARM, keystone.KS_MODE_THUMB, keystone.KS_MODE_LITTLE_ENDIAN
elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_ARM, capstone.CS_MODE_THUMB, capstone.CS_MODE_LITTLE_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_ARM, unicorn.UC_MODE_THUMB, unicorn.UC_MODE_LITTLE_ENDIAN
# aarch64
elif is_aarch64(a):
if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_ARM64, 0, keystone.KS_MODE_LITTLE_ENDIAN
elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_ARM64, capstone.CS_MODE_ARM, capstone.CS_MODE_LITTLE_ENDIAN
else: arch, mode, endian = unicorn.UC_ARCH_ARM64, unicorn.UC_MODE_ARM, unicorn.UC_MODE_LITTLE_ENDIAN
# powerpc (uncomment when unicorn supports ppc)
# elif is_ppc(m):
# if lib=="keystone": arch, mode, endian = keystone.KS_ARCH_PPC, keystone.KS_MODE_PPC32, keystone.KS_MODE_BIG_ENDIAN
# elif lib=="capstone": arch, mode, endian = capstone.CS_ARCH_PPC, 0, capstone.CS_MODE_BIG_ENDIAN
# else: arch, mode, endian = unicorn.UC_ARCH_PPC, unicorn.UC_MODE_PPC32, unicorn.UC_MODE_BIG_ENDIAN
# mips/mips64
elif is_mips(a):if target is None:
target = pwnypack.target.target
if target.arch == pwnypack.target.Target.Arch.x86:
if target.bits is pwnypack.target.Target.Bits.bits_32:
md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_32)
else:
md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
elif target.arch == pwnypack.target.Target.Arch.arm:
mode = 0
if target.bits is pwnypack.target.Target.Bits.bits_32:
arch = capstone.CS_ARCH_ARM
if target.mode and pwnypack.target.Target.Mode.arm_thumb:
mode = capstone.CS_MODE_THUMB
else:
mode = capstone.CS_MODE_ARM
if target.mode and pwnypack.target.Target.Mode.arm_m_class:
mode |= capstone.CS_MODE_MCLASS
if target.mode and pwnypack.target.Target.Mode.arm_v8:
mode |= capstone.CS_MODE_V8
else:
arch = capstone.CS_ARCH_ARM64
if target.endian is pwnypack.target.Target.Endian.little:
mode |= capstone.CS_MODE_LITTLE_ENDIAN
else:
mode |= capstone.CS_MODE_BIG_ENDIAN
md = capstone.Cs(arch, mode)def setup_arm(self):
self.thumb = self.context.pc.thumb
if self.thumb:
self._current_cpu_mode = unicorn.UC_MODE_THUMB
self.cs = Cs(CS_ARCH_ARM, CS_MODE_THUMB)
self.uc = unicorn.Uc(unicorn.UC_ARCH_ARM, unicorn.UC_MODE_THUMB)
# Enable VFP instr
self.uc.mem_map(0x1000, 1024)
self.uc.mem_write(0x1000, binascii.unhexlify(VFP))
self.uc.emu_start(0x1000 | 1, 0x1000 + len(VFP))
self.uc.mem_unmap(0x1000, 1024)
else:
self.cs = Cs(CS_ARCH_ARM, CS_MODE_ARM)
self.uc = unicorn.Uc(unicorn.UC_ARCH_ARM, unicorn.UC_MODE_ARM)
self._current_cpu_mode = unicorn.UC_MODE_ARMcapstone.CS_MODE_16|capstone.CS_MODE_LITTLE_ENDIAN)),
(X86_32, LITTLE_ENDIAN): ((keystone.KS_ARCH_X86,
keystone.KS_MODE_32|keystone.KS_MODE_LITTLE_ENDIAN),
(capstone.CS_ARCH_X86,
capstone.CS_MODE_32|capstone.CS_MODE_LITTLE_ENDIAN)),
(X86_64, LITTLE_ENDIAN): ((keystone.KS_ARCH_X86, keystone.KS_MODE_64),
(capstone.CS_ARCH_X86,
capstone.CS_MODE_64|capstone.CS_MODE_LITTLE_ENDIAN)),
(ARM_16, BIG_ENDIAN): ((keystone.KS_ARCH_ARM,
keystone.KS_MODE_THUMB|keystone.KS_MODE_BIG_ENDIAN),
(capstone.CS_ARCH_ARM,
capstone.CS_MODE_THUMB|capstone.CS_MODE_BIG_ENDIAN)),
(ARM_16, LITTLE_ENDIAN): ((keystone.KS_ARCH_ARM,
keystone.KS_MODE_THUMB|keystone.KS_MODE_LITTLE_ENDIAN),
(capstone.CS_ARCH_ARM,
capstone.CS_MODE_THUMB|capstone.CS_MODE_LITTLE_ENDIAN)),
(ARM_32, BIG_ENDIAN): ((keystone.KS_ARCH_ARM,
keystone.KS_MODE_ARM|keystone.KS_MODE_BIG_ENDIAN),
(capstone.CS_ARCH_ARM,
capstone.CS_MODE_ARM|capstone.CS_MODE_BIG_ENDIAN)),
(ARM_32, LITTLE_ENDIAN): ((keystone.KS_ARCH_ARM,
keystone.KS_MODE_ARM|keystone.KS_MODE_LITTLE_ENDIAN),
(capstone.CS_ARCH_ARM,
capstone.CS_MODE_ARM|capstone.CS_MODE_LITTLE_ENDIAN)),
(ARM_64, LITTLE_ENDIAN): ((keystone.KS_ARCH_ARM64,
keystone.KS_MODE_LITTLE_ENDIAN),
(capstone.CS_ARCH_ARM64, capstone.CS_MODE_LITTLE_ENDIAN)),
(MIPS_32, BIG_ENDIAN): ((keystone.KS_ARCH_MIPS,
keystone.KS_MODE_32|keystone.KS_MODE_BIG_ENDIAN|keystone.KS_MODE_MIPS32),
(capstone.CS_ARCH_MIPS,
capstone.CS_MODE_32|capstone.CS_MODE_BIG_ENDIAN)),
(MIPS_32, LITTLE_ENDIAN): ((keystone.KS_ARCH_MIPS,#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
import capstone
import _any_capstone
arch_id = "arm_32"
dis_arm = capstone.Cs(capstone.CS_ARCH_ARM, capstone.CS_MODE_ARM)
dis_thumb = capstone.Cs(capstone.CS_ARCH_ARM, capstone.CS_MODE_THUMB)
def PROCESSOR_ENTRY():
return _any_capstone.Processor("arm_32", dis_arm, dis_thumb)
Popular capstone functions
- capstone.bindings.python.capstone.__init__.CsError
- capstone.capdb.models.CaseMetadata
- capstone.capdb.models.Citation
- capstone.Cs
- capstone.CS_ARCH_ARM
- capstone.CS_ARCH_ARM64
- capstone.CS_ARCH_MIPS
- capstone.CS_ARCH_X86
- capstone.CS_MODE_32
- capstone.CS_MODE_64
- capstone.CS_MODE_ARM
- capstone.CS_MODE_BIG_ENDIAN
- capstone.CS_MODE_LITTLE_ENDIAN
- capstone.CS_MODE_THUMB
- capstone.suite.test_group_name.GroupTest
- capstone.x86
- capstone.x86.X86_OP_IMM
- capstone.x86.X86_OP_MEM
- capstone.x86.X86_OP_REG
- capstone.x86_const