How to use capstone - 10 common examples
To help you get started, we’ve selected a few capstone examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
gereeter / hsdecomp / hsdecomp / machine.py View on Github 
def simulate(self, instructions):
for insn in instructions:
if insn.mnemonic == 'add':
assert insn.operands[1].type == capstone.x86.X86_OP_IMM
self.store(insn.operands[0], ptrutil.pointer_offset(self.settings, self.load(insn.operands[0]), insn.operands[1].imm))
if insn.operands[0].type == capstone.x86.X86_OP_REG and base_register(insn.operands[0].reg) == self.settings.rt.heap_register:
self.heap += [None] * (insn.operands[1].imm // self.settings.rt.word.size)
elif insn.mnemonic == 'mov':
self.store(insn.operands[0], self.load(insn.operands[1]))
elif insn.mnemonic == 'lea':
self.store(insn.operands[0], self.read_memory_operand(insn.operands[1].mem))def test(function):
print("")
print("=== Function %s ===" % function.__name__)
print("")
native, asm = compiler.compile_function(function)
try:
print("Native code:")
md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_64)
for i in md.disasm(asm.raw, asm.address):
print(" 0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str))
if i.mnemonic == "ret":
break
print("")
except NameError:
pass
test_function(function, native)X86_GRP_SGX: "sgx",
X86_GRP_DQI: "dqi",
X86_GRP_BWI: "bwi",
X86_GRP_PFI: "pfi",
X86_GRP_VLX: "vlx",
X86_GRP_SMAP: "smap",
X86_GRP_NOVLX: "novlx",
}
xcore_dict = {
XCORE_GRP_JUMP: "jump",
}
tests = [
GroupTest('arm', CS_ARCH_ARM, CS_MODE_THUMB, arm_dict),
GroupTest('arm64', CS_ARCH_ARM64, CS_MODE_ARM, arm64_dict),
GroupTest('mips', CS_ARCH_MIPS, CS_MODE_MIPS32 | CS_MODE_BIG_ENDIAN, mips_dict),
GroupTest('ppc', CS_ARCH_PPC, CS_MODE_BIG_ENDIAN, ppc_dict),
GroupTest('sparc', CS_ARCH_SPARC, CS_MODE_BIG_ENDIAN, sparc_dict),
GroupTest('sysz', CS_ARCH_SYSZ, CS_MODE_BIG_ENDIAN, sysz_dict),
GroupTest('x86', CS_ARCH_X86, CS_MODE_32, x86_dict),
GroupTest('xcore', CS_ARCH_XCORE, CS_MODE_BIG_ENDIAN, xcore_dict),
GroupTest('m68k', CS_ARCH_M68K, CS_MODE_BIG_ENDIAN, xcore_dict),
]
if __name__ == '__main__':
args = sys.argv[1:]
all = len(args) == 0 or 'all' in args
for t in tests:
if all or t.name in args:
t.run()
else:X86_GRP_PFI: "pfi",
X86_GRP_VLX: "vlx",
X86_GRP_SMAP: "smap",
X86_GRP_NOVLX: "novlx",
}
xcore_dict = {
XCORE_GRP_JUMP: "jump",
}
tests = [
GroupTest('arm', CS_ARCH_ARM, CS_MODE_THUMB, arm_dict),
GroupTest('arm64', CS_ARCH_ARM64, CS_MODE_ARM, arm64_dict),
GroupTest('mips', CS_ARCH_MIPS, CS_MODE_MIPS32 | CS_MODE_BIG_ENDIAN, mips_dict),
GroupTest('ppc', CS_ARCH_PPC, CS_MODE_BIG_ENDIAN, ppc_dict),
GroupTest('sparc', CS_ARCH_SPARC, CS_MODE_BIG_ENDIAN, sparc_dict),
GroupTest('sysz', CS_ARCH_SYSZ, CS_MODE_BIG_ENDIAN, sysz_dict),
GroupTest('x86', CS_ARCH_X86, CS_MODE_32, x86_dict),
GroupTest('xcore', CS_ARCH_XCORE, CS_MODE_BIG_ENDIAN, xcore_dict),
GroupTest('m68k', CS_ARCH_M68K, CS_MODE_BIG_ENDIAN, xcore_dict),
]
if __name__ == '__main__':
args = sys.argv[1:]
all = len(args) == 0 or 'all' in args
for t in tests:
if all or t.name in args:
t.run()
else:
print('Skipping %s' %t.name)X86_GRP_SMAP: "smap",
X86_GRP_NOVLX: "novlx",
}
xcore_dict = {
XCORE_GRP_JUMP: "jump",
}
tests = [
GroupTest('arm', CS_ARCH_ARM, CS_MODE_THUMB, arm_dict),
GroupTest('arm64', CS_ARCH_ARM64, CS_MODE_ARM, arm64_dict),
GroupTest('mips', CS_ARCH_MIPS, CS_MODE_MIPS32 | CS_MODE_BIG_ENDIAN, mips_dict),
GroupTest('ppc', CS_ARCH_PPC, CS_MODE_BIG_ENDIAN, ppc_dict),
GroupTest('sparc', CS_ARCH_SPARC, CS_MODE_BIG_ENDIAN, sparc_dict),
GroupTest('sysz', CS_ARCH_SYSZ, CS_MODE_BIG_ENDIAN, sysz_dict),
GroupTest('x86', CS_ARCH_X86, CS_MODE_32, x86_dict),
GroupTest('xcore', CS_ARCH_XCORE, CS_MODE_BIG_ENDIAN, xcore_dict),
GroupTest('m68k', CS_ARCH_M68K, CS_MODE_BIG_ENDIAN, xcore_dict),
]
if __name__ == '__main__':
args = sys.argv[1:]
all = len(args) == 0 or 'all' in args
for t in tests:
if all or t.name in args:
t.run()
else:
print('Skipping %s' %t.name)X86_GRP_DQI: "dqi",
X86_GRP_BWI: "bwi",
X86_GRP_PFI: "pfi",
X86_GRP_VLX: "vlx",
X86_GRP_SMAP: "smap",
X86_GRP_NOVLX: "novlx",
}
xcore_dict = {
XCORE_GRP_JUMP: "jump",
}
tests = [
GroupTest('arm', CS_ARCH_ARM, CS_MODE_THUMB, arm_dict),
GroupTest('arm64', CS_ARCH_ARM64, CS_MODE_ARM, arm64_dict),
GroupTest('mips', CS_ARCH_MIPS, CS_MODE_MIPS32 | CS_MODE_BIG_ENDIAN, mips_dict),
GroupTest('ppc', CS_ARCH_PPC, CS_MODE_BIG_ENDIAN, ppc_dict),
GroupTest('sparc', CS_ARCH_SPARC, CS_MODE_BIG_ENDIAN, sparc_dict),
GroupTest('sysz', CS_ARCH_SYSZ, CS_MODE_BIG_ENDIAN, sysz_dict),
GroupTest('x86', CS_ARCH_X86, CS_MODE_32, x86_dict),
GroupTest('xcore', CS_ARCH_XCORE, CS_MODE_BIG_ENDIAN, xcore_dict),
GroupTest('m68k', CS_ARCH_M68K, CS_MODE_BIG_ENDIAN, xcore_dict),
]
if __name__ == '__main__':
args = sys.argv[1:]
all = len(args) == 0 or 'all' in args
for t in tests:
if all or t.name in args:
t.run()
else:
print('Skipping %s' %t.name)X86_GRP_SGX: "sgx",
X86_GRP_DQI: "dqi",
X86_GRP_BWI: "bwi",
X86_GRP_PFI: "pfi",
X86_GRP_VLX: "vlx",
X86_GRP_SMAP: "smap",
X86_GRP_NOVLX: "novlx",
}
xcore_dict = {
XCORE_GRP_JUMP: "jump",
}
tests = [
GroupTest('arm', CS_ARCH_ARM, CS_MODE_THUMB, arm_dict),
GroupTest('arm64', CS_ARCH_ARM64, CS_MODE_ARM, arm64_dict),
GroupTest('mips', CS_ARCH_MIPS, CS_MODE_MIPS32 | CS_MODE_BIG_ENDIAN, mips_dict),
GroupTest('ppc', CS_ARCH_PPC, CS_MODE_BIG_ENDIAN, ppc_dict),
GroupTest('sparc', CS_ARCH_SPARC, CS_MODE_BIG_ENDIAN, sparc_dict),
GroupTest('sysz', CS_ARCH_SYSZ, CS_MODE_BIG_ENDIAN, sysz_dict),
GroupTest('x86', CS_ARCH_X86, CS_MODE_32, x86_dict),
GroupTest('xcore', CS_ARCH_XCORE, CS_MODE_BIG_ENDIAN, xcore_dict),
GroupTest('m68k', CS_ARCH_M68K, CS_MODE_BIG_ENDIAN, xcore_dict),
]
if __name__ == '__main__':
args = sys.argv[1:]
all = len(args) == 0 or 'all' in args
for t in tests:
if all or t.name in args:
t.run()
else:X86_GRP_NOVLX: "novlx",
}
xcore_dict = {
XCORE_GRP_JUMP: "jump",
}
tests = [
GroupTest('arm', CS_ARCH_ARM, CS_MODE_THUMB, arm_dict),
GroupTest('arm64', CS_ARCH_ARM64, CS_MODE_ARM, arm64_dict),
GroupTest('mips', CS_ARCH_MIPS, CS_MODE_MIPS32 | CS_MODE_BIG_ENDIAN, mips_dict),
GroupTest('ppc', CS_ARCH_PPC, CS_MODE_BIG_ENDIAN, ppc_dict),
GroupTest('sparc', CS_ARCH_SPARC, CS_MODE_BIG_ENDIAN, sparc_dict),
GroupTest('sysz', CS_ARCH_SYSZ, CS_MODE_BIG_ENDIAN, sysz_dict),
GroupTest('x86', CS_ARCH_X86, CS_MODE_32, x86_dict),
GroupTest('xcore', CS_ARCH_XCORE, CS_MODE_BIG_ENDIAN, xcore_dict),
GroupTest('m68k', CS_ARCH_M68K, CS_MODE_BIG_ENDIAN, xcore_dict),
]
if __name__ == '__main__':
args = sys.argv[1:]
all = len(args) == 0 or 'all' in args
for t in tests:
if all or t.name in args:
t.run()
else:
print('Skipping %s' %t.name)}
xcore_dict = {
XCORE_GRP_JUMP: "jump",
}
tests = [
GroupTest('arm', CS_ARCH_ARM, CS_MODE_THUMB, arm_dict),
GroupTest('arm64', CS_ARCH_ARM64, CS_MODE_ARM, arm64_dict),
GroupTest('mips', CS_ARCH_MIPS, CS_MODE_MIPS32 | CS_MODE_BIG_ENDIAN, mips_dict),
GroupTest('ppc', CS_ARCH_PPC, CS_MODE_BIG_ENDIAN, ppc_dict),
GroupTest('sparc', CS_ARCH_SPARC, CS_MODE_BIG_ENDIAN, sparc_dict),
GroupTest('sysz', CS_ARCH_SYSZ, CS_MODE_BIG_ENDIAN, sysz_dict),
GroupTest('x86', CS_ARCH_X86, CS_MODE_32, x86_dict),
GroupTest('xcore', CS_ARCH_XCORE, CS_MODE_BIG_ENDIAN, xcore_dict),
GroupTest('m68k', CS_ARCH_M68K, CS_MODE_BIG_ENDIAN, xcore_dict),
]
if __name__ == '__main__':
args = sys.argv[1:]
all = len(args) == 0 or 'all' in args
for t in tests:
if all or t.name in args:
t.run()
else:
print('Skipping %s' %t.name)X86_GRP_BWI: "bwi",
X86_GRP_PFI: "pfi",
X86_GRP_VLX: "vlx",
X86_GRP_SMAP: "smap",
X86_GRP_NOVLX: "novlx",
}
xcore_dict = {
XCORE_GRP_JUMP: "jump",
}
tests = [
GroupTest('arm', CS_ARCH_ARM, CS_MODE_THUMB, arm_dict),
GroupTest('arm64', CS_ARCH_ARM64, CS_MODE_ARM, arm64_dict),
GroupTest('mips', CS_ARCH_MIPS, CS_MODE_MIPS32 | CS_MODE_BIG_ENDIAN, mips_dict),
GroupTest('ppc', CS_ARCH_PPC, CS_MODE_BIG_ENDIAN, ppc_dict),
GroupTest('sparc', CS_ARCH_SPARC, CS_MODE_BIG_ENDIAN, sparc_dict),
GroupTest('sysz', CS_ARCH_SYSZ, CS_MODE_BIG_ENDIAN, sysz_dict),
GroupTest('x86', CS_ARCH_X86, CS_MODE_32, x86_dict),
GroupTest('xcore', CS_ARCH_XCORE, CS_MODE_BIG_ENDIAN, xcore_dict),
GroupTest('m68k', CS_ARCH_M68K, CS_MODE_BIG_ENDIAN, xcore_dict),
]
if __name__ == '__main__':
args = sys.argv[1:]
all = len(args) == 0 or 'all' in args
for t in tests:
if all or t.name in args:
t.run()
else:
print('Skipping %s' %t.name)
Popular capstone functions
- capstone.bindings.python.capstone.__init__.CsError
- capstone.capdb.models.CaseMetadata
- capstone.capdb.models.Citation
- capstone.Cs
- capstone.CS_ARCH_ARM
- capstone.CS_ARCH_ARM64
- capstone.CS_ARCH_MIPS
- capstone.CS_ARCH_X86
- capstone.CS_MODE_32
- capstone.CS_MODE_64
- capstone.CS_MODE_ARM
- capstone.CS_MODE_BIG_ENDIAN
- capstone.CS_MODE_LITTLE_ENDIAN
- capstone.CS_MODE_THUMB
- capstone.suite.test_group_name.GroupTest
- capstone.x86
- capstone.x86.X86_OP_IMM
- capstone.x86.X86_OP_MEM
- capstone.x86.X86_OP_REG
- capstone.x86_const