Does the Captone python module support an exe as input, or does the data need to be an isolated instruction binary?

Question

Some disassemblers like IDA or Ghidra take an exe and output the instructions. Other disassemblers require the user to parse the PE header, isolate binary for the instructions and pass that in.

I'm trying to learn to use the Capstone Python API, but the .py documentation only ever shows a buffer of isolated instructions being passed, like so:

# test1.py
from capstone import *

CODE = b"\x55\x48\x8b\x05\xb8\x13\x00\x00"

md = Cs(CS_ARCH_X86, CS_MODE_64)
for i in md.disasm(CODE, 0x1000):
    print("0x%x:\t%s\t%s" %(i.address, i.mnemonic, i.op_str))

But I want to do something like:

CODE = open("test.exe", "rb")

Without having to personally parse the PE headers to isolate the instruction data. Does Captone's API support this?

score 1 · Accepted Answer · answered May 25 '21 at 00:24

1

Capstone is architecture-independent. It doesn't understand PE files or elf files. You just feed it bytes of machine language for whatever processor you have.

answered May 25 '21 at 00:24

Tim Roberts

48,973
4
21
30

Does the Captone python module support an exe as input, or does the data need to be an isolated instruction binary?

1 Answers1