
I am using the Capstone disassembler to extract instruction sequences from PE binaries. The binaries have been compiled for different architectures. Capstone handles this with "mode" and "arch" parameters. However, if the correct mode/arch parameters are not used, then the function does not parse correctly.

Is there a way to determine what mode/arch parameters should be used? Right now, I try several different combinations of the parameters in a loop and simply select the combination that works. Code below:

    import capstone as cs

    with open("some_file.exe", "rb") as f:
        binary = f.read()

    md = None
    for arch in (cs.CS_ARCH_X86,):
        for mode in (cs.CS_MODE_16, cs.CS_MODE_32, cs.CS_MODE_64):
            md = cs.Cs(arch, mode)
            instructions = list(md.disasm_lite(binary, 0x0))
            if instructions:  # first combination that decodes anything wins
                break
        else:
            continue          # no mode matched for this arch; try the next arch
        break                 # also leave the outer loop (a bare break only left the inner one)

What I would like to do is something more like this:

    import capstone as cs
    binary = open("some_file.exe", "rb").read()
    arch = cs.get_architecture(binary)  # Not an actual function
    mode = cs.get_mode(binary)          # Not an actual function
    md = cs.Cs(arch, mode)
    instructions = list(md.disasm_lite(binary, 0x0))

Does Capstone implement this functionality? Any alternative tool suggestions would be appreciated as well.

  • AFAIK there's no such functionality; but if you are analyzing PE files, you just need to read the PE headers and use them to determine the arch and mode (see the `IMAGE_FILE_HEADER.Machine` and `IMAGE_OPTIONAL_HEADER.Magic` fields). You may use, for example, the `pefile` or `lief` python packages to read PE files. – Neitsa Oct 24 '22 at 16:44
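The header-driven approach from the comment above, as an added worked example (not code from the question, the commenter, or the Capstone project): it reads `IMAGE_FILE_HEADER.Machine` and `IMAGE_OPTIONAL_HEADER.Magic` directly with `struct` (no `pefile`/`lief` dependency), maps them to Capstone constant names, refuses inconsistent or unsupported combinations rather than guessing, and also resolves `AddressOfEntryPoint` through the section table so the disassembler is fed real code at its real virtual address instead of the file from offset 0 (the DOS header and section table are not code, and x86 16/32/64 all "decode" arbitrary bytes, so a non-empty result does not prove the mode was right). The function names and the `build_sample_pe()` helper are mine; it constructs a minimal hand-built PE for offline use, not compiler output.

```python
import struct

# IMAGE_FILE_HEADER.Machine (PE/COFF spec) -> Capstone (arch, mode) constant names.
# Kept as strings so this module imports without Capstone; resolved via getattr().
_MACHINE_TO_CAPSTONE = {
    0x014C: ("CS_ARCH_X86", "CS_MODE_32"),      # IMAGE_FILE_MACHINE_I386
    0x8664: ("CS_ARCH_X86", "CS_MODE_64"),      # IMAGE_FILE_MACHINE_AMD64
    0x01C0: ("CS_ARCH_ARM", "CS_MODE_ARM"),     # IMAGE_FILE_MACHINE_ARM
    0x01C4: ("CS_ARCH_ARM", "CS_MODE_THUMB"),   # IMAGE_FILE_MACHINE_ARMNT (Thumb-2)
    0xAA64: ("CS_ARCH_ARM64", "CS_MODE_ARM"),   # IMAGE_FILE_MACHINE_ARM64 (CS_ARCH_AARCH64 in newer Capstone)
}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B       # IMAGE_OPTIONAL_HEADER.Magic


def parse_pe_headers(data):
    """Parse Machine, Magic, AddressOfEntryPoint, ImageBase and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)              # IMAGE_DOS_HEADER.e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)   # AddressOfEntryPoint (both layouts)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt_off + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt_off + 24)   # no BaseOfData in PE32+
    else:
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    sections = []
    sec_off = opt_off + opt_size                                  # IMAGE_SECTION_HEADER[] (40 bytes each)
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rawptr, rawsize))
    return {"machine": machine, "magic": magic, "entry_rva": entry_rva,
            "image_base": image_base, "sections": sections}


def capstone_params(headers):
    """Map Machine/Magic to Capstone constant names; Magic must agree with Machine."""
    machine, magic = headers["machine"], headers["magic"]
    if machine not in _MACHINE_TO_CAPSTONE:
        raise ValueError("no Capstone target for Machine 0x%04x" % machine)
    if (machine in (0x8664, 0xAA64)) != (magic == PE32PLUS_MAGIC):
        raise ValueError("Machine 0x%04x does not match optional header magic 0x%x" % (machine, magic))
    return _MACHINE_TO_CAPSTONE[machine]


def entry_point_code(data, headers):
    """Return (bytes from the entry point to the end of its section, its virtual address)."""
    rva = headers["entry_rva"]
    for _name, vaddr, vsize, rawptr, rawsize in headers["sections"]:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            start = rawptr + (rva - vaddr)
            return data[start:rawptr + rawsize], headers["image_base"] + rva
    raise ValueError("entry point RVA 0x%x is not backed by any section" % rva)


def make_disassembler(data):
    """Build capstone.Cs for the file's real target (needs Capstone installed)."""
    import capstone as cs
    arch, mode = capstone_params(parse_pe_headers(data))
    return cs.Cs(getattr(cs, arch), getattr(cs, mode))


def build_sample_pe(machine, magic, code):
    """Constructed minimal PE for testing (not compiler output): one .text section
    at RVA 0x1000 / file offset 0x200, entry point at the section start."""
    opt_size = 0xF0 if magic == PE32PLUS_MAGIC else 0xE0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 16, 0x1000)                       # AddressOfEntryPoint
    if magic == PE32PLUS_MAGIC:
        struct.pack_into("<Q", opt, 24, 0x140000000)              # ImageBase (PE32+)
    else:
        struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase (PE32)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + code.ljust(0x200, b"\0")


# Constructed x86-64 bytes: sub rsp,0x28 ; add rsp,0x28 ; ret
SAMPLE_CODE = b"\x48\x83\xec\x28\x48\x83\xc4\x28\xc3"

if __name__ == "__main__":
    sample = build_sample_pe(0x8664, PE32PLUS_MAGIC, SAMPLE_CODE)
    hdrs = parse_pe_headers(sample)
    print("target:", capstone_params(hdrs))
    code, va = entry_point_code(sample, hdrs)
    try:
        for addr, _size, mnemonic, op_str in make_disassembler(sample).disasm_lite(code, va):
            print("0x%x\t%s %s" % (addr, mnemonic, op_str))
    except ImportError:
        print("capstone not installed; headers only")
```

The Magic/Machine consistency check is deliberate: a PE32+ header with an I386 machine (or vice versa) is either corrupt or crafted, and a loop that picks "whichever mode produced output" would happily disassemble it as the wrong thing. The same selection logic works for real files by replacing `build_sample_pe()` with `open(path, "rb").read()`.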

0 Answers