From: Nguyen A. Q. <aq...@gm...> - 2016-03-30 17:11:08

Dear Capstone/Unicorn users,

We have passed the initial funding goal on IndieGogo in just 1 week! Thanks a lot to everybody who believed in this project and supported us, you are awesome!

With about 10 more days to go, we decided to set out a new stretch goal of $15000 to support more assembly syntaxes such as GNU Gas & Nasm. More information is available at http://www.keystone-engine.org/indiegogo2

Please help to spread the news, and support our campaign: https://igg.me/at/keystone/

Thanks,
Quynh
http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org

On Thu, Mar 17, 2016 at 11:10 PM, Nguyen Anh Quynh <aq...@gm...> wrote:
> Dear Capstone/Unicorn users,
>
> We are very excited to announce our IndieGogo campaign for Keystone Engine, the next-gen assembler framework!
>
> Find more information at our IndieGogo page at https://igg.me/at/keystone/, and our homepage at http://www.keystone-engine.org
>
> After Capstone & Unicorn, Keystone is the latest of our on-going effort to bring better tools to the reverse-engineering community. Now with the final missing piece Keystone, we complete the magical trilogy of disassembler - emulator - assembler.
>
> Come support us, and help to spread the news, so together we can solve the lingering problem of missing the assembler framework once, and for all!
>
> The Keystone name came from some private conversation with Felix "FX" Lindner. Thanks for such a great inspiration, FX!
>
> Best,
> Quynh
>
> http://www.capstone-engine.org
> http://www.unicorn-engine.org
> http://www.keystone-engine.org
From: Nguyen A. Q. <aq...@gm...> - 2016-03-25 02:43:41

hi Per,

thanks for reporting & also fixing the issue. would you mind sending a pull-request on Github for this issue?

thanks,
Quynh
http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org

On Thu, Mar 24, 2016 at 8:44 AM, Per Mildner <pe...@si...> wrote:
> On 64-bit PPC a branch, like "bce TARGET" gets the target truncated to 32-bits.
>
>     00003fff76030028 bge 0x760300c0 # this is really branching to the ld instruction, below.
>     ...
>     00003fff760300c0 ld r6, -8(r20)
>
> I think the cause is the (int) cast in the following procedure, in PPCInstPrinter.c:
>
>     static void printAbsBranchOperand(MCInst *MI, unsigned OpNo, SStream *O)
>     {
>         int imm;
>
>         if (!MCOperand_isImm(MCInst_getOperand(MI, OpNo))) {
>             printOperand(MI, OpNo, O);
>             return;
>         }
>
>         imm = ((int)MCOperand_getImm(MCInst_getOperand(MI, OpNo)) << 2);
>
>         if (!PPC_abs_branch(MI->csh, MCInst_getOpcode(MI))) {
>             imm = (int)MI->address + imm;
>         }
>
>         SStream_concat(O, "0x%x", imm);
>
>         if (MI->csh->detail) {
>             MI->flat_insn->detail->ppc.operands[MI->flat_insn->detail->ppc.op_count].type = PPC_OP_IMM;
>             MI->flat_insn->detail->ppc.operands[MI->flat_insn->detail->ppc.op_count].imm = imm;
>             MI->flat_insn->detail->ppc.op_count++;
>         }
>     }
>
> If I change that procedure, as follows, I get the correct result:
>
>     00003fff87940028 bge 0x3fff87940060
>     ...
>     00003fff87940060 ld r6, -8(r20)
>
> # New version, using int64_t instead of int
>
>     static void printAbsBranchOperand(MCInst *MI, unsigned OpNo, SStream *O)
>     {
>         int64_t imm;
>
>         if (!MCOperand_isImm(MCInst_getOperand(MI, OpNo))) {
>             printOperand(MI, OpNo, O);
>             return;
>         }
>
>         imm = MCOperand_getImm(MCInst_getOperand(MI, OpNo)) << 2;
>
>         if (!PPC_abs_branch(MI->csh, MCInst_getOpcode(MI))) {
>             imm = MI->address + imm;
>         }
>
>         SStream_concat(O, "0x%"PRIx64, imm);
>
>         if (MI->csh->detail) {
>             MI->flat_insn->detail->ppc.operands[MI->flat_insn->detail->ppc.op_count].type = PPC_OP_IMM;
>             MI->flat_insn->detail->ppc.operands[MI->flat_insn->detail->ppc.op_count].imm = imm;
>             MI->flat_insn->detail->ppc.op_count++;
>         }
>     }
>
> uname -a on this machine says: Linux ... 3.10.0-229.4.2.ael7b.ppc64le #1 SMP Fri Apr 24 15:23:58 EDT 2015 ppc64le ppc64le ppc64le GNU/Linux
>
> Capstone branch "next" at commit 16ae82e0fcd707466f27f4bf84afdbd13667e27d
>
> Regards,
>
> Per Mildner Per...@si...
> Swedish Institute of Computer Science
From: Per M. <pe...@si...> - 2016-03-24 01:10:56

On 64-bit PPC a branch, like "bce TARGET" gets the target truncated to 32-bits.

    00003fff76030028 bge 0x760300c0 # this is really branching to the ld instruction, below.
    ...
    00003fff760300c0 ld r6, -8(r20)

I think the cause is the (int) cast in the following procedure, in PPCInstPrinter.c:

    static void printAbsBranchOperand(MCInst *MI, unsigned OpNo, SStream *O)
    {
        int imm;

        if (!MCOperand_isImm(MCInst_getOperand(MI, OpNo))) {
            printOperand(MI, OpNo, O);
            return;
        }

        imm = ((int)MCOperand_getImm(MCInst_getOperand(MI, OpNo)) << 2);

        if (!PPC_abs_branch(MI->csh, MCInst_getOpcode(MI))) {
            imm = (int)MI->address + imm;
        }

        SStream_concat(O, "0x%x", imm);

        if (MI->csh->detail) {
            MI->flat_insn->detail->ppc.operands[MI->flat_insn->detail->ppc.op_count].type = PPC_OP_IMM;
            MI->flat_insn->detail->ppc.operands[MI->flat_insn->detail->ppc.op_count].imm = imm;
            MI->flat_insn->detail->ppc.op_count++;
        }
    }

If I change that procedure, as follows, I get the correct result:

    00003fff87940028 bge 0x3fff87940060
    ...
    00003fff87940060 ld r6, -8(r20)

# New version, using int64_t instead of int

    static void printAbsBranchOperand(MCInst *MI, unsigned OpNo, SStream *O)
    {
        int64_t imm;

        if (!MCOperand_isImm(MCInst_getOperand(MI, OpNo))) {
            printOperand(MI, OpNo, O);
            return;
        }

        imm = MCOperand_getImm(MCInst_getOperand(MI, OpNo)) << 2;

        if (!PPC_abs_branch(MI->csh, MCInst_getOpcode(MI))) {
            imm = MI->address + imm;
        }

        SStream_concat(O, "0x%"PRIx64, imm);

        if (MI->csh->detail) {
            MI->flat_insn->detail->ppc.operands[MI->flat_insn->detail->ppc.op_count].type = PPC_OP_IMM;
            MI->flat_insn->detail->ppc.operands[MI->flat_insn->detail->ppc.op_count].imm = imm;
            MI->flat_insn->detail->ppc.op_count++;
        }
    }

uname -a on this machine says: Linux ... 3.10.0-229.4.2.ael7b.ppc64le #1 SMP Fri Apr 24 15:23:58 EDT 2015 ppc64le ppc64le ppc64le GNU/Linux

Capstone branch "next" at commit 16ae82e0fcd707466f27f4bf84afdbd13667e27d

Regards,

Per Mildner Per...@si...
Swedish Institute of Computer Science
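The truncation Per describes, isolated from Capstone into plain integer arithmetic (an added example, not Capstone's or Per's code): one function reproduces the original (int)-cast arithmetic, the other the int64_t fix, and both are fed the addresses from the report plus a backward branch to show that the displacement must stay signed. The names "address" and "raw_disp" are placeholders for MI->address and the value MCOperand_getImm() returns.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Capstone code. "raw_disp" stands for the PPC branch
 * displacement operand as MCOperand_getImm() returns it (a signed count of
 * 4-byte words); "address" stands for MI->address. Both are placeholders.
 */

/* Original arithmetic: the displacement and the instruction address both
 * go through an (int) cast, so the upper 32 bits of a 64-bit address are
 * dropped before the add. Written with uint32_t so the behaviour is
 * well-defined; on a two's-complement host this is exactly what the int
 * casts plus the "0x%x" format produced. */
static uint32_t branch_target_truncated(uint64_t address, int64_t raw_disp)
{
    uint32_t imm = (uint32_t)(raw_disp * 4);  /* the "<< 2" in the original */
    return (uint32_t)address + imm;          /* (int)MI->address + imm */
}

/* Fixed arithmetic (the int64_t version): keep the full 64-bit address and
 * a signed 64-bit displacement, so addresses above 4 GiB and backward
 * branches both come out right. */
static uint64_t branch_target_fixed(uint64_t address, int64_t raw_disp)
{
    int64_t imm = raw_disp * 4;
    return (uint64_t)((int64_t)address + imm);
}

/* Formats a target the way the fixed printer does ("0x%" PRIx64). Passing
 * an int64_t to "0x%x" would be undefined behaviour on top of the
 * truncation, so the format string has to change together with the type. */
static const char *format_target(char *buf, size_t len, uint64_t target)
{
    snprintf(buf, len, "0x%" PRIx64, target);
    return buf;
}

int main(void)
{
    char buf[32];
    /* Values from the report: bge at 0x3fff76030028, displacement +0x98
     * (0x26 words), which should land on the ld at 0x3fff760300c0. */
    uint64_t addr = 0x3fff76030028ULL;
    int64_t disp = 0x26;

    printf("truncated: 0x%" PRIx32 "\n", branch_target_truncated(addr, disp));
    printf("fixed:     %s\n",
           format_target(buf, sizeof buf, branch_target_fixed(addr, disp)));
    /* Backward branch from the second listing: the displacement must be
     * sign-extended, which int64_t does and a narrowed int would not. */
    printf("backward:  %s\n",
           format_target(buf, sizeof buf,
                         branch_target_fixed(0x3fff87940060ULL, -0xe)));
    return 0;
}
```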
From: Nguyen A. Q. <aq...@gm...> - 2016-03-22 12:09:22

On Tue, Mar 22, 2016 at 7:40 PM, Muhammad Usman Qureshi <muh...@ho...> wrote:
> Dear Sir/Madam,
> Hello,
> I want to convert/decompile attached elf sparc object file to a C source code. Kindly advise how to do this.
> I will be very grateful.

what you need is find a decompiler and use it on your object file. find some decompilers in this page: http://www.capstone-engine.org/showcase.html

cheers,
Quynh
http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org

> Many Thanks
> M.Usman
From: Muhammad U. Q. <muh...@ho...> - 2016-03-22 11:40:49

Dear Sir/Madam,

Hello, I want to convert/decompile attached elf sparc object file to a C source code. Kindly advise how to do this. I will be very grateful.

Many Thanks
M.Usman
From: Nguyen A. Q. <aq...@gm...> - 2016-03-17 15:10:38

Dear Capstone/Unicorn users,

We are very excited to announce our IndieGogo campaign for Keystone Engine, the next-gen assembler framework!

Find more information at our IndieGogo page at https://igg.me/at/keystone/, and our homepage at http://www.keystone-engine.org

After Capstone & Unicorn, Keystone is the latest of our on-going effort to bring better tools to the reverse-engineering community. Now with the final missing piece Keystone, we complete the magical trilogy of disassembler - emulator - assembler.

Come support us, and help to spread the news, so together we can solve the lingering problem of missing the assembler framework once, and for all!

The Keystone name came from some private conversation with Felix "FX" Lindner. Thanks for such a great inspiration, FX!

Best,
Quynh

http://www.capstone-engine.org
http://www.unicorn-engine.org
http://www.keystone-engine.org
From: Nguyen A. Q. <aq...@gm...> - 2016-01-19 14:22:12

Greetings,

We are very excited to announce the new logo for Capstone disassembly engine! See our new shiny logo at http://www.capstone-engine.org/img/capstone.png

We believe that this logo better reflects the spirit of our project, and is also more suitable for Tshirts, stickers, mugs etc.

We would like to thank Xipiter LLC for sponsoring us to redesign our logo! The generous & continuous support from the community like this is the main reason why we keep putting significant time and effort into maintaining & developing Capstone!

Thanks,
Quynh

http://www.capstone-engine.org
http://www.unicorn-engine.org
From: Rob H. <ro...@gm...> - 2016-01-18 06:52:06

Hi,

Thanks for your answer. I have several issues with mcsema, that's why I was seeking alternatives...

Thanks anyway!

Best,
R.

2016-01-16 10:06 GMT+01:00 Nguyen Anh Quynh <aq...@gm...>:
> On Fri, Jan 15, 2016 at 6:05 PM, Rob Heig <ro...@gm...> wrote:
>> Hi,
>>
>> I've just tried Capstone and it works great!
>> I wonder if there is a quick way to get LLVM-IR as an output -- I am working on a small project where LLVM-IR is taken as input and optimized, but apparently there are no ASM->IR decompilers...
>
> you may consider to use McSema project for what you want:
>
> https://github.com/trailofbits/mcsema
>
> Thanks,
> Quynh
>
> http://www.capstone-engine.org
> http://www.unicorn-engine.org
From: Nguyen A. Q. <aq...@gm...> - 2016-01-16 09:07:19

On Fri, Jan 15, 2016 at 6:05 PM, Rob Heig <ro...@gm...> wrote:
> Hi,
>
> I've just tried Capstone and it works great!
> I wonder if there is a quick way to get LLVM-IR as an output -- I am working on a small project where LLVM-IR is taken as input and optimized, but apparently there are no ASM->IR decompilers...

you may consider to use McSema project for what you want:

https://github.com/trailofbits/mcsema

Thanks,
Quynh

http://www.capstone-engine.org
http://www.unicorn-engine.org
From: Rob H. <ro...@gm...> - 2016-01-15 10:05:20

Hi,

I've just tried Capstone and it works great!

I wonder if there is a quick way to get LLVM-IR as an output -- I am working on a small project where LLVM-IR is taken as input and optimized, but apparently there are no ASM->IR decompilers...

Thanks a lot in advance!
Rob
From: Nguyen A. Q. <aq...@gm...> - 2015-11-09 16:25:44

the related commit on bindings support for this API is at https://github.com/aquynh/capstone/commit/10647aef5899eb79171b1f39125983f7522b83d3

you can see here all the bindings got updated, but Java binding did not have the API supported yet. so i think you only need to add the API to Java to finish this job.

just in case, for reference, see how Python supports this API.

Thanks,
Quynh

http://www.capstone-engine.org
http://www.unicorn-engine.org

On Tue, Nov 10, 2015 at 12:17 AM, Philipp Roskosch <phi...@si...> wrote:
> Hi,
>
> I looked inside the source code and it seems that everything is prepared for operands and read/write-register-stuff.
>
> In Capstone.java line 447 we retrieve the information from the "Proxy interface to Native Library". In my understanding java is talking to the actual capstone implementation and then parses the results. When trying to access the "detail-information" (like operands etc) (Capstone.java line 138-151) these are not available.
>
> So I wonder which piece is missing in the implementation. If you can give me some hint, I'll try to implement it.
>
> Best
> Philipp
>
> On 09.11.2015 15:41, Nguyen Anh Quynh wrote:
>> On Mon, Nov 9, 2015 at 10:31 PM, Philipp Roskosch <phi...@si...> wrote:
>>> Hello everyone,
>>>
>>> I am trying to implement static analysis for ARM assembly using Capstone and its Java bindings. The cs_regs_access() API is exactly what I was looking for. Are there any examples for how to use it correctly?
>>
>> this API is not supported by Java binding in the "next" branch yet. if you can implement that, please send a pull request on Github.
>>
>> thanks.
>> Q
>>
>>> When trying to display every written and read register the regsWrite and regsRead array is empty most of the times. Also instruction.operands.op array is always empty.
>>>
>>> I turned on the details with "cs.setDetail(Capstone.CS_OPT_ON);". Displaying accessed registers looks like this:
>>>
>>>     for(short i: instruction.regsWrite)
>>>         System.out.println("Written: " + instruction.regName( i ));
>>>
>>> Help is much appreciated!
>>>
>>> Best regards,
>>> Philipp
From: Philipp R. <phi...@si...> - 2015-11-09 16:17:38

Hi,

I looked inside the source code and it seems that everything is prepared for operands and read/write-register-stuff.

In Capstone.java line 447 we retrieve the information from the "Proxy interface to Native Library". In my understanding java is talking to the actual capstone implementation and then parses the results. When trying to access the "detail-information" (like operands etc) (Capstone.java line 138-151) these are not available.

So I wonder which piece is missing in the implementation. If you can give me some hint, I'll try to implement it.

Best
Philipp

On 09.11.2015 15:41, Nguyen Anh Quynh wrote:
> On Mon, Nov 9, 2015 at 10:31 PM, Philipp Roskosch <phi...@si...> wrote:
>> Hello everyone,
>>
>> I am trying to implement static analysis for ARM assembly using Capstone and its Java bindings. The cs_regs_access() API is exactly what I was looking for. Are there any examples for how to use it correctly?
>
> this API is not supported by Java binding in the "next" branch yet. if you can implement that, please send a pull request on Github.
>
> thanks.
> Q
>
>> When trying to display every written and read register the regsWrite and regsRead array is empty most of the times. Also instruction.operands.op array is always empty.
>>
>> I turned on the details with "cs.setDetail(Capstone.CS_OPT_ON);". Displaying accessed registers looks like this:
>>
>>     for(short i: instruction.regsWrite)
>>         System.out.println("Written: " + instruction.regName( i ));
>>
>> Help is much appreciated!
>>
>> Best regards,
>> Philipp
From: Nguyen A. Q. <aq...@gm...> - 2015-11-09 14:42:05

On Mon, Nov 9, 2015 at 10:31 PM, Philipp Roskosch <phi...@si...> wrote:
> Hello everyone,
>
> I am trying to implement static analysis for ARM assembly using Capstone and its Java bindings. The cs_regs_access() API is exactly what I was looking for. Are there any examples for how to use it correctly?

this API is not supported by Java binding in the "next" branch yet. if you can implement that, please send a pull request on Github.

thanks.
Q

> When trying to display every written and read register the regsWrite and regsRead array is empty most of the times. Also instruction.operands.op array is always empty.
>
> I turned on the details with "cs.setDetail(Capstone.CS_OPT_ON);". Displaying accessed registers looks like this:
>
>     for(short i: instruction.regsWrite)
>         System.out.println("Written: " + instruction.regName( i ));
>
> Help is much appreciated!
>
> Best regards,
> Philipp
From: Philipp R. <phi...@si...> - 2015-11-09 14:32:04

Hello everyone,

I am trying to implement static analysis for ARM assembly using Capstone and its Java bindings. The cs_regs_access() API is exactly what I was looking for. Are there any examples for how to use it correctly?

When trying to display every written and read register the regsWrite and regsRead array is empty most of the times. Also instruction.operands.op array is always empty.

I turned on the details with "cs.setDetail(Capstone.CS_OPT_ON);". Displaying accessed registers looks like this:

    for(short i: instruction.regsWrite)
        System.out.println("Written: " + instruction.regName( i ));

Help is much appreciated!

Best regards,
Philipp
From: Nguyen A. Q. <aq...@gm...> - 2015-10-28 05:24:37

yes, Jay explained it all very well, thanks!

good luck to your presentation, Phil.

thanks,
Quynh

On Wed, Oct 28, 2015 at 12:11 PM, Jay Oster <ja...@ko...> wrote:
> It's probably helpful to keep in mind that Capstone is lower level than applications like IDA Pro. In fact, Capstone is perfect for implementing executable analysis applications (like IDA Pro); code flow analysis is just one example of a feature that can be implemented with Capstone. The framework is not opinionated about data representation or interpretation, the only thing that matters is how you feed data to it.
>
> Capstone strives to be just as accurate as any other disassembler. That means ideally it will be in parity with (or better than) any commercial disassembler *per instruction*. If you want to go further (code flow, function prologue/epilogue, function arguments, or any higher-order analysis) ... you will be building that yourself. It's a tool to build a tool.
>
> Let's take code flow analysis as an example: We're all familiar with the tricks that attempt to defeat dumb disassemblers by jumping into the middle of a variable-length instruction. Capstone has no intention of being one of those dumb disassemblers that gets caught off-guard by this dumb trick. Instead, it gives you the capability to determine (instruction-by-instruction) where the jump target addresses point. Should you feel the need to trace instructions from those targets, you will get proper code-flow analysis (this is simplified of course; indirect jump targets require extra state tracking, but that's a huge topic).
>
> That said, perhaps Capstone itself is too low-level for the needs in the context of your talk. In that case, there are a number of frameworks built on top of Capstone which provide some of the nice higher level features that you are interested in. I won't enumerate them here, as I think the Showcase page already does so: http://www.capstone-engine.org/showcase.html
>
> I've RSVP'd for the meetup in anticipation that I will be available to check it out. Hopefully I'll be there! :)
>
> Cheers,
> Jay
>
> On Tue, Oct 27, 2015 at 8:38 AM, Phil Roth <pr...@en...> wrote:
>> Thanks for the responses. The Meetup is advertised here: http://www.meetup.com/Data-Mining-for-Cyber-Security/events/225431456/
>> My work with disassembly from capstone will be a small part of just one of the talks. But please come out if you're interested.
>>
>> "what do you mean by "single pass disassembler"? this is how all the disassemblers work, not only Capstone."
>> I'm probably confusing reversing frameworks with disassemblers. It's my understanding that Capstone will disassemble binary data as data is encountered, whereas a reversing framework will analyze the entire input, figure out what the control flow is, and make decisions about functions, subroutines, and what is code and what is data. In the SciPy talk, I refer to all of this work as "doing an analysis pass" before getting disassembly.
>>
>> "also, can you elaborate where IDA produces better result?"
>> In this case, the better result means that models trained on the disassembly do better in the machine learning competition metric. I ended the story here in the summer, but I've since been convinced that the better performance in the competition was great, but not really necessary in practice.
>>
>> "keep in mind that IDA is a complicated tool which does a lot more than just disassembling, why Capstone is designed to do just one simple thing: disassemble the binary you feed it. more complicated process must be done by your programs."
>> Definitely. I will stress this during the talk. And my current view is actually that the complications of running a full analysis tool like IDA are not worth the small performance gain.
>>
>> So my message is now edited to something like this: "Disassembled instructions are a great feature to use when classifying malware with machine learning models. I used capstone, a simple and easy to use disassembler, through its Python interface. If more complicated code analysis and reversing tools are used to generate the disassembled instructions, your classification models will provide slightly better results. I've found that the benefits of using the simpler tools outweigh the slightly degraded classification power."
>>
>> Phil Roth
>> Data Scientist
>> pr...@en...
>> C: 240-997-8251
>> www.endgame.com
>>
>> ENDGAME
>>
>> From: Jay Oster <ja...@ko...>
>> Date: Tuesday, October 27, 2015 at 1:56 AM
>> To: "Capstone disassembly framework (www.capstone-engine.org)" <cap...@li...>
>> Cc: Phil Roth <pr...@en...>
>> Subject: Re: [Capstone-users] Capstone Engine is a Framework?
>>
>> Hi Phil,
>>
>> Which meetup will you be speaking at? I'll try to attend! (SF local here.) Also, I'd be willing to chat a bit in regard to Capstone, and share some thoughts and ideas.
>>
>> Cheers,
>> Jay
>>
>> On Mon, Oct 26, 2015 at 7:49 PM, Nguyen Anh Quynh <aq...@gm...> wrote:
>>> On Tue, Oct 27, 2015 at 2:30 AM, Phil Roth <pr...@en...> wrote:
>>>> Hi all,
>>>>
>>>> This past July, I gave a talk about using Python to examine malware:
>>>> http://www.slideshare.net/mrphilroth/examining-malware-with-python
>>>> https://www.youtube.com/watch?v=2gyAemhbxnE
>>>
>>> thanks for sharing this. it looks like a nice work, congrats!
>>>
>>>> In it, I talk about using machine learning techniques to classify malware. Specifically, I compare the performance of classification models based on instructions generated by IDA Pro and instructions I generated myself with Capstone. Someone with this project made a comment about the talk on Twitter: https://twitter.com/capstone_engine/status/624580597650862080
>>>>
>>>> Next month, I'm going to be giving a talk to a Meetup group in San Francisco where I'm going to include some of the same material. I wanted to check here before I give the talk so that I don't misrepresent what Capstone is and is not. I don't feel like I yet totally understand the issues behind that tweet.
>>>>
>>>> My message is going to be: "Disassembled instructions are a great feature to use when using machine learning models to classify malware. Results can vary based on what disassembler is used. I've found that a model based on features from a single pass disassembler like Capstone will produce slightly worse results than one based on IDA Pro disassembly. But the ease of use and repeatability of the results make it a better choice."
>>>
>>> what do you mean by "single pass disassembler"? this is how all the disassemblers work, not only Capstone.
>>>
>>> also, can you elaborate where IDA produces better result?
>>>
>>> keep in mind that IDA is a complicated tool which does a lot more than just disassembling, why Capstone is designed to do just one simple thing: disassemble the binary you feed it. more complicated process must be done by your programs.
>>>
>>>> Is the error in those statements referring to Capstone Engine as the disassembler? Should I be referring to LLVM MC as the disassembler and Capstone as the framework through which I used it? Is there some other problem that I don't yet understand?
>>>
>>> Capstone is based on LLVM MC, but we go far beyond that: http://www.capstone-engine.org/beyond_llvm.html
>>>
>>> let me know if you have more questions, thanks.
>>>
>>> Quynh
From: Jay O. <ja...@ko...> - 2015-10-28 04:11:27

It's probably helpful to keep in mind that Capstone is lower level than applications like IDA Pro. In fact, Capstone is perfect for implementing executable analysis applications (like IDA Pro); code flow analysis is just one example of a feature that can be implemented with Capstone. The framework is not opinionated about data representation or interpretation, the only thing that matters is how you feed data to it.

Capstone strives to be just as accurate as any other disassembler. That means ideally it will be in parity with (or better than) any commercial disassembler *per instruction*. If you want to go further (code flow, function prologue/epilogue, function arguments, or any higher-order analysis) ... you will be building that yourself. It's a tool to build a tool.

Let's take code flow analysis as an example: We're all familiar with the tricks that attempt to defeat dumb disassemblers by jumping into the middle of a variable-length instruction. Capstone has no intention of being one of those dumb disassemblers that gets caught off-guard by this dumb trick. Instead, it gives you the capability to determine (instruction-by-instruction) where the jump target addresses point. Should you feel the need to trace instructions from those targets, you will get proper code-flow analysis (this is simplified of course; indirect jump targets require extra state tracking, but that's a huge topic).

That said, perhaps Capstone itself is too low-level for the needs in the context of your talk. In that case, there are a number of frameworks built on top of Capstone which provide some of the nice higher level features that you are interested in. I won't enumerate them here, as I think the Showcase page already does so: http://www.capstone-engine.org/showcase.html

I've RSVP'd for the meetup in anticipation that I will be available to check it out. Hopefully I'll be there! :)

Cheers,
Jay

On Tue, Oct 27, 2015 at 8:38 AM, Phil Roth <pr...@en...> wrote:
> Thanks for the responses. The Meetup is advertised here: http://www.meetup.com/Data-Mining-for-Cyber-Security/events/225431456/
> My work with disassembly from capstone will be a small part of just one of the talks. But please come out if you're interested.
>
> "what do you mean by "single pass disassembler"? this is how all the disassemblers work, not only Capstone."
> I'm probably confusing reversing frameworks with disassemblers. It's my understanding that Capstone will disassemble binary data as data is encountered, whereas a reversing framework will analyze the entire input, figure out what the control flow is, and make decisions about functions, subroutines, and what is code and what is data. In the SciPy talk, I refer to all of this work as "doing an analysis pass" before getting disassembly.
>
> "also, can you elaborate where IDA produces better result?"
> In this case, the better result means that models trained on the disassembly do better in the machine learning competition metric. I ended the story here in the summer, but I've since been convinced that the better performance in the competition was great, but not really necessary in practice.
>
> "keep in mind that IDA is a complicated tool which does a lot more than just disassembling, why Capstone is designed to do just one simple thing: disassemble the binary you feed it. more complicated process must be done by your programs."
> Definitely. I will stress this during the talk. And my current view is actually that the complications of running a full analysis tool like IDA are not worth the small performance gain.
>
> So my message is now edited to something like this: "Disassembled instructions are a great feature to use when classifying malware with machine learning models. I used capstone, a simple and easy to use disassembler, through its Python interface. If more complicated code analysis and reversing tools are used to generate the disassembled instructions, your classification models will provide slightly better results. I've found that the benefits of using the simpler tools outweigh the slightly degraded classification power."
>
> Phil Roth
> Data Scientist
> pr...@en...
> C: 240-997-8251
> www.endgame.com
>
> ENDGAME
>
> From: Jay Oster <ja...@ko...>
> Date: Tuesday, October 27, 2015 at 1:56 AM
> To: "Capstone disassembly framework (www.capstone-engine.org)" <cap...@li...>
> Cc: Phil Roth <pr...@en...>
> Subject: Re: [Capstone-users] Capstone Engine is a Framework?
>
> Hi Phil,
>
> Which meetup will you be speaking at? I'll try to attend! (SF local here.) Also, I'd be willing to chat a bit in regard to Capstone, and share some thoughts and ideas.
>
> Cheers,
> Jay
>
> On Mon, Oct 26, 2015 at 7:49 PM, Nguyen Anh Quynh <aq...@gm...> wrote:
>> On Tue, Oct 27, 2015 at 2:30 AM, Phil Roth <pr...@en...> wrote:
>>> Hi all,
>>>
>>> This past July, I gave a talk about using Python to examine malware:
>>> http://www.slideshare.net/mrphilroth/examining-malware-with-python
>>> https://www.youtube.com/watch?v=2gyAemhbxnE
>>
>> thanks for sharing this. it looks like a nice work, congrats!
>>
>>> In it, I talk about using machine learning techniques to classify malware. Specifically, I compare the performance of classification models based on instructions generated by IDA Pro and instructions I generated myself with Capstone. Someone with this project made a comment about the talk on Twitter: https://twitter.com/capstone_engine/status/624580597650862080
>>>
>>> Next month, I'm going to be giving a talk to a Meetup group in San Francisco where I'm going to include some of the same material. I wanted to check here before I give the talk so that I don't misrepresent what Capstone is and is not.
I don’t feel like I yet totally understand the >>> issues behind that tweet. >>> >>> My message is going to be: “Disassembled instructions are a great >>> feature to use when using machine learning models to classify malware. >>> Results can vary based on what disassembler is used. I’ve found that a >>> model based on features from a single pass disassembler like Capstone will >>> produce slightly worse results than one based on IDA Pro disassembly. But >>> the ease of use and repeatability of the results make it a better choice.” >>> >> >> what do you mean by "single pass disassembler"? this is how all the >> disassemblers work, not only Capstone. >> >> also, can you elaborate where IDA produces better result? >> >> keep in mind that IDA is a complicated tool which does a lot more than >> just disassembling, why Capstone is designed to do just one simple thing: >> disassemble the binary you feed it. more complicated process must be done >> by your programs. >> >> >> >>> >>> Is the error in those statements referring to Capstone Engine as the >>> disassembler? Should I be referring to LLVM MC as the disassembler and >>> Capstone as the framework through which I used it? Is there some other >>> problem that I don’t yet understand? >>> >> >> Capstone is based on LLVM MC, but we go far beyond that: >> http://www.capstone-engine.org/beyond_llvm.html >> >> let me know if you have more questions, thanks. >> >> Quynh >> >> >> ------------------------------------------------------------------------------ >> >> _______________________________________________ >> Capstone-users mailing list >> Cap...@li... >> https://lists.sourceforge.net/lists/listinfo/capstone-users >> >> > > > ------------------------------------------------------------------------------ > > _______________________________________________ > Capstone-users mailing list > Cap...@li... > https://lists.sourceforge.net/lists/listinfo/capstone-users > > |
From: Phil R. <pr...@en...> - 2015-10-27 15:38:47
|
Thanks for the responses. The Meetup is advertised here: http://www.meetup.com/Data-Mining-for-Cyber-Security/events/225431456/

My work with disassembly from capstone will be a small part of just one of the talks. But please come out if you're interested.

"what do you mean by "single pass disassembler"? this is how all the disassemblers work, not only Capstone."

I'm probably confusing reversing frameworks with disassemblers. It's my understanding that Capstone will disassemble binary data as data is encountered, whereas a reversing framework will analyze the entire input, figure out what the control flow is, and make decisions about functions, subroutines, and what is code and what is data. In the SciPy talk, I refer to all of this work as "doing an analysis pass" before getting disassembly.

"also, can you elaborate where IDA produces better result?"

In this case, the better result means that models trained on the disassembly do better in the machine learning competition metric. I ended the story here in the summer, but I've since been convinced that the better performance in the competition was great, but not really necessary in practice.

"keep in mind that IDA is a complicated tool which does a lot more than just disassembling, why Capstone is designed to do just one simple thing: disassemble the binary you feed it. more complicated process must be done by your programs."

Definitely. I will stress this during the talk. And my current view is actually that the complications of running a full analysis tool like IDA are not worth the small performance gain.

So my message is now edited to something like this: "Disassembled instructions are a great feature to use when classifying malware with machine learning models. I used capstone, a simple and easy to use disassembler, through its Python interface.
If more complicated code analysis and reversing tools are used to generate the disassembled instructions, your classification models will provide slightly better results. I’ve found that the benefits of using the simpler tools outweigh the slightly degraded classification power." Phil Roth Data Scientist pr...@en... C: 240-997-8251 www.endgame.com <http://www.endgame.com/> ENDGAME From: Jay Oster <ja...@ko...> Date: Tuesday, October 27, 2015 at 1:56 AM To: "Capstone disassembly framework (www.capstone-engine.org)" <cap...@li...> Cc: Phil Roth <pr...@en...> Subject: Re: [Capstone-users] Capstone Engine is a Framework? Hi Phil, Which meetup will you be speaking at? I'll try to attend! (SF local here.) Also, I'd be willing to chat a bit in regard to Capstone, and share some thoughts and ideas. Cheers, Jay On Mon, Oct 26, 2015 at 7:49 PM, Nguyen Anh Quynh <aq...@gm...> wrote: > > > On Tue, Oct 27, 2015 at 2:30 AM, Phil Roth <pr...@en...> wrote: >> Hi all, >> >> This past July, I gave a talk about using Python to examine malware: >> http://www.slideshare.net/mrphilroth/examining-malware-with-python >> https://www.youtube.com/watch?v=2gyAemhbxnE > > thanks for sharing this. it looks like a nice work, congrats! > >> >> In it, I talk about using machine learning techniques to classify malware. >> Specifically, I compare the performance of classification models based on >> instructions generated by IDA Pro and instructions I generated myself with >> Capstone. Someone with this project made a comment about the talk on Twitter: >> https://twitter.com/capstone_engine/status/624580597650862080 >> >> Next month, I’m going to be giving a talk to a Meetup group in San Francisco >> where I’m going to include some of the same material. I wanted to check here >> before I give the talk so that I don’t misrepresent what Capstone is and is >> not. I don’t feel like I yet totally understand the issues behind that tweet. 
>> >> My message is going to be: “Disassembled instructions are a great feature to >> use when using machine learning models to classify malware. Results can vary >> based on what disassembler is used. I’ve found that a model based on features >> from a single pass disassembler like Capstone will produce slightly worse >> results than one based on IDA Pro disassembly. But the ease of use and >> repeatability of the results make it a better choice.” > > what do you mean by "single pass disassembler"? this is how all the > disassemblers work, not only Capstone. > > also, can you elaborate where IDA produces better result? > > keep in mind that IDA is a complicated tool which does a lot more than just > disassembling, why Capstone is designed to do just one simple thing: > disassemble the binary you feed it. more complicated process must be done by > your programs. > > >> >> Is the error in those statements referring to Capstone Engine as the >> disassembler? Should I be referring to LLVM MC as the disassembler and >> Capstone as the framework through which I used it? Is there some other >> problem that I don’t yet understand? > > Capstone is based on LLVM MC, but we go far beyond that: > http://www.capstone-engine.org/beyond_llvm.html > > let me know if you have more questions, thanks. > > Quynh > > ------------------------------------------------------------------------------ > > _______________________________________________ > Capstone-users mailing list > Cap...@li... > https://lists.sourceforge.net/lists/listinfo/capstone-users > |
From: Jay O. <ja...@ko...> - 2015-10-27 06:23:19
|
Hi Phil,

Which meetup will you be speaking at? I'll try to attend! (SF local here.) Also, I'd be willing to chat a bit in regard to Capstone, and share some thoughts and ideas.

Cheers,
Jay

On Mon, Oct 26, 2015 at 7:49 PM, Nguyen Anh Quynh <aq...@gm...> wrote:
> On Tue, Oct 27, 2015 at 2:30 AM, Phil Roth <pr...@en...> wrote:
>> Hi all,
>>
>> This past July, I gave a talk about using Python to examine malware:
>> http://www.slideshare.net/mrphilroth/examining-malware-with-python
>> https://www.youtube.com/watch?v=2gyAemhbxnE
>
> thanks for sharing this. it looks like a nice work, congrats!
>
>> In it, I talk about using machine learning techniques to classify malware. Specifically, I compare the performance of classification models based on instructions generated by IDA Pro and instructions I generated myself with Capstone. Someone with this project made a comment about the talk on Twitter:
>> https://twitter.com/capstone_engine/status/624580597650862080
>>
>> Next month, I'm going to be giving a talk to a Meetup group in San Francisco where I'm going to include some of the same material. I wanted to check here before I give the talk so that I don't misrepresent what Capstone is and is not. I don't feel like I yet totally understand the issues behind that tweet.
>>
>> My message is going to be: "Disassembled instructions are a great feature to use when using machine learning models to classify malware. Results can vary based on what disassembler is used. I've found that a model based on features from a single pass disassembler like Capstone will produce slightly worse results than one based on IDA Pro disassembly. But the ease of use and repeatability of the results make it a better choice."
>
> what do you mean by "single pass disassembler"? this is how all the disassemblers work, not only Capstone.
>
> also, can you elaborate where IDA produces better result?
> > keep in mind that IDA is a complicated tool which does a lot more than > just disassembling, why Capstone is designed to do just one simple thing: > disassemble the binary you feed it. more complicated process must be done > by your programs. > > > >> >> Is the error in those statements referring to Capstone Engine as the >> disassembler? Should I be referring to LLVM MC as the disassembler and >> Capstone as the framework through which I used it? Is there some other >> problem that I don’t yet understand? >> > > Capstone is based on LLVM MC, but we go far beyond that: > http://www.capstone-engine.org/beyond_llvm.html > > let me know if you have more questions, thanks. > > Quynh > > > ------------------------------------------------------------------------------ > > _______________________________________________ > Capstone-users mailing list > Cap...@li... > https://lists.sourceforge.net/lists/listinfo/capstone-users > > |
From: Nguyen A. Q. <aq...@gm...> - 2015-10-27 02:49:39
|
On Tue, Oct 27, 2015 at 2:30 AM, Phil Roth <pr...@en...> wrote:
> Hi all,
>
> This past July, I gave a talk about using Python to examine malware:
> http://www.slideshare.net/mrphilroth/examining-malware-with-python
> https://www.youtube.com/watch?v=2gyAemhbxnE

thanks for sharing this. it looks like nice work, congrats!

> In it, I talk about using machine learning techniques to classify malware. Specifically, I compare the performance of classification models based on instructions generated by IDA Pro and instructions I generated myself with Capstone. Someone with this project made a comment about the talk on Twitter:
> https://twitter.com/capstone_engine/status/624580597650862080
>
> Next month, I'm going to be giving a talk to a Meetup group in San Francisco where I'm going to include some of the same material. I wanted to check here before I give the talk so that I don't misrepresent what Capstone is and is not. I don't feel like I yet totally understand the issues behind that tweet.
>
> My message is going to be: "Disassembled instructions are a great feature to use when using machine learning models to classify malware. Results can vary based on what disassembler is used. I've found that a model based on features from a single pass disassembler like Capstone will produce slightly worse results than one based on IDA Pro disassembly. But the ease of use and repeatability of the results make it a better choice."

what do you mean by "single pass disassembler"? this is how all the disassemblers work, not only Capstone.

also, can you elaborate where IDA produces better results?

keep in mind that IDA is a complicated tool which does a lot more than just disassembling, while Capstone is designed to do just one simple thing: disassemble the binary you feed it. more complicated processing must be done by your programs.

> Is the error in those statements referring to Capstone Engine as the disassembler? Should I be referring to LLVM MC as the disassembler and Capstone as the framework through which I used it? Is there some other problem that I don't yet understand?

Capstone is based on LLVM MC, but we go far beyond that:
http://www.capstone-engine.org/beyond_llvm.html

let me know if you have more questions, thanks.

Quynh |
From: Phil R. <pr...@en...> - 2015-10-26 18:46:09
|
Hi all,

This past July, I gave a talk about using Python to examine malware:
http://www.slideshare.net/mrphilroth/examining-malware-with-python
https://www.youtube.com/watch?v=2gyAemhbxnE

In it, I talk about using machine learning techniques to classify malware. Specifically, I compare the performance of classification models based on instructions generated by IDA Pro and instructions I generated myself with Capstone. Someone with this project made a comment about the talk on Twitter:
https://twitter.com/capstone_engine/status/624580597650862080

Next month, I'm going to be giving a talk to a Meetup group in San Francisco where I'm going to include some of the same material. I wanted to check here before I give the talk so that I don't misrepresent what Capstone is and is not. I don't feel like I yet totally understand the issues behind that tweet.

My message is going to be: "Disassembled instructions are a great feature to use when using machine learning models to classify malware. Results can vary based on what disassembler is used. I've found that a model based on features from a single pass disassembler like Capstone will produce slightly worse results than one based on IDA Pro disassembly. But the ease of use and repeatability of the results make it a better choice."

Is the error in those statements referring to Capstone Engine as the disassembler? Should I be referring to LLVM MC as the disassembler and Capstone as the framework through which I used it? Is there some other problem that I don't yet understand?

Thanks for any feedback.

Phil Roth
Data Scientist
pr...@en...

C: 240-997-8251
www.endgame.com <http://www.endgame.com/>

ENDGAME |
From: Nguyen A. Q. <aq...@gm...> - 2015-10-15 05:35:26
|
On Thu, Oct 15, 2015 at 12:24 PM, Michael <ma...@gm...> wrote:
> Hi,
>
> I just got Capstone today and wanted to try it out. It works fine (VS2013, Windows 7 x64) but then I wanted to test whether the length of instructions was correct. So I tried this code:
>
> http://ideone.com/tPzk26
>
> And the output was:
>
> http://puu.sh/kKNjX/caebd34832.png
>
> Where the left hand side shows the size of the instructions. The first two instructions are correct but the third instruction is wrong. It's supposed to be 5 bytes in length. Proof:
>
> http://puu.sh/kKNmk/de31ae4a0c.png

the above screenshot is confusing: so is it "8b 05 b8 13 00", or "a1 8b 05 b8 13 00"?

Capstone is right here on your sample, in which:

8b 05 b8 13 00 = invalid instruction
8b 05 b8 13 00 00 = mov eax, dword ptr [0x13b8]

thanks. |
From: Michael <ma...@gm...> - 2015-10-15 04:25:04
|
Hi,

I just got Capstone today and wanted to try it out. It works fine (VS2013, Windows 7 x64) but then I wanted to test whether the length of instructions was correct. So I tried this code:

http://ideone.com/tPzk26

And the output was:

http://puu.sh/kKNjX/caebd34832.png

Where the left hand side shows the size of the instructions. The first two instructions are correct but the third instruction is wrong. It's supposed to be 5 bytes in length. Proof:

http://puu.sh/kKNmk/de31ae4a0c.png

And Visual Studio's compiler thought it was 5 bytes too. Am I doing something wrong or is there an issue here?

Thanks,
Maktm |
From: Shubham T. <shu...@gm...> - 2015-10-14 06:02:45
|
Thank you for your help :)

On Wed, Oct 14, 2015 at 11:27 AM, Nguyen Anh Quynh <aq...@gm...> wrote:
> On Wed, Oct 14, 2015 at 1:50 PM, Shubham Tripathi <shu...@gm...> wrote:
>> Hello everyone,
>>
>> I am analyzing crash dumps using capstone. Is there a feature to generate control flow graphs in capstone? Kindly let me know the API for this. I am interested in an ingestible graph.
>
> no, Capstone is only for disassembling. So to do what you want, you have to generate the CFG yourself by analyzing basic blocks, tracking indirect branches, etc
>
>> If not then how can I use capstone to generate a CFG. Please point me to some resources.
>
> it is a good idea to learn how to do this from open source projects. a simple project like this:
> https://github.com/lawlrenz/recursive_disassembler
>
> you can find a lot more projects on binary analysis at
> http://www.capstone-engine.org/showcase.html
>
> hope this helps.
> Quynh
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Capstone-users mailing list
> Cap...@li...
> https://lists.sourceforge.net/lists/listinfo/capstone-users

--
Shubham Tripathi
IIIT,Hyderabad |
From: Nguyen A. Q. <aq...@gm...> - 2015-10-14 05:57:43
|
On Wed, Oct 14, 2015 at 1:50 PM, Shubham Tripathi <shu...@gm...> wrote:
> Hello everyone,
>
> I am analyzing crash dumps using capstone. Is there a feature to generate control flow graphs in capstone? Kindly let me know the API for this. I am interested in an ingestible graph.

no, Capstone is only for disassembling. So to do what you want, you have to generate the CFG yourself by analyzing basic blocks, tracking indirect branches, etc

> If not then how can I use capstone to generate a CFG. Please point me to some resources.

it is a good idea to learn how to do this from open source projects. a simple project like this:
https://github.com/lawlrenz/recursive_disassembler

you can find a lot more projects on binary analysis at
http://www.capstone-engine.org/showcase.html

hope this helps.
Quynh |
From: Shubham T. <shu...@gm...> - 2015-10-14 05:50:41
|
Hello everyone,

I am analyzing crash dumps using capstone. Is there a feature to generate control flow graphs in capstone? Kindly let me know the API for this. I am interested in an ingestible graph.

If not then how can I use capstone to generate a CFG. Please point me to some resources.

Thanks & Regards,
--
Shubham Tripathi
IIIT,Hyderabad |