capstone disassembler python returns same instructions on every offset

Question

I am trying to disassambe a PE file using capstone with python bindings.

import pefile
from capstone import *

exe_file = 'C:\\Users\\Philip\\file.exe'
pe = pefile.PE(exe_file)

# find text section
offset = False
for section in pe.sections:
    if section.Name == b'.text\x00\x00\x00':
        offset = section.VirtualAddress
        break

with open(exe_file, 'rb') as f:
    code = f.read()

# start disassembling text section
md = Cs(CS_ARCH_X86, CS_MODE_32)
md.detail = True
if offset:
    for i in md.disasm(code, offset):
        print('0x%x:\t%s\t%s' % (i.address, i.mnemonic, i.op_str))

But it keeps returning the same ASM instructions at every offset.

0x1000: dec ebp
0x1001: pop edx
0x1002: nop 
0x1003: add byte ptr [ebx], al
0x1005: add byte ptr [eax], al
0x1007: add byte ptr [eax + eax], al
0x100a: add byte ptr [eax], al

for i in md.disasm(code, 0x2000):
        print('0x%x:\t%s\t%s' %(i.address, i.mnemonic, i.op_str))

0x2000: dec ebp
0x2001: pop edx
0x2002: nop 
0x2003: add byte ptr [ebx], al
0x2005: add byte ptr [eax], al
0x2007: add byte ptr [eax + eax], al
0x200a: add byte ptr [eax], al

And if i keep looping il get an endless stream of the same output.

from typing import Iterable, Any, Tuple

def signal_last(it: Iterable[Any]) -> Iterable[Tuple[bool, Any]]:
    iterable = iter(it)
    ret_var = next(iterable)
    for value in iterable:
        yield False, ret_var
        ret_var = value
    yield True, ret_var

offset = 0x1000
while True:
    for last, i in signal_last(md.disasm(code, offset)):
        print('0x%x:\t%s\t%s' % (i.address, i.mnemonic, i.op_str))
        if last:
            offset = i.address + 1

0xbc113:    dec ebp
0xbc114:    pop edx
0xbc115:    nop 
0xbc116:    add byte ptr [ebx], al
0xbc118:    add byte ptr [eax], al
0xbc11a:    add byte ptr [eax + eax], al
0xbc11d:    add byte ptr [eax], al
0xbc11e:    dec ebp
0xbc11f:    pop edx
0xbc120:    nop 
0xbc121:    add byte ptr [ebx], al
0xbc123:    add byte ptr [eax], al
0xbc125:    add byte ptr [eax + eax], al
0xbc128:    add byte ptr [eax], al
0xbc129:    dec ebp
0xbc12a:    pop edx
0xbc12b:    nop 
0xbc12c:    add byte ptr [ebx], al
0xbc12e:    add byte ptr [eax], al
0xbc130:    add byte ptr [eax + eax], al
0xbc133:    add byte ptr [eax], al
0xbc134:    dec ebp
0xbc135:    pop edx
0xbc136:    nop 
0xbc137:    add byte ptr [ebx], al
0xbc139:    add byte ptr [eax], al
0xbc13b:    add byte ptr [eax + eax], al
0xbc13e:    add byte ptr [eax], al
0xbc13f:    dec ebp
0xbc140:    pop edx
0xbc141:    nop 
0xbc142:    add byte ptr [ebx], al
0xbc144:    add byte ptr [eax], al
0xbc146:    add byte ptr [eax + eax], al
0xbc149:    add byte ptr [eax], al
0xbc14a:    dec ebp
0xbc14b:    pop edx
0xbc14c:    nop 
0xbc14d:    add byte ptr [ebx], al
0xbc14f:    add byte ptr [eax], al
0xbc151:    add byte ptr [eax + eax], al
0xbc154:    add byte ptr [eax], al
0xbc155:    dec ebp
0xbc156:    pop edx
0xbc157:    nop 
0xbc158:    add byte ptr [ebx], al
0xbc15a:    add byte ptr [eax], al
0xbc15c:    add byte ptr [eax + eax], al
0xbc15f:    add byte ptr [eax], al
0xbc160:    dec ebp
0xbc161:    pop edx
0xbc162:    nop 
0xbc163:    add byte ptr [ebx], al
0xbc165:    add byte ptr [eax], al
0xbc167:    add byte ptr [eax + eax], al
0xbc16a:    add byte ptr [eax], al
0xbc16b:    dec ebp
0xbc16c:    pop edx
0xbc16d:    nop 
0xbc16e:    add byte ptr [ebx], al
0xbc170:    add byte ptr [eax], al
0xbc172:    add byte ptr [eax + eax], al
0xbc175:    add byte ptr [eax], al

Does anyone know what i am doing wrong? Because i don't think this is how Capstone is supposed to work.

Answer 1

Disasm will disassemble from start of code. You should pass raw data corresponding to code section, not the beginning of PE file, where PE headers reside:

import pefile
from capstone import *

exe_file = 'C:\\Users\\Philip\\file.exe'
pe = pefile.PE(exe_file)

# find text section
offset = False
for section in pe.sections:
    if section.Name == b'.text\x00\x00\x00':
        offset = section.VirtualAddress
        codePtr = section.PointerToRawData
        codeEndPtr = codePtr+section.SizeOfRawData
        break

code = pe.get_memory_mapped_image()[codePtr:codeEndPtr]

# start disassembling text section
md = Cs(CS_ARCH_X86, CS_MODE_32)
md.detail = True
if offset:
    for i in md.disasm(code, offset):
        print('0x%x:\t%s\t%s' % (i.address, i.mnemonic, i.op_str))