PEfile with Capstone
Next, we use the Capstone disassembler to disassemble the code we extracted with pefile and obtain the assembly listing.
As usual, we start by importing the required modules. Here, these are capstone and pefile:
```python
from capstone import Cs, CS_ARCH_X86, CS_MODE_32
import pefile

pe = pefile.PE('md5sum.exe')

# RVA of the entry point, relative to the image base
entryPoint = pe.OPTIONAL_HEADER.AddressOfEntryPoint

# Map the file the way the loader would, then slice from the entry point onwards
data = pe.get_memory_mapped_image()[entryPoint:]

# md5sum.exe is a 32-bit (PE32) binary, so use the x86 32-bit mode
cs = Cs(CS_ARCH_X86, CS_MODE_32)

# Disassemble with the real virtual address as the base so the printed
# addresses match what a debugger would show for the loaded image
for i in cs.disasm(data, pe.OPTIONAL_HEADER.ImageBase + entryPoint):
    print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str))
```
The AddressOfEntryPoint value within the IMAGE_OPTIONAL_HEADER is the pointer to the entry point function, relative to the image base address. In the case of executable files, this is the exact point where the application's code begins. So, we get the start of the code with the help of pefile as pe.OPTIONAL_HEADER.AddressOfEntryPoint and pass this to the disassembler.