Never Ending Security


Capstone – a lightweight multi-platform, multi-architecture disassembly framework.


Features

  • Support hardware architectures: ARM, ARM64 (aka ARMv8), Mips, PowerPC & X86.
  • Clean/simple/lightweight/intuitive architecture-neutral API.
  • Provide details on disassembled instruction (called “decomposer” by others).
  • Provide some semantics of the disassembled instruction, such as list of implicit registers read & written.
  • Implemented in pure C language, with bindings for Python, Ruby, OCaml, C#, Java and GO available.
  • Native support for Windows & *nix (including MacOSX, Linux, *BSD & Solaris platforms).
  • Thread-safe by design.
  • Distributed under the open source BSD license.

Capstone offers some unparalleled features in comparison with alternative disassembly frameworks.

Multiple architectures

Capstone is one of very few disassembly frameworks that support multiple architectures. So far, it can handle the 4 most important architectures: ARM, ARM64 (aka ARMv8/AArch64), Mips, PowerPC & X86. More will be added in the future when possible.

Updated

As far as we are aware, in all 4 architectures, Capstone can handle more instructions than other frameworks. In particular, it supports most modern CPU extensions & is guaranteed to remain updated in the future.

Clean, simple & intuitive architecture-neutral API

Clean & intuitive is the key principle in designing the API for Capstone. The interface has always been as simple as possible. It would take a new user just a few minutes to understand it & start writing their own tool based on the samples accompanying the Capstone source code.

Even better, the API is independent of the hardware, so your analysis tool can work in the same way across all the architectures.

Detailed instruction information

Capstone breaks down instruction information, making it straightforward to access instruction operands & other internal instruction data.

This feature is called “decomposer” by some alternatives, but Capstone is the only framework having this across all the architectures, in a seamless way.

Instruction semantics

Capstone provides some important semantics of the disassembled instruction, such as the list of implicit registers read & written, or whether the instruction belongs to a group of instructions (such as the ARM Neon group, or the Intel SSE4.2 group). Now writing your own machine code normalization becomes easier than ever.

Zero barrier

Implemented in pure C language, the framework is easy to adopt for your low-level tool. Furthermore, lightweight & efficient bindings for popular languages such as Python, Ruby, OCaml, C#, Java & Go are also available.

Note that all of our bindings are manually coded, since we do not want to rely on bloated SWIG for wrapping.

Multiple platforms

With native support for Windows & *nix (confirmed to work on OSX, Linux, *BSD & Solaris), the framework is available for your tools regardless of the platform.

Thread-safe

Thread safety is the first priority when designing & implementing Capstone. Thanks to this feature, your tools can disassemble binary code in multiple threads without any issue.

Liberal license

Capstone has been released under the BSD open source license. Thus there is no obligation, except that products using Capstone need to redistribute the file LICENSE.TXT, found in the source, in the same packages.

More information can be found at: http://www.capstone-engine.org/download.html

Capstone disassembly/disassembler framework: Core (Arm, Arm64, Mips, PPC, Sparc, SystemZ, X86, X86_64, XCore) + bindings (Python, Java, Ocaml)


Capstone is a disassembly framework with the target of becoming the ultimate
disasm engine for binary analysis and reversing in the security community.

Created by Nguyen Anh Quynh, then developed and maintained by a small community,
Capstone offers some unparalleled features:

- Support multiple hardware architectures: ARM, ARM64 (ARMv8), Mips, PPC, Sparc,
  SystemZ, XCore and X86 (including X86_64).

- Having clean/simple/lightweight/intuitive architecture-neutral API.

- Provide details on disassembled instruction (called “decomposer” by others).

- Provide semantics of the disassembled instruction, such as list of implicit
  registers read & written.

- Implemented in pure C language, with lightweight wrappers for C++, C#, Go,
  Java, Lua, NodeJS, Ocaml, Python, Ruby & Vala ready (available in main code,
  or provided externally by the community).

- Native support for all popular platforms: Windows, Mac OSX, iOS, Android,
  Linux, *BSD, Solaris, etc.

- Thread-safe by design.

- Special support for embedding into firmware or OS kernel.

- High performance & suitable for malware analysis (capable of handling various
  X86 malware tricks).

- Distributed under the open source BSD license.

Further information is available at http://www.capstone-engine.org


[Compile]

See COMPILE.TXT file for how to compile and install Capstone.


[Documentation]

See docs/README for how to customize & program your own tools with Capstone.


[Hack]

See HACK.TXT file for the structure of the source code.


[License]

This project is released under the BSD license. If you redistribute the binary
or source code of Capstone, please attach file LICENSE.TXT with your products.

The Capstone Project can be found on: https://github.com/aquynh/capstone