Capstone is a disassembly framework with the target of becoming the ultimate disasm engine for binary analysis and reversing in the security community. Created by Nguyen Anh Quynh, then developed and maintained by a small community, Capstone offers some unparalleled features:
Support multiple hardware architectures: ARM, ARM64 (aka ARMv8), Mips & X86
Having clean/simple/lightweight/intuitive architecture-neutral API
Provide details on disassembled instruction (called “decomposer” by others)
Provide semantics of the disassembled instruction, such as list of implicit registers read & written
Implemented in pure C language, with lightweight wrappers for C++, Python, Ruby, OCaml, C#, Java and Go available
Native support for Windows & *nix platforms (MacOSX, Linux & *BSD confirmed)
Thread-safe by design.
Capstone offers some unparalleled features in comparison with alternative disassembly frameworks.
Capstone is one of very few disassembly frameworks that support multiple architectures. So far, it can handle the 4 most important architectures: ARM, ARM64 (aka ARMv8/AArch64), Mips, PowerPC & X86. More will be added in the future when possible.
As far as we are aware, in all 4 architectures, Capstone can handle more instructions than other frameworks. In particular, it supports most modern CPU extensions & is guaranteed to remain updated in the future.
Clean, simple & intuitive architecture-neutral API
Clean & intuitive is the key principle in designing the API for Capstone. The interface has always been as simple as possible. It would take a new user just a few minutes to understand it & start writing their own tool based on the samples accompanying the Capstone source code.
Even better, the API is independent of the hardware, so your analysis tool can work in the same way across all the architectures.
Detailed instruction information
Capstone breaks down instruction information, making it straightforward to access instruction operands & other internal instruction data.
This feature is called “decomposer” by some alternatives, but Capstone is the only framework that has it across all the architectures, in a seamless way.
Capstone provides some important semantics of the disassembled instruction, such as the list of implicit registers read & written, or whether the instruction belongs to a group of instructions (such as the ARM Neon group, or the Intel SSE4.2 group). Now writing your own machine code normalization becomes easier than ever.
Implemented in pure C, the framework is easy to adopt for your low-level tool. Furthermore, lightweight & efficient bindings for popular languages such as Python, Ruby, OCaml, C#, Java & Go are also available.
Note that all of our bindings are manually coded, since we do not want to rely on bloated SWIG for wrapping.
With native support for Windows & *nix (confirmed to work on OSX, Linux, *BSD & Solaris), the framework is available for your tools regardless of the platform.
Thread safety is the first priority when designing & implementing Capstone. Thanks to this feature, your tools can disassemble binary code in multiple threads without any issue.
Capstone has been released under the BSD open source license. Thus there is no obligation, except that products using Capstone need to redistribute the file LICENSE.TXT, found in the source, in the same packages.
Disassembling an X86 binary and printing out its assembly using a Python script with the Capstone library:
Python script:
# test1.py
from capstone import *

CODE = b"\x55\x48\x8b\x05\xb8\x13\x00\x00"

md = Cs(CS_ARCH_X86, CS_MODE_64)
for i in md.disasm(CODE, 0x1000):
    print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str))
$ python test1.py
0x1000: push rbp
0x1001: mov rax, qword ptr [rip + 0x13b8]