Skip to content

Latest commit

 

History

History
1071 lines (538 loc) · 55.7 KB

showcase.md

File metadata and controls

1071 lines (538 loc) · 55.7 KB
Raw
layout title
default
Showcases

Showcase

In our knowledge, Capstone has been used by 508 following products (listed in no particular order).

  • Skorpio: Cross-platform-architecture Dynamic Instrumentation Framework (PDF).

  • Qiling: Cross-platform & multi-architecture lightweight sandbox.

  • Unicorn: Lightweight multi-arch, multi-platform CPU emulator framework.

  • Keystone: Lightweight multi-arch, multi-platform assembler framework.

  • CEnigma: Web-based disassembler tool that is simple, easy, fast & user-friendly. (inactive now)

  • CEbot: A Twitter bot for binary-reversing right from Twitter account. (inactive now)

  • Camal: Coseinc automated malware analysis lab.

  • Radare2: Unix-like reverse engineering framework and commandline tools.

  • Pyew: a Python tool for static malware analysis.

  • WinAppDbg: Code instrumentation scripts in Python under a Windows environment.

  • PowerSploit: PowerShell Post-Exploitation Framework.

  • MachOView: Visual Mach-O file browser that allows exploring and in-place editing Intel and ARM binaries.

  • RopShell: Free online ROP gadgets search.

  • ROPgadget: Gadgets finder and auto-roper.

  • Frida: Inject JavaScript code into native apps on Windows, Mac, Linux and iOS.

  • The-Backdoor-Factory: Patch Win86/64 PE and Linux86/64 binaries with shellcode.

  • BDFProxy: Patch Binaries via MITM (BackdoorFactory + mitmProxy).

  • Cuckoo: Open source automated malware analysis system.

  • Cerbero Profiler: Malware and forensic analysis tool.

  • CryptoShark: Cross-platform interactive debugger (powered by Frida).

  • Ropper: Rop gadget and binary information tool.

  • Snowman: A native code to C/C++ decompiler.

  • Concolica: Python concolic execution framework for program analysis.

  • Memtools Vita: Toolkit to explore PlayStation Vita firmware.

  • BARF: Multiplatform open source Binary Analysis and Reverse engineering Framework.

  • rp++: Full-cpp written tool to find ROP sequences in PE/Elf/Mach-O x86/x64/ARM binaries.

  • Binwalk: Firmware analysis tool.

  • MPRESS dumper: Unpacking tool for some HackingTeam’s OS X malware.

  • Xipiter toolkit: Miscellaneous tools for various security tasks.

  • Sonare: Qt-based disassembly viewer.

  • PyDA: Python DisAssembler.

  • Qira: QEMU Interactive Runtime Analyser.

  • Rekall: Rekall Memory Forensic Framework.

  • Inficere: MacOSX rootkit (for learning purpose)

  • Pwntools: CTF framework used by Gallopsled in every CTF.

  • Bokken: GUI for the Pyew malware analysis tool and Radare reverse engineering framework.

  • Webkitties: PlayStation Vita Webkit Exploit / Mini SDK and Testing Framework.

  • Malware_config_parsers: A collection of public malware config parsers.

  • Nightmare: A distributed fuzzing testing suite with web administration.

  • Catfish: A tool to ease the process of finding ROP gadgets & creating payloads with them.

  • JSoS-Module-Dump: PlayStation Vita module dumper.

  • Vitasploit: PlayStation Vita native exploitation framework.

  • PowerShellArsenal: A PowerShell Module Dedicated to Reverse Engineering.

  • PyReil: REIL translation library.

  • ARMSCGen: Shellcodes for ARM/Thumb mode.

  • Shwass: Mach-O Executables Analyzer & Disassembler.

  • Nrop: Automated Return-Oriented Programming Chaining.

  • lldb-capstone-arm: Disassemble scripts for LLDB (for Arm & Arm64)

  • Capstone.js: JavaScript wrapper over an Emscripten build of Capstone.

  • ELF Unstrip Tool: Generate unstripped binary from an ELF strip binary.

  • Binjitsu: CTF framework and exploit development library.

  • Rop-tool: A tool to help you writing binary exploits.

  • JitAsm: JIT Assembler Library for multiple ISAs.

  • OllyCapstone: A plugin for OllyDbg 1.10 to replace the old disasm engine with Capstone.

  • PackerId: A fork of packerid.py with disassembly support.

  • UEFI_boot_script_expl: CHIPSEC module to exploit UEFI boot script table vulnerability.

  • Symx: Lightweight Symbolic Execution Engine.

  • ArmExec: Android native runtime emulator.

  • Capstone View for IDA: A plugin to use Capstone to display code instead of IDA's own disassembly engine.

  • Honggfuzz: A general-purpose fuzzer with simple, command-line interface.

  • Triad decompiler: A tiny, free and open source decompiler that will take ELF files as input and spit out pseudo-C.

  • SemTrax: Data Tracking for Binary Software.

  • Senseye: Dynamic Visual Debugging / Reverse Engineering Toolsuite.

  • Plasma: Reverse engineering tool for x86/ARM. Generates indented pseudo-C with colored syntax code.

  • Binflow: A fast & multi-thread support tool to trace function calls in ELF binaries.

  • OpenREIL: Translator and tools for REIL (Reverse Engineering Intermediate Language).

  • PREF: Portable Reverse Engineering Framework that aims to be the swiss army knife for Reverse Engineering.

  • Pwnypack: Certified Edible Dinosaurs official CTF toolkit.

  • GEF: Multi-Architecture GDB Enhanced Features for Exploiters & Reverse-Engineers.

  • Hopper: A reverse engineering tool to disassemble/decompile/debug Intel Mac, Linux, Windows & iOS executables.

  • Pysymemu: An Intel 64 symbolic emulator.

  • Decompiler: A decompiler with multiple backend support, written in Python.

  • ArkDasm: 64-bit interactive disassembler for Windows.

  • SM64tools: Collection of tools for manipulating the Super Mario 64 ROM.

  • ViDi: Visual Disassembler for static analysis of PE files.

  • Volatility_plugins: A collection of plugins for the Volatility framework.

  • ThunderGate: An open source toolkit for PCI bus exploration.

  • Visulator: A machine emulator that visualizes how each instruction is processed.

  • Psce4all: PlayStation Console Emulators For All.

  • Pwndbg: A Python plugin of GDB to assist exploit development.

  • IntelliJ IDEA: A Java IDE.

  • Binch: A light ELF binary patch tool in python urwid.

  • Ropchain: X86 systematic ROP payload generation (with API to customize payload).

  • PyOCD: Python library for programming and debugging ARM Cortex-M microcontrollers using CMSIS-DAP.

  • Okita: a set of proof-of-concepts to disassemble binaries to assembly.

  • Angr: A framework for static & dynamic concolic (symbolic) analysis.

  • Shellyzer-Gui: a GUI application that helps to analyze shellcode.

  • Xenia: Xbox 360 Emulator Research Project.

  • CodeReason: Semantic Binary Code Analysis Framework

  • Haka: a toolsuite to capture TCP/IP packets and filtering them based on Lua policy files.

  • Gcov: GNU gcov like tool.

  • Anticuckoo: A tool to detect and crash Cuckoo Sandbox.

  • EmilPRO: Graphical disassembler for a large number of instruction sets.

  • NextGen: A Genetic File, Sycall and Network Fuzzer for Unix systems.

  • Imatinib: Instrumentation tool that uses the only inline patch hooking.

  • PolyHook: X86/X64 hooking library.

  • Harpoon: Lightweight runtime hooking library for OS X.

  • fcd: A LLVM-based native program decompiler

  • MemoryPatchDetector: Detects code differentials between executables in disk and processes/modules in memory.

  • Mpesm: Identify the compiler/packer/cryptor of PE files.

  • Silicon-disassembler: A high-performance, asynchronous web-component disassembler.

  • peCloakCapstone: A tool to encoder Windows PE files to bypass AntiVirus detection.

  • Reko: A multi-architecture decompiler.

  • Usercon: User-space system emulator.

  • Lyn: Python binding for GNU lighning.

  • Edb: A cross platform x86/x86-64 debugger.

  • Unicorn-decoder: A shellcode decoder that can dump self-modifying-code.

  • Hekate: Winsock inspection/filtering/modifying.

  • Capstone.js-bookmarklet: Disassemble from webpage with bookmarklet.

  • Qiew: Hex/File format viewer.

  • ProDBG: A debugger supports a variety of targets and operating systems.

  • Pageant_xkeys: Extract unencrypted SSH keys from Pageant memory dump.

  • Crumble: A cross-platform commandline tool to disassemble PE files.

  • Trap-syscalls: Library for in-process tracing and/or hooking of system calls.

  • Thunderstrike: EFI bootkits for Apple MacBooks.

  • rr-dataflow: A GDB plugin to trace back to the origin of data in Mozilla's rr.

  • ropnroll: OSX exploitation helper library.

  • StfuSIP: System Integrity Protection (SIP) bypass for OSX 10.11.1.

  • DirectX9Hook: Runtime DirectX9 Hooking.

  • fREedom: Extracting disassembly information from executables for Binnavi.

  • Trap-syscalls: Library for in-process tracing/hooking of system calls (on Linux/x86-64)

  • PyAna: Analyzing Windows shellcode.

  • CapFunc: IDA Python Script that Disassembles Functions with Capstone.

  • MyROP: ROP tool for ARM.

  • hsdecomp: A decompiler for GHC-compiled Haskell.

  • WWCD: What Would Capstone Decode - IDA plugin implementing a Capstone powered IDA view.

  • PythonForWindows: codebase to make it easier to work with Windows & native execution.

  • MacDBG: Simple easy to use C & Python debugging framework for Mac OS X.

  • VxPwn: A fuzzer for VxWorks.

  • CHDK: Canon Hack Development Kit.

  • Triton: Dynamic binary analysis framework.

  • Shellsploit: New generation exploit development kit.

  • ADBI: Android Dynamic Binary Instrumentation tool for tracing Android native layer.

  • Redress-Disassembler: Cross platform binary disassembler written in Java.

  • TraceGrind: Execution tracing module for Valgrind.

  • AppleALC: Native OS X HD audio for unofficially-supported codecs.

  • ArmRoper: ARM ROP chain gaget searcher.

  • EhTrace: A tool for tracing execution of binaries on Windows.

  • Ded: MSDOS executable disassembler.

  • Eli.Decode: Decode obfuscated shellcodes.

  • Awasm: An AIMGP (Automatic Induction of Machine code by Genetic Programming) engine.

  • Voltron: A hacky debugger UI for hackers.

  • fence_counter: QSIM based fence counter.

  • Lisa.py: An Exploit Dev Swiss Army Knife.

  • DdiMon: Monitoring and controlling kernel API calls with stealth breakpoint using EPT.

  • UniHook: Intercept arbitrary functions at run-time, without knowing their typedefs.

  • Redream: SEGA Dreamcast emulator.

  • Erebus: A reverse engineering tool suite for Linux.

  • Avery: x86-64 kernel in Rust.

  • Pyflirt: Map file generator for Intel X86 binary based on flirt signature.

  • dispatch: Programmatic disassembly and patching.

  • cypher: Simple tool to automate adding shellcode to PE files.

  • Cemu: Cheap EMUlator based on Keystone and Unicorn engines.

  • ROPMEMU: Analyze ROP-based exploitation.

  • AssemblyBot: Telegram bot for assembling and disassembling on-the-go.

  • Demovfuscator: Deobfuscator for movfuscated binaries.

  • Ropf: Gadget displacement on top of IPR (In-Place Randomization) against Code Reuse Attack.

  • Cardinal: Similarity Analysis to Defeat Malware Compiler Variations.

  • dynStruct: Reverse engineering tool for structure recovering and memory usage analysis based on DynamoRIO.

  • iokit-dumper-arm64: Statically reconstructing the IOKit classes hierarchy from iOS kernelcache dumps.

  • Spedi: Speculative disassembly, CFG recovery, and call-graph recovery from stripped binaries.

  • Dash: A simple web based tool for working with assembly language.

  • Qsim: Full system emulator front-end to a multi-core timing model.

  • Windows_Debugger: A simple Windows x86-32 debugger.

  • MongoDB disasm: Interactive Disassembler with GUI (Web-based).

  • WTFJH: iOS Security Runtime Inspection.

  • Xenpwn: A toolkit for memory access tracing using hardware-assisted virtualization.

  • Rebours: A framework for control-flow recovery in binary programs.

  • Patchkit: A powerful binary patching toolkit.

  • CFFCapstone: Assembler extension to CFF Explorer.

  • FirmInsight: Automatic collect firmwares from internet and extract info.

  • UniAna: Analysis PE file or Shellcode (Only Windows x86).

  • pymetamorph: Metamorphic engine in Python for Windows executables.

  • WCC: The Witchcraft Compiler Collection.

  • Patcherex: Shellphish's automated patching engine, originally created for the Cyber Grand Challenge.

  • Cgrex: Targeted patcher for CGC binaries - using in the Cyber Grand Challenge.

  • C-flat: Control Flow Attestation for Embedded Systems Software.

  • W-SWFIT: x64 Windows Software Fault Injection Tool.

  • DynInst Tools: Tools built using Dyninst or Dyninst component libraries.

  • PeiBackdoor: PEI stage backdoor for UEFI compatible firmware.

  • CaptainHook: x86/x64 hook environment.

  • Ropstone: A basic ROP/gadget finder.

  • Labeless: Labels/Comments synchronization between IDA PRO and debugger backend (OllyDbg, x64dbg).

  • KlareDbg: Kernel debugger using Timeless Debugging method.

  • Ponce: IDA Pro-based symbolic execution & taint analysis engine.

  • Relyze: Interactive Software Analysis.

  • Shellsploit-library: Exploit development library for python users.

  • asm_buddy: Small script to assemble/disassemble from CLI.

  • Rgat: Instruction trace visualisation tool for dynamic program analysis.

  • Shellbug: Basic command-line, text-based, shellcode debugger.

  • Cheat Happens: CoSMOS Memory Scanner and Gamehacking Tool.

  • SimpleDpack: Windows PE packer.

  • EasyROP: A Python tool to generate ROP chains.

  • Nemezisv3: A GUI tool to convert hex-string to assembly and vice versa.

  • Stoneb0t: IRC bot providing assemble / disassemble for various architectures.

  • Rop-chainer: Generates return-oriented exploits for ELF binaries.

  • Wdbdbg: Python WDB RPC monitor for X86 targets on VxWorks 5.x/6.x.

  • kHypervisor: Light-weight nested Virtual Machine Monitor for Windows x64.

  • RePEconstruct: Automatically unpacking a Windows binary & rebuild its import address table.

  • DirEngine: Disassembly Intermediate Representation Engine.

  • Wag: WebAssembly compiler implemented in Go.

  • Fuzzemu: Instruction emulator for the Cortex-M3 ARM.

  • IDASec: IDA plugin for reverse-engineering and dynamic interactions with the Binsec platform.

  • Satt: Software Analyze Trace using Intel Processor Trace.

  • PShape: Practical Support for Half-Automated Program Exploitation.

  • PowerShell Suite: A collection of PowerShell utilities.

  • Nougat: ART-Extension for Android Nougat.

  • instruction_set_research: Analyse the instruction set distribution on malicicous PE files.

  • VulcanoIO: Open Source Cluster IOTs for Reverse Engineering Malware.

  • Proctal: Manipulates the address space of a running program on Linux.

  • Lazy Office Analyzer: Analyze Microsoft Office docs.

  • FRIEND: Flexible Register/Instruction Extender aNd Documentation.

  • Synthir: IR Transformation Synthesis for Assembly Instructions.

  • Panda: Platform for Architecture-Neutral Dynamic Analysis.

  • Alfredworkflow-Capkeystone: Alfred Workflow to convert hex string to assembly and vice versa.

  • Pydbg: A pure-python win32 debugger interface.

  • Trace: System tracer implementation in Rust.

  • Chiasm-shell: Python-based interactive assembler/disassembler CLI.

  • inVtero: Find/Extract processes, hypervisors in memory dumps using microarchitechture independent Virtual Machiene Introspection techniques.

  • PEDetour: Modify Portable Executable file to hook its export functions.

  • Paradise: x86/x86-64 hooking library.

  • Dithumb: Minimal ARM/Thumb linear sweep disassembler similar to objdump.

  • ARM-Tracer: Trace Log Generation (CLI) on a target device or emulator.

  • LunaLUA: LunaDLL with LUA, a free extension for SMBX game engine.

  • GadgetWrecker: A conceptually simple, experimental defence against ROP exploits.

  • ftrace: A ltrace/strace-like but just to log calls to local functions.

  • Nucleus: Compiler-Agnostic Function Detection in Binaries.

  • TSXCFI: Prototye Implementation for TSX-based CFI Enforcement.

  • Stonesh: Command interpreter for Keystone and Capstone designed to be an alternative to ks/cstool.

  • Ratone: A console for assemble/disassemble code using Capstone/Keystone.

  • Bootcode_parser: Offline analysis of the boot records used by BIOS based systems (UEFI is not supported).

  • Fido: Teaching old shellcode new tricks.

  • Utimaco: Tools for reverse engineering the Utimaco Firmware.

  • Grap: Define and match graph patterns within binaries.

  • Nymaim-tools: A set of tools to analyze & track Nymaim trojan.

  • Guestrace: System call tracing tool based on Xen altp2m.

  • ExceptionDetector: Exception detector for Win32 programs.

  • Online Assembler & Disassembler: Online Assembler and Disassembler.

  • Unicorn.JS demo: Demo of Unicorn emulator in JavaScript.

  • Executable Image Parser: A pure-Java, concurrent friendly library for parsing executable files of a variety of formats.

  • Yara-sign-tool: A tool to generate yara signatures from function blocks.

  • ClassicOffensive: Game Classic Offensive mod.

  • Bin-analysis: Ruby module containing various utilities for binary analysis.

  • Syzygy: Syzygy Transformation Toolchain.

  • pointer-chain-reversal: Trace pointer access in Windows C++ applications.

  • Disassembler: Simple disassembler in Go with DWARF support.

  • Bre: Go-based tools for binaries reverse engineering.

  • Indika: A blanket execution/min hash semantic hash tool for binary function identification.

  • Syscall-Monitor: A system monitor program (like Sysinternal's Process Monitor) using Intel VT-X/EPT for Windows7+.

  • Piglab: Tooling and test harness for Snort signature/plugin development.

  • X86-analysis: Static analysis tools for x86 assembly.

  • iOSKextDump: Dump Kext information from iOS kernel cache.

  • Lilu: Arbitrary KEXT and process patching on MacOS.

  • x86-64-pe-emu: AMD64 Windows PE Emulator in Python.

  • AsmBot: Slack bot to assemble and disassemble using Capstone and Keystone.

  • Kcapys: Patch all calls to a function ELF file with NOPs.

  • Maclook4ref: Quickly find references to the specified Immediate number, or find the function call of specifies offset, and generate C++ functions call backtrace.

  • Reassemble: Re-Assembler utility for reverse engineering.

  • cgPwn: Cyber Grand Pwnage Box.

  • WhileDetect: Detect while(True) loop in a given binary.

  • Shellcode: x86/x86-64 shellcodes for Windows, Mac OSX, Linux, BSD & Solaris.

  • BranchMonitoringProject: A Branch Trace Store (BTS) monitor-based solution for process monitoring.

  • ioskextdump_32: Dump Kext information from 32bit iOS kernel cache.

  • mackextdump: Dump Kext information from MacOS kernel.

  • unitracer: Windows API tracer for malware.

  • pwning-tools: A small library that help CTFer quickly write payload.

  • cache-leak-detector: Detect instruction cache leaks in modular exponentiation software.

  • Dbg: A Linux debugger.

  • kcshell: Interactive assembly/disassembly shell for various architectures.

  • Bt: Binary toolkit.

  • Kernel_integrity: Kernel Integrity Check for Virtual Machine.

  • AsmHelper: A MacOS tool to help convert machine code to assembly and vice versa.

  • UniversalRop: Small tool for generating ropchains using Unicorn and Z3.

  • Manticore: Dynamic binary analysis tool.

  • Bootloader instrumentation suite: Bootloader research tools.

  • Crop: C-style language ROP Compiler for CFI-hardened system attacks.

  • Symexec: Basic x86 Symbolic Execution for educational purposes.

  • Memvis: Tool for interfacing with ELF files.

  • PEinfo: Passive Windows Portable Executable file information parser without any external dependencies.

  • syscall_intercept: System-call intercepting library.

  • Troll: C-language source-level debugger for ARM Cortex-M systems.

  • Vino: Binary instrumentation tool for Linux.

  • Falcon: Binary Static Analysis Library in Rust.

  • JSRT: Javascript Runtime for Windows, based on Chakra.

  • HyperDbg: Nested-Virtualization based debugger for debugging Hypervisor / Virtual Monitor Machine (VMMs).

  • open-source-machlib: An open source equivalent of machlib.

  • Ganxo: Opensource API hooking framework.

  • Seb: Scenario Executor for Binaries.

  • Mlib: Your bag of handy codes for malware researchers.

  • qemu-plugins-tutorial: Tutorial to write qemu plugins.

  • Egghatch: Shellcode identification & formatting.

  • AroeA: IDA script to extract stack strings + simple deobfuscate.

  • postmortem: A tiny GDB frontend.

  • RenHook: An open-source x64 hooking library for Windows.

  • Avatar2: A target orchestration framework with focus on dynamic analysis of embedded device firmware.

  • Vegvisir: A browser based GUI for LLDB debugger.

  • STAN: STAN is a sTAtic aNalyser.

  • Hfm: Hypervisor-base File Monitoring: monitoring file-related activities in VMs on XEN hypervisor.

  • PokerubyDiff: A web-based diff client to assist with decompiling pokeruby.

  • Pythem: Multi-purpose Pentest framework.

  • Holodec: Open source decompiler for x86/x86-64 binaries.

  • Pybag: CPython module for Windbg's DbgEng plus additional wrappers.

  • LuaQemu: QEMU-based framework exposing several of QEMU-internal APIs to a LuaJIT core injected into QEMU itself.

  • python-idb: Pure Python parser and analyzer for IDA Pro database files (.idb).

  • Cisol: Translator from asm to C, but not decompiler. Something between compiler and decompiler.

  • Pyrebox: Python scriptable Reverse Engineering sandbox.

  • Memory checker: Detect invalid memory access and memory leak.

  • Bbtrace: Basic block trace for DynamoRio.

  • Sandsifter: X86 processor fuzzer.

  • Retools: a reverse engineering toolkit for normies.

  • Bin2LLVM: A binary to LLVM translator.

  • PyGDB: Debugger capable of debugging binary programs with DWARF-2 debug info.

  • kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels.

  • Nemubot: A smart and modulable IRC bot.

  • Zzpp: A cute hook framework.

  • Pktsend: Tiny packet sender. User can craft IP packet flexibly.

  • HopperDos: 16 bit Intel X86 and DOS executables support for Hopper Disassempler.

  • FunctionScan: Find function boundary and recognize library function.

  • CageTheUnicorn: Debugging/emulating environment for Switch code.

  • disassemble.rs: A Rust framework for static analysis.

  • SEH_Fuzzer: A fuzzer for Windows SEH buffer overflow.

  • Asemu: 32-bit x86 emulator using ncurses and Capstone/Keystone/Unicorn.

  • Binary Ninja: A reversing platform.

  • ReilEx: Symbolic execution engine using REIL (Reverse Engineering Intermediate Language).

  • Pwntools-Ruby: Pwntools on Ruby.

  • CircuitBreaker: Nintendo Switch hacking toolkit.

  • KLisp: Lisp compiler.

  • HookLib: A small and simple header-only hooking library for x86/x64 architecture.

  • pdata_check: Identify unusual runtimes based on the PDATA section & the last instruction of the runtime function.

  • Sickle: A shellcode development toolkit.

  • ida_ea: A set of exploitation/reversing aids for IDA.

  • HookZz: A hook framework for Arm/Arm64/iOS/Android.

  • Qemu: A generic and open source machine emulator and virtualizer.

  • Andrax: Andrax mobile pentest.

  • Bloaty: Bloaty McBloatface: a size profiler for binaries.

  • Cyann: PoC Nanomite packer for PE32/PE32++.

  • Grap: Define and match graph patterns within binaries.

  • Dispar: Disassemling binary parser.

  • PreventingROPattacks: A compiler pass running on the Assembly code to prevent Return-Oriented-Programming attacks.

  • Minijit: A naive, educational x86-64 JIT-compiler written from scratch in C++ and Python.

  • Sonare: An interactive disassembler for reverse engineering.

  • OSSPolice: Identifying Open-Source License Violation and 1-day Security Risk at Large Scale.

  • Shellsploit-Library: Exploit development library for Python users.

  • Shellen: Interactive shellcoding environment to easily craft shellcodes.

  • Dyntrace: Dynamic tracing in Linux using fast tracepoints.

  • Psr: Pointer Sequence Reverser - see how Windows C++ application accesses a particular data member or object.

  • Syntia: Synthesizing the Semantics of Obfuscated Code.

  • JHEngine: Simple MemoryEditor.

  • CAFA: Checksum-Aware Fuzzing Assistant for More Coverage.

  • Retdec: Retargetable machine-code decompiler based on LLVM.

  • Capstone2LLVMIR: Library for Capstone instruction to LLVM IR translation.

  • Capstone-dumper: Utility for dumping all the information Capstone has on given instructions.

  • Capstool: Set of functions that can be used to do basic static analysis of x86/x64 instructions.

  • PEpatch: A hacky tool to patch PE binaries.

  • KrkrExtract: A tool to extract and pack Krkr2 and Krkrz's XP3 files.

  • 3dstool: An all-in-one tool for extracting/creating 3DS ROMs.

  • ios_mips_gdb: CISCO Mips debugger.

  • ScratchABit: Easily retargetable and hackable interactive disassembler with IDAPython-compatible plugin API.

  • Owl: ROP-Gadget finder in Rust.

  • JuniEmu: Emulator interface for ARM 32bit.

  • ecos_gdb: A debugger written in assembly to allow serial and tcp based debugging of ECOS firmware.

  • Multiverse: A static binary rewriter that does not use heuristics.

  • Ftrace: A simple function call tracer.

  • Ltrace: A simple library call tracer.

  • ARP-Rootkit: An open source rootkit for the Linux Kernel to develop new ways of infection/detection.

  • bitblaze_trace: A Python library to parse Bitblaze traces.

  • gbadisasm: Game Boy Advance disassembler.

  • Mega: ELF binary obfuscator.

  • Mutator: An experimental suite of tools aimed at analysis and automation of C/C++ code development.

  • Dbghlpr: It provides various functions useful for debugging using Windbg.

  • Anomaly Guard: Malware Detection by Memory Baselining.

  • Vulnscan: A binary vunerability scanner for binaries.

  • Pimp my ride: Multi-architecture CPU Emulator.

  • PTfuzzer: Greybox fuzzer to fuzz any binary-only software.

  • CAFA: A Checksum-Aware Fuzzing Assistant For More Coverage.

  • Webkit: A fast, open source web browser engine.

  • Extended APIs: Intel's VT-x / VT-d APIs for the Bareflank hypervisor.

  • Fuzzle: A stateful fuzzing engine.

  • Fyvm Disassembler: IDAPython scripts for devirtualization/disassembly FinSpy VM.

  • Mapbox-GL-Android: A library based on Mapbox GL Native for embedding interactive map into Android.

  • bin2vex: Convert binary to VEX IR using the C interface provided by Pyvex.

  • Crave: Framework to automatically test and explore the capabilities of generic AV engines.

  • Memory-Analyzer: A loadable dll intended to track memory changes and dynamically emplaced "JMP" in the host executable.

  • Binja-secret: Binary Ninja plugin that encapsulate Frida, Unicorn, Capstone and Keystone.

  • GO disassembler: A lightweight ELF disassembler written in GO.

  • dc-lang: A toy programming language + tracing JIT.

  • ida-embed-arch-disasm: Allows IDA PRO to disassemble x86-64 code (WOW64) in 32-bit database.

  • Hyara: Yara rule making tool (IDA plugin).

  • SMDA: Minimalist recursive disassembler library optimized for accurate CFG recovery from memory dumps.

  • Deen: Generic data encoding/decoding applition built with PyQt5.

  • PinCFGReconstructor: Instruction tracing for complext programs.

  • dc-lang: A toy programming language + tracing JIT.

  • Golf: Parser for ELF file written in Golang.

  • TaintGrind: A taint-tracking plugin for the Valgrind memory checking tool.

  • Frick: The first debugger built on top of Frida.

  • Emufuzz: libFuzzer + Unicorn + Capstone.

  • REBot: A Discord bot for reverse engineers and exploit developers.

  • Delf: An ELF dump script written in Python.

  • One gadget lib: Python library to find one-gadget to invoke "/bin/sh".

  • vtMal: Malware Sandbox Emulation in Python @ HITCON 2018.

  • Rosenbridge: Hardware backdoors in x86 CPUs.

  • EnVisen: ROP Entropy Visualizer.

  • Nemu: Modern Hypervisor for the Cloud.

  • Android-Disassembler: Disassembler for Android.

  • Google CTF: Google CTF.

  • LinDbg: Linux clone of Windbg.

  • libcpu: x86 Dynamic Binary Translator Library.

  • Dwarf: GUI for Android revere engineering.

  • Stonework: Pebble emulator iOS and watchOS.

  • VmwareHardenedLoader: Anti anti-VM for VMWare.

  • libelfmaster: Secure ELF parsing/loading library for forensics reconstruction of malware, and robust reverse engineering tools.

  • arme: ARM2ARM recompiler for melonds.

  • Lojax UEFI rootkit checker: test if your system is vulnerable to world's first UEFI rootkit attack.

  • Twopy: A Python JIT compiler.

  • Boomerang: Boomerang Decompiler.

  • GTIRB pprinter: Pretty printer from GTIRB to assembly code.

  • InspectELF: ELF Inspection library finding compile-time gcc security switches.

  • Unicorn PE: Unicorn based emulator for Windows PE files.

  • Vulture: Binary Static Analysis Library in Rust.

  • TaintGrind: A taint-tracking plugin for the Valgrind memory checking tool.

  • Binsequencer: A script designed to find a common pattern of bytes within a set of samples and generate a YARA rule.

  • Vmware Hardened Loader: Vmware Hardened VM detection mitigation loader (anti anti-vm).

  • Janus: Binary modifier.

  • crash-unscrambler: Analyzes crash reports and crashed processes to recover as much information as possible about the data and execution leading up to the crash.

  • idenLib: Library Function Identification plugin for IDA Pro.

  • Rainbow: Easy scripting interface to emulate embedded binaries for tracing.

  • Binarydroid: Basic disassembler for Android.

  • GTIRB pprinter: Pretty printer from GTIRB to assembly code.

  • Saferwall: A hackable malware sandbox for the 21st Century.

  • Yara signator: Automatic YARA rule generation for Malpedia.

  • Droidguard-VM: Java implementation of DroidGuard virtual machine.

  • Zephyrus: A sophisticated memory library used to dynamically hook and edit memory, allowing pre-compiled code to be rewritten.

  • xdvre: A disassembler/debugger that works based on the extension plugin.

  • elf-mlsploit: Mlsploit module for perturbing ELF binary (direct call to indirect call).

  • Ddisasm: Datalog driven disassembly of binary executables.

  • mkYARA: Generating YARA rules based on binary code.

  • unprotect: A Python tool for parsing PE malware and extract evasion techniques.

  • DJI firmware tools: Tools for handling firmwares of DJI products, with focus on quadcopters.

  • bu6pwn: PWN Framework.

  • Inspector gadget: Discovers ROP gadgets & chains them together.

  • Corana: A Dynamic Symbolic Execution Engine for ARM Cortex-M.

  • uftrace: Function (graph) tracer for user-space.

  • flara: A web based Yara generator.

  • dhop: Discover Heap OPeration.

  • DeSW: Just a simple De-switcher.

  • Ensemble DL Ransomware Detector: A Deep Learning ensemble that classifies Windows executable files as either benign, ransomware, or other malware.

  • RansomwareDetector: Attempts to detect ransomware based on properties of of a binary.

  • RopDissector: A framework for static analysis of ROP exploits and programs.

  • TriggerBug: Fast-Symbolic-Emulation-Engine.

  • Delinker: Unlinks a binary executable to get back a set of .o object files for further transformation and re-linking.

  • YaraSafe: SAFE embeddings to match functions in Yara.

  • Patcher: Lightweight library to facilitate creating & tracking function hooks or other arbitrary memory patches.

  • CARE: Compiler-Assisted Recovery mechanism for soft failures, which are caused by transient faults.

  • CRNN-malware-detector: Convolutional Recurrent Neural Net based malware detection model.

  • Razzer: A Kernel fuzzer focusing on race bugs.

  • Execution trace viewer: Tool for viewing and analyzing execution traces.

  • Zofi: The Zero Overhead Fault Injector project.

  • elf-dissector: Tools for inspecting, analyzing and optimizing ELF files.

  • RetroWrite: Retrofitting compiler passes though binary rewriting.

  • TaintInduce: Automate the creation of taint propagation rules for unknown instruction sets.

  • malduck: Malduck is your ducky companion in malware analysis journeys.

  • UnicoreFuzz: Fuzzing the Kernel Using AFL-Unicorn.

  • UniTaint: PoC for a taint based attack on VMProtect.

  • macsim: A heterogeneous architecture timing model simulator.

  • libhooker: Modular binary injection framework.

  • disasm.ninja: A realtime assembler/disassembler.

  • washingtondc: Open-source Sega Dreamcast emulator.

  • Router Exploit Shovel: Automated Application Generation for Stack Overflow Types on Wireless Routers.

  • tbrop: Taint-based ROP tool.

  • mobo: Little hypervisor project using KVM.

  • Window Function Tracer: Window Executable file Function tracer using Debugging API.

  • VBox Monitor: Monitoring/Debug tool for VirtualBox.

  • Unicorn-Bios: Basic BIOS emulator for Unicorn Engine.

  • yara-sig-generator: Create Yara signature from binary address.

  • Binee: Binary emulation environment.

  • Xendbg: A feature-complete reference implementation of a modern Xen VMI debugger.

  • Mupen64Plus: A cross-platform plugin-based N64 emulator.

  • Razor: A Framework for Post-deployment Software Debloating.

  • AFLplusplus: AFL fuzzer with community patches.

  • DeviceMon: VT-based PCI device monitor (SPI).

  • binarypinja: Create datasets for machine learning programs in a NLP (natural language processing).

  • TriggerBug: Fast-Symbolic-Emulation-Engine.

  • Maat: Open-source Dynamic Symbolic Execution framework used for Binary Analysis.

  • Packman deobfuscator: League-of-Legends anti-cheat code deobfuscator.

  • aah: Arm64 architecture handler.

  • Volatility3: The Volatile memory extraction framework.

  • Windbgtool: WinDbg Toolbox package.

  • dsdump: An improved nm + Objective-C & Swift class-dump.

  • zdb: 64 bit ELF debugger for reverse engineering.

  • QuickPatch: GDB plugin for patching ELF file.

  • S(gx)ELF-respect: Privacy-preserving TEE prototype on a service-oriented environment.

  • EFI DXE Emulator: EFI DXE Emulator and Interactive Debugger.

  • VTIL Core: Virtual-machine Translation Intermediate Language.

  • Kernel fuzzer for Xen: VMI Kernel Fuzzer for Xen Project: VM forking, VMI & AFL integration demo.

  • Frankenstein: Broadcom and Cypress firmware emulation for fuzzing and further full-stack debugging.

  • approxis-groundtruth: Generates a ground truth map of binary disassembly.

  • OBIN: An educational elf parser and simple binary analysis tool.

  • AtX: A tool to help port simple ARM32 elf binaries to X86_64 binaries.

  • e9patch: A Powerful Static Binary Rewriter.

  • specrop: Speculative exploitation of ROP chains.

  • BlindSide: BlindSide allows attackers to “hack blind” in the Spectre era.

  • JOP ROCKET: The Jump-oriented Programming Reversing Open Cyber Knowledge Expert Tool.

  • XPEViewer: PE file viewer/editor for Windows, Linux and MacOS.

  • XELFViewer: ELF file viewer/editor for Windows, Linux and MacOS.

  • XMachOViewer: Mach-O file viewer/editor for Windows, Linux and MacOS.

  • speakeasy: A portable, modular, binary emulator designed to emulate Windows kernel and user mode malware.

  • XAPKDetector: APK/DEX detector for Windows, Linux and MacOS.

  • Detect It Easy: Program for determining types of files for Windows, Linux and MacOS.


In addition, Capstone is available in the following Operating System distributions (listed in no particular order)

  • Gentoo: Gentoo Linux distribution.

  • Fedora: Fedora Linux distribution.

  • Arch: Arch Linux distribution.

  • Ubuntu: Ubuntu Linux distribution.

  • Debian: Debian Linux distribution.

  • OpenBSD: Security-oriented, multi-platform 4.4BSD-based UNIX-like operating system.

  • FreeBSD: Free Unix-like operating system descended from AT&T Unix via BSDS.

  • NetBSD: Free, fast, secure, and highly portable Unix-like Open Source operating system.

  • Pentoo: Gentoo-based Linux distribution for pentesters.

  • Kali Linux: Rebirth BackTrack, the Penetration testing distribution.

  • BlackArch: Arch-based GNU/Linux distribution for pentesters and security researchers.

  • NixOS: The Purely Functional Linux Distribution.

  • ArchAssault : A fully customizable pentest distribution done the Arch Linux way.

  • DragonFly BSD: Free Unix-like operating system.

  • NetHunter: Android penetration testing platform for Nexus devices.

  • Void Linux: A Linux distro based on the xbps packaging system.

  • REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware.

Please let us know, so we can put you in the list above, if you are also using Capstone, either:

  • for your products.

  • for your training classes.

  • for your works.