capstone
Capstone disassembly/disassembler framework for ARM, ARM64 (ARMv8), Alpha, BPF, Ethereum VM, HPPA, LoongArch, M68K, M680X, Mips, MOS65XX, PPC, RISC-V (rv32G/rv64G), SH, Sparc, SystemZ, TMS320C64X, TriCore, WebAssembly, XCore and X86.
C disassembly library that reads raw bytes from a binary and returns human-readable CPU instructions and register-level metadata, supporting over a dozen processor architectures.
Capstone is a library that reads compiled binary code and tells you what CPU instructions it contains. This process is called disassembly: you feed it raw bytes from an executable file or memory, and it gives back human-readable instruction names, operands, and detailed metadata about each operation. It is written in C and built for use by security researchers, malware analysts, and developers who need to inspect programs at the machine instruction level.
The library supports a very wide range of processor types, including ARM, ARM64, x86 (32-bit and 64-bit), MIPS, PowerPC, SPARC, RISC-V, LoongArch, M68K, and about a dozen more. This breadth means the same API works regardless of what kind of binary you are analyzing. Beyond just naming each instruction, Capstone can also tell you which CPU registers an instruction reads from and writes to, which is useful when tracing how data flows through a program.
The core is written in C to keep it fast and portable. Bindings are available for a long list of other languages including Python, Ruby, Go, Rust, Java, C#, Node.js, Haskell, and others, either bundled in the main repository or contributed by the community. It runs on all major operating systems, including Windows, macOS, Linux, iOS, Android, and several BSD variants. It is also designed to be embedded inside firmware or OS kernels where a full runtime environment may not be available.
Note that the master branch visible here is deprecated. Active development happens on the next branch of the same repository, and that is where you should start if you are setting it up for the first time. The project is released under the BSD open-source license.
Where it fits
- Build a malware analysis tool that disassembles a suspicious binary and traces which registers each instruction reads and writes.
- Write a Python script that reads a compiled executable, identifies every instruction, and maps data flow through the program.
- Embed a disassembler inside a firmware image or OS kernel to inspect machine code at runtime with no external dependencies.