Command line binary analysis tool that identifies capabilities in PE, ELF, .NET, shellcode, and sandbox reports
- Stars: 6.1k
- Forks: 703
- Open Issues: 275
Apache-2.0
- Python
- Vue
- JavaScript

About capa
capa detects capabilities in executable files and reports what a program can do. Run it against PE, ELF, and .NET modules, shellcode, or sandbox reports to surface behaviors such as service installation, HTTP communication, or backdoor-like activity.
It runs from the terminal as a standalone binary or can be imported as a Python library. Rules match static and dynamic evidence; the -v flag lists the functions each rule matched in and the -vv flag pinpoints the address of every supporting feature. Dynamic analysis consumes sandbox reports from CAPE, DRAKVUF, and VMRay, and capa Explorer Web renders results in a browser, including as a single offline HTML file.
It ships with hundreds of curated rules and plugs into IDA Pro and Ghidra, so reverse engineers and malware analysts can triage samples quickly without leaving their disassembler.
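A common follow-up to a capa run is to turn its JSON output (`capa -j sample.exe > sample.json`) into a triage view grouped by ATT&CK tactic. The script below is an added example, not capa's own code. The embedded report is a constructed, trimmed sample that assumes the top-level `rules` mapping with per-rule `meta.attack` entries (`tactic`, `technique`, `subtechnique`, `id`) and a `matches` collection; real capa releases differ in how `matches` and addresses are encoded, which is why `match_count` accepts either a dict or a list. The `WATCHLIST` of tactics is an assumption for illustration, not a capa setting.

```python
"""Summarize a capa JSON report (capa -j) by ATT&CK tactic.

Added example, not part of capa. The report structure assumed here is
result["rules"][<rule name>]["meta"]["attack"] (list of tactic/technique
mappings) and result["rules"][<rule name>]["matches"]; field names beyond
those are not relied upon.
"""
from __future__ import annotations

import json
import sys
from collections import defaultdict

# Constructed sample in the shape of (trimmed) `capa -j` output.
SAMPLE_REPORT = json.dumps({
    "meta": {"version": "7.0.0", "sample": {"path": "sample.exe"}},
    "rules": {
        "create service": {
            "meta": {
                "name": "create service",
                "namespace": "persistence/service",
                "attack": [{"tactic": "Persistence",
                            "technique": "Create or Modify System Process",
                            "subtechnique": "Windows Service",
                            "id": "T1543.003"}],
            },
            "matches": {"0x401000": {}, "0x401200": {}},
        },
        "send HTTP request": {
            "meta": {
                "name": "send HTTP request",
                "namespace": "communication/http/client",
                "attack": [{"tactic": "Command and Control",
                            "technique": "Application Layer Protocol",
                            "subtechnique": "Web Protocols",
                            "id": "T1071.001"}],
            },
            "matches": {"0x402000": {}},
        },
        "contains PDB path": {
            "meta": {"name": "contains PDB path",
                     "namespace": "executable/pe/pdb",
                     "attack": []},
            "matches": {"0x0": {}},
        },
    },
})

# Tactics an analyst wants surfaced first (assumed list, tune to taste).
WATCHLIST = {"Persistence", "Command and Control", "Defense Evasion",
             "Privilege Escalation", "Credential Access"}

NO_MAPPING = "(no ATT&CK mapping)"


def load_report(text: str) -> dict:
    """Parse a capa JSON document from a string."""
    return json.loads(text)


def match_count(rule: dict) -> int:
    """Number of locations a rule matched at.

    capa versions encode matches either as a dict keyed by address or as a
    list of (address, match) pairs; len() is the right count for both.
    """
    return len(rule.get("matches", ()))


def capabilities_by_tactic(report: dict) -> dict[str, list[str]]:
    """Group rule names by ATT&CK tactic; unmapped rules go under NO_MAPPING."""
    by_tactic: dict[str, list[str]] = defaultdict(list)
    for name, rule in report["rules"].items():
        tactics = {a["tactic"] for a in rule["meta"].get("attack", [])}
        for tactic in sorted(tactics) or [NO_MAPPING]:
            by_tactic[tactic].append(name)
    return {t: sorted(names) for t, names in by_tactic.items()}


def triage(report: dict, watchlist: set[str] = WATCHLIST) -> list[tuple[str, str, str, int]]:
    """Return (tactic, technique id, rule name, match count) for rules mapped
    to a watchlist tactic, most-matched first."""
    hits = []
    for name, rule in report["rules"].items():
        for a in rule["meta"].get("attack", []):
            if a["tactic"] in watchlist:
                hits.append((a["tactic"], a["id"], name, match_count(rule)))
    hits.sort(key=lambda h: (-h[3], h[0], h[2]))
    return hits


if __name__ == "__main__":
    # Usage: python summarize.py sample.json   (falls back to the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    rep = load_report(text)
    for tactic, names in capabilities_by_tactic(rep).items():
        print(f"{tactic}: {', '.join(names)}")
    print("--- watchlist hits ---")
    for tactic, tid, name, n in triage(rep):
        print(f"{tactic:22} {tid:10} {name} ({n} match(es))")
```

Run capa with `-j` first, then feed the file to the script; the watchlist ordering puts the capabilities that most often decide a triage verdict at the top, and the unmapped bucket keeps informational rules visible without burying them among ATT&CK hits.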
Key features
- Detects capabilities in PE, ELF, .NET, shellcode, and sandbox reports
- Reports evidence locations with the -vv flag
- Supports CAPE, DRAKVUF, and VMRay report formats
- Browser-based capa Explorer Web with standalone HTML for offline use
- IDA Pro plugin and Ghidra integration
Details
- First released: 2020
- Platforms: Windows · macOS · Linux · CLI
- Deployment: offline-first
- Output: Static and dynamic capability detection
- Integrations: IDA Pro · Ghidra · CAPE
- Rules: Hundreds of standard capa-rules
