Capstone & LLVM

Capstone framework is based on the MC component of the LLVM compiler infrastructure, which among many stuffs has a disassembly engine inside called MCDisassembler. LLVM even has a tool named llvm-mc that can be used to disassemble input binary.

While Capstone reuses a part of MCDisassembler as its core (with quite a few of changes to adapt to our design), there is a major difference between them. Notably, Capstone is able to do whatever MCDisassembler can, but beyond that our engine can do more & do better in many aspects.

The section below highlights the areas where Capstone shines.

  echo "0x10 0xf1 0x10 0xe7" | llvm-mc -disassemble -arch=arm -mattr=+hwdiv-arm

With all that said, LLVM is an awesome project, which Capstone was born from. However, Capstone is not just LLVM, but offering a lot more because it has been designed & implemented especially for disassembling/reversing to answer the demand of security community.