{"id":21349,"library":"flare-capa","title":"FLARE CAPA","description":"The FLARE team's open-source tool to identify capabilities in executable files. Version 9.4.0 supports Python >=3.10. CAPA detects capabilities in PE, ELF, and shellcode files. Released regularly with minor version bumps.","status":"active","version":"9.4.0","language":"python","source_language":"en","source_url":"https://github.com/mandiant/capa.git","tags":["malware analysis","reverse engineering","capabilities","binary analysis"],"install":[{"cmd":"pip install flare-capa","lang":"bash","label":"PyPI install"}],"dependencies":[{"reason":"Required for analysis of executable formats","package":"vivisect","optional":false}],"imports":[{"note":"Top-level import does not expose Capabilities class","wrong":"import capa","symbol":"Capabilities","correct":"from capa.main import Capabilities"},{"note":"get_meta is in the engine submodule","wrong":"from capa import get_meta","symbol":"get_meta","correct":"from capa.engine import get_meta"}],"quickstart":{"code":"import os\nimport json\nfrom capa.main import Capabilities\nfrom capa.engine import get_meta\n\nrules_path = os.environ.get('CAPA_RULES_PATH', '/path/to/rules')\nwith open('sample.exe', 'rb') as f:\n    buf = f.read()\ncapa = Capabilities.get_capabilities(buf, rtype='pe', backend='vivisect', rulesdir=rules_path, signatures='auto')\nmeta = get_meta(buf)\nprint(json.dumps(capa, indent=2))\nprint(json.dumps(meta, indent=2))","lang":"python","description":"Basic usage to identify capabilities in an executable file. Ensure rules are extracted or downloaded separately."},"warnings":[{"fix":"Download rules from https://github.com/mandiant/capa-rules and set CAPA_RULES_PATH environment variable or pass --rules argument.","message":"In version 9.0+ the rules directory must be provided explicitly; CAPA no longer bundles rules in the package.","severity":"breaking","affected_versions":">=9.0.0"},{"fix":"Use Capabilities.get_capabilities() instead of calling capa from command line.","message":"The 'capa' CLI tool is deprecated in favor of the Python API. Direct use of capa.main may change.","severity":"deprecated","affected_versions":">=9.0.0"},{"fix":"If on macOS, consider using a Docker container with Linux.","message":"CAPA requires vivisect as a backend, which is only available on Windows and Linux. macOS support is limited.","severity":"gotcha","affected_versions":"all"}],"env_vars":null,"last_verified":"2026-04-27T00:00:00.000Z","next_check":"2026-07-26T00:00:00.000Z","problems":[{"fix":"pip install vivisect (Windows/Linux only). For macOS, use Docker.","cause":"vivisect is not installed or not compatible with the platform.","error":"ModuleNotFoundError: No module named 'vivisect'"},{"fix":"Download capa-rules and set CAPA_RULES_PATH or pass the 'rules' parameter.","cause":"CAPA rules directory not provided or not found.","error":"FileNotFoundError: [Errno 2] No such file or directory: 'rules/...'"}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}