FLARE CAPA
9.4.0 | verified Mon Apr 27 | auth: no | python
The FLARE team's open-source tool to identify capabilities in executable files. Version 9.4.0 supports Python >=3.10. CAPA detects capabilities in PE, ELF, and shellcode files. Released regularly with minor version bumps.
pip install flare-capa
Common errors
error ModuleNotFoundError: No module named 'vivisect'
cause vivisect is not installed or not compatible with the platform.
fix pip install vivisect (Windows/Linux only). For macOS, use Docker.
error FileNotFoundError: [Errno 2] No such file or directory: 'rules/...'
cause CAPA rules directory not provided or not found.
fix Download capa-rules and set CAPA_RULES_PATH or pass the 'rules' parameter.
Warnings
breaking In version 9.0+ the rules directory must be provided explicitly; CAPA no longer bundles rules in the package.
fix Download rules from https://github.com/mandiant/capa-rules and set the CAPA_RULES_PATH environment variable or pass the --rules argument.
deprecated The 'capa' CLI tool is deprecated in favor of the Python API. Direct use of capa.main may change.
fix Use Capabilities.get_capabilities() instead of calling capa from the command line.
gotcha CAPA requires vivisect as a backend, which is only available on Windows and Linux. macOS support is limited.
fix If on macOS, consider using a Docker container with Linux.
Imports
- Capabilities
  wrong: import capa
  correct: from capa.main import Capabilities
- get_meta
  wrong: from capa import get_meta
  correct: from capa.engine import get_meta
Quickstart
import os
import json
from capa.main import Capabilities
from capa.engine import get_meta
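# Rules are not bundled since 9.0; point this at a local capa-rules checkout.
rules_path = os.environ.get('CAPA_RULES_PATH', '/path/to/rules')

# Read the sample as raw bytes.
with open('sample.exe', 'rb') as f:
    buf = f.read()

# Analyse the buffer as a PE file with the vivisect backend.
capa = Capabilities.get_capabilities(buf, rtype='pe', backend='vivisect', rulesdir=rules_path, signatures='auto')
meta = get_meta(buf)

# Print the results and the sample metadata as JSON.
print(json.dumps(capa, indent=2))
print(json.dumps(meta, indent=2))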
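
A preflight check for the two common errors listed above, as an added example (not code from capa or from this page): it resolves the rules directory from an explicit argument or CAPA_RULES_PATH and tests whether the vivisect module is importable, before any sample is read. The function names are hypothetical, and the check assumes rules are stored as .yml files, as in the capa-rules repository.

```python
import importlib.util
import os
import tempfile
from pathlib import Path


def resolve_rules_dir(explicit=None, env=None):
    """Return (path, rule_count) from an explicit argument or CAPA_RULES_PATH."""
    env = os.environ if env is None else env
    candidate = explicit or env.get("CAPA_RULES_PATH")
    if not candidate:
        raise FileNotFoundError("no rules directory: pass one or set CAPA_RULES_PATH")
    path = Path(candidate).expanduser()
    if not path.is_dir():
        raise FileNotFoundError(f"rules directory does not exist: {path}")
    # Assumption: rules are .yml files in nested folders, as in capa-rules.
    count = sum(1 for _ in path.rglob("*.yml"))
    if count == 0:
        raise FileNotFoundError(f"no .yml rule files under: {path}")
    return path, count


def backend_available(module="vivisect"):
    """True if the backend module can be located, without importing it."""
    return importlib.util.find_spec(module) is not None


def preflight(explicit=None, env=None, module="vivisect"):
    """Collect every problem at once so they can be fixed in one pass."""
    problems = []
    try:
        resolve_rules_dir(explicit, env)
    except FileNotFoundError as exc:
        problems.append(str(exc))
    if not backend_available(module):
        problems.append(f"backend module not importable: {module}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a temporary directory holding one placeholder rule file.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "nursery").mkdir()
        (Path(tmp) / "nursery" / "example.yml").write_text("rule: {}\n")
        print(preflight(env={"CAPA_RULES_PATH": tmp}))
        print(preflight(env={}))
```

An empty list from preflight() means both preconditions hold; each string in a non-empty list names one of the failures described under Common errors.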