A dynamic binary analysis framework based on QEMU for whole-system taint analysis and security research.
DECAF (Dynamic Executable Code Analysis Framework) is an open-source binary analysis platform built on QEMU that enables whole-system dynamic taint analysis and malware inspection. It allows security researchers to precisely track data flow across CPU registers and memory in virtualized environments, supporting multiple architectures and operating systems. The framework solves the problem of inefficient and platform-specific binary analysis by providing a unified, high-performance tool for security tasks like intrusion detection and malware behavior analysis.
Security researchers, malware analysts, and academic teams working on dynamic binary analysis, taint tracking, or Android malware inspection (via DroidScope). It is particularly suited for those needing cross-platform support and low-overhead instrumentation.
Developers choose DECAF for its platform-agnostic design, precise bit-level tainting, and elastic performance optimizations (DECAF++), which make it one of the fastest whole-system dynamic taint analysis frameworks available. Its event-driven API and transparent instrumentation management reduce plugin development complexity compared to alternatives.
DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. This is also the home of the DroidScope dynamic Android malware analysis platform. DroidScope is now an extension to DECAF.
Supports multiple architectures (x86, ARM) and operating systems (32-bit Windows XP/7, Linux) with minimal platform-specific code, enabling versatile analysis across different environments as highlighted in the README.
Maintains bit-level precision for CPU registers and memory, with taint propagation implemented at the TCG IR level for extensibility and accuracy, ensuring lossless tracking for security research.
DECAF++ offers elastic whole-system dynamic taint analysis with low overhead (4% on SPEC CPU2006) and is around 25% faster on nbench under heavy workloads, making it efficient for tasks like intrusion detection.
Provides programming interfaces that let plugins register for specific events without managing low-level instrumentation themselves, so plugin authors can concentrate on analysis logic rather than on the instrumentation machinery.
Only supports 32-bit Windows XP/7 and Linux, lacking compatibility with 64-bit or newer operating systems, which restricts its applicability in contemporary security environments.
Requires deep knowledge of QEMU and binary analysis, and setup can be challenging for newcomers; the project's academic focus means documentation lives mostly in a wiki rather than in comprehensive guides.
Despite the optimizations, heavy taint analysis still incurs notable overhead (the benchmarks report relative speed-ups, not the elimination of the baseline cost), so it may not suit all real-time or high-throughput scenarios.