explaingit

unicorn-engine/unicorn

8,954 | C | Audience · researcher | Complexity · 4/5 | License | Setup · moderate

TLDR

A CPU emulation framework that lets software pretend to be an ARM, x86, MIPS, or other processor, so security researchers can safely run and inspect machine code without real hardware.

Mindmap

mindmap
  root((repo))
    What it does
      CPU emulation
      Instruction tracing
      Memory hooks
    Supported CPUs
      ARM and ARM64
      x86 and x64
      MIPS RISC-V SPARC
    Use cases
      Malware analysis
      Firmware inspection
      Security research
    Bindings
      Python
      Go Rust Java Ruby

Things people build with this

USE CASE 1

Safely run and analyze a suspicious binary or firmware snippet without booting real hardware or risking your own machine.

USE CASE 2

Attach callbacks to specific memory addresses in an unknown binary to trace exactly what it does at each step.

USE CASE 3

Build a malware analysis tool that can emulate multiple CPU architectures using Python bindings.

USE CASE 4

Study how an embedded device firmware behaves by emulating the target CPU type on your laptop.

Tech stack

C, Python, Go, Rust, Java, Ruby

Getting it running

Difficulty · moderate | Time to first run · 30min

Python bindings install via pip; building from C source for other languages requires a C compiler.

GPLv2: free to use and modify, but if you distribute software that includes this code, you must release your source code under the same license.

In plain English

Unicorn is a CPU emulation framework, meaning it lets software pretend to be a processor and execute code written for a different type of chip. It is used primarily by security researchers and reverse engineers who need to run or inspect small pieces of machine code in a controlled environment without booting an actual device or operating system.

The framework supports a wide range of processor types, including ARM, ARM64, x86 (in 16, 32, and 64-bit modes), MIPS, PowerPC, RISC-V, SPARC, and several others. This makes it useful when analyzing firmware or binary files that target hardware you do not physically own. It is built on top of QEMU, an established open-source machine emulator, but focuses specifically on CPU-level emulation rather than full system emulation.

Unicorn is written in C and provides bindings for a long list of other languages, including Python, Go, Rust, Java, Ruby, and many more, so it can be called from whatever language a researcher or developer prefers. It runs on Windows, Linux, macOS, and several other operating systems. The project uses just-in-time compilation internally to keep execution fast.

One notable feature is fine-grained instrumentation: you can attach callbacks to specific memory addresses or instruction types, which lets you observe exactly what a piece of code does at each step. This is a common need when analyzing malware or studying how unknown binaries behave.

The project is distributed under the GPLv2 license and is actively looking for contributors. Additional documentation for compiling and using the library lives in the docs folder rather than the main README.

Copy-paste prompts

Prompt 1
Show me a Python example using the Unicorn engine that emulates a small x86-64 shellcode snippet, reads the register values after execution, and prints what changed.
Prompt 2
How do I use Unicorn to set a memory hook that fires every time a specific address is read or written during emulation? Show a Python example.
Prompt 3
I have an ARM firmware binary I want to analyze. Walk me through loading it into Unicorn, mapping the correct memory regions, and running a function from a known offset.
Prompt 4
What is the difference between Unicorn and QEMU for emulating firmware? When should I choose Unicorn over running a full QEMU system emulation?

Verify against the repo before relying on details.