Triton
Triton is a dynamic binary analysis library. Build your own program analysis tools, automate your reverse engineering, perform software verification or just emulate code.
Triton is a dynamic binary analysis library. It provides internal components that allow you to build your program analysis tools, automate reverse engineering, perform software verification or just emulate code.
- Dynamic symbolic execution
- Dynamic taint analysis
- AST representation of the x86, x86-64, ARM32, AArch64 and RISC-V 32/64 ISA semantics
- Expression synthesis
- SMT simplification passes
- Lifting to LLVM as well as Z3 and back
- SMT solver interface to Z3 and Bitwuzla
- C++ and Python API
As Triton is a part-time project, please don't blame us if it is not fully reliable. Opening issues or pull requests is always better than trolling =). You can follow the development on Twitter: @qb_triton.
Quick start
Getting started
>>> from triton import *
>>> # Create the Triton context with a defined architecture
>>> ctx = TritonContext(ARCH.X86_64)
>>> # Define concrete values (optional)
>>> ctx.setConcreteRegisterValue(ctx.registers.rip, 0x40000)
>>> # Symbolize data (optional)
>>> ctx.symbolizeRegister(ctx.registers.rax, 'my_rax')
>>> # Execute instructions
>>> ctx.processing(Instruction(b"\x48\x35\x34\x12\x00\x00")) # xor rax, 0x1234
>>> ctx.processing(Instruction(b"\x48\x89\xc1")) # mov rcx, rax
>>> # Get the symbolic expression
>>> rcx_expr = ctx.getSymbolicRegister(ctx.registers.rcx)
>>> print(rcx_expr)
(define-fun ref!8 () (_ BitVec 64) ref!1) ; MOV operation - 0x40006: mov rcx, rax
>>> # Solve constraint
>>> ctx.getModel(rcx_expr.getAst() == 0xdead)
{0: my_rax:64 = 0xcc99}
>>> # 0xcc99 XOR 0x1234 is indeed equal to 0xdead
>>> hex(0xcc99 ^ 0x1234)
'0xdead'
Install using pip
Triton can be installed using pip:
pip install triton-library
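The distribution is named triton-library, but the module it provides is imported as triton, and PyPI also hosts an unrelated project whose distribution is itself named triton and which installs a top-level module of the same name. The following post-install check is an added example, not part of the Triton project; its verdict strings and function names are this example's own, and it only assumes the API names used in the quick start above.

```python
import importlib
import importlib.metadata as metadata
import re

QUICKSTART_API = ("TritonContext", "ARCH", "Instruction")  # names used on this page
WANTED_DIST = "triton-library"    # distribution named in the pip command above
COLLIDING_DIST = "triton"         # unrelated PyPI project with the same import name


def normalize(name):
    """Normalise a distribution name (PEP 503): Triton_Library -> triton-library."""
    return re.sub(r"[-_.]+", "-", name).lower()


def classify(dist_names, module_attrs):
    """Classify what `import triton` resolved to (verdict strings are this example's own).

    dist_names   -- names of installed distributions
    module_attrs -- attribute names of the imported module, or None if import failed
    """
    dists = {normalize(n) for n in dist_names}
    if module_attrs is None:
        return "not-importable"
    if not all(name in module_attrs for name in QUICKSTART_API):
        # Some other module answered to the name `triton`.
        return "shadowed" if WANTED_DIST in dists else "wrong-package"
    if COLLIDING_DIST in dists:
        return "ok-collision-risk"    # both distributions are installed side by side
    return "ok" if WANTED_DIST in dists else "ok-source-build"


def inspect_environment():
    """Return (verdict, module path) for the current interpreter."""
    names = [d.metadata["Name"] for d in metadata.distributions()]
    names = [n for n in names if n]   # skip distributions with broken metadata
    try:
        module = importlib.import_module("triton")
    except ImportError:
        return classify(names, None), None
    return classify(names, set(dir(module))), getattr(module, "__file__", None)


if __name__ == "__main__":
    verdict, path = inspect_environment()
    print(f"import triton -> {verdict} ({path})")
```

Running it in a fresh virtual environment right after the pip command should report `ok`; any other verdict means the interpreter is not importing the library this page describes, or may stop doing so.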
Install from source
Triton relies on the following dependencies:
* libcapstone >= 5.0.x https://github.com/capstone-engine/capstone
* libboost (optional) >= 1.68
* libpython (optional) >= 3.6
* libz3 (optional) >= 4.6.0 https://github.com/Z3Prover/z3
* libbitwuzla (optional) >= 0.4.x https://github.com/bitwuzla/bitwuzla
* llvm (optional) >= 12
Linux and MacOS
$ git clone https://github.com/JonathanSalwan/Triton
$ cd Triton
$ mkdir build ; cd build
$ cmake ..
$ make -j3
$ sudo make install
By default, the LLVM and Bitwuzla interfaces are not compiled. If you want to enjoy the full power of Triton, use the following cmake command:
$ cmake -DLLVM_INTERFACE=ON -DCMAKE_PREFIX_PATH=$(llvm-config --prefix) -DBITWUZLA_INTERFACE=ON ..
MacOS M1 Note:
If you get compilation errors like:
Could NOT find PythonLibs (missing: PYTHON_LIBRARIES PYTHON_INCLUDE_DIRS)
Try to specify PYTHON_EXECUTABLE, PYTHON_LIBRARIES and PYTHON_INCLUDE_DIRS for your specific Python version:
cmake -DCMAKE_INSTALL_PREFIX=/opt/homebrew/ \
-DPYTHON_EXECUTABLE=/opt/homebrew/bin/python3 \
-DPYTHON_LIBRARIES=/opt/homebrew/Cellar/python@3.10/3.10.8/Frameworks/Python.framework/Versions/3.10/lib/libpython3.10.dylib \
-DPYTHON_INCLUDE_DIRS=/opt/homebrew/opt/python@3.10/Frameworks/Python.framework/Versions/3.10/include/python3.10/ \
..
You can get this information from the following snippet:
from sysconfig import get_paths
info = get_paths()
print(info)
Python Autocompletion
If Python autocompletion is not working, follow these steps:
- Execute the script
- Place the generated triton.pyi file in the same directory as the Triton shared object you want to provide hints for (for example, /usr/lib/python3.13/).
Your IDE must support parsing .pyi files.
Windows
You can use cmake to generate the .sln file of libTriton.
> git clone https://github.com/JonathanSalwan/Triton.git
> cd Triton
> mkdir build
> cd build
> cmake -G "Visual Studio 14 2015 Win64" \
-DBOOST_ROOT="C:/Users/jonathan/Works/Tools/boost_1_61_0" \
-DPYTHON_INCLUDE_DIRS="C:/Python36/include" \
-DPYTHON_LIBRARIES="C:/Python36/libs/python36.lib" \
-DZ3_INCLUDE_DIRS="C:/Users/jonathan/Works/Tools/z3-4.6.0-x64-win/include" \
-DZ3_LIBRARIES="C:/Users/jonathan/Works/Tools/z3-4.6.0-x64-win/bin/libz3.lib" \
-DCAPSTONE_INCLUDE_DIRS="C:/Users/jonathan/Works/Tools/capstone-5.0.1-win64/include" \
-DCAPSTONE_LIBRARIES="C:/Users/jonathan/Works/Tools/capstone-5.0.1-win64/capstone.lib" ..
However, if you prefer to directly download the precompiled library, check out our AppVeyor's artefacts. Note that if you use AppVeyor's artefacts, you probably have to install the Visual C++ Redistributable packages for Visual Studio 2012.
Installing from vcpkg
The Triton port in vcpkg is kept up to date by Microsoft team members and community contributors. The URL of vcpkg is: https://github.com/Microsoft/vcpkg. You can download and install Triton using the vcpkg dependency manager:
$ git clone https://github.com/Microsoft/vcpkg.git
$ cd vcpkg
$ ./bootstrap-vcpkg.sh # ./bootstrap-vcpkg.bat for Windows
$ ./vcpkg integrate install
$ ./vcpkg install triton
If the version is out of date, please create an issue or pull request on the vcpkg repository.
Contributors
- Alberto Garcia Illera - Cruise Automation
- Alexey Vishnyakov - ISP RAS
- Black Binary - n/a
- Christian Heitman - Quarkslab
- Daniil Kuts - ISP RAS
- Jessy Campos - n/a
- Matteo F. - n/a
- Pierrick Brunet - Quarkslab
- PixelRick - n/a
- Romain Thomas - Quarkslab
- And many more
They already used Triton
Tools
- Exrop: Automatic ROPChain Generation.
- Pimp: Triton based R2 plugin for concolic execution and total control.
- Ponce: IDA 2016 plugin contest winner! Symbolic Execution just one-click away!
- QSynthesis: Greybox Synthesizer geared for deobfuscation of assembly instructions.
- TritonDSE: Triton-based DSE library with loading and exploration capabilities.
- Titan: Titan is a VMProtect devirtualizer using Triton.
Papers and conference
- Sydr-Fuzz: Continuous Hybrid Fuzzing and Dynamic Analysis for Security Development Lifecycle
  Talk at: Ivannikov ISP RAS Open Conference, Moscow, Russia, 2022. [paper](publications/ISPOPEN2022-sydr-fuzz.pdf) [slide](publications/ISPOPEN2022-slide-sydr-fuzz-vishnyakov.pdf)
  Authors: Vishnyakov A., Kuts D., Logunova V., Parygina D., Kobrin E., Savidov G., Fedotov A.
  Abstract: Nowadays automated dynamic analysis frameworks for continuous testing are in high demand to ensure software safety and satisfy the security development lifecycle (SDL) requirements. The security bug hunting efficiency of cutting-edge hybrid fuzzing techniques outperforms widely utilized coverage-guided fuzzing. We propose an enhanced dynamic analysis pipeline t
