
Ghidra

NSA open-source software reverse engineering framework

Description

Ghidra is a software reverse engineering framework developed by the NSA. It includes a suite of full-featured, high-end software analysis tools for analyzing compiled code on various platforms including Windows, macOS, and Linux.

Installation

BASH
# Download from https://ghidra-sre.org/
# Requires: JDK 17+ (a full JDK, not just a JRE; Ghidra compiles scripts at run time)
sudo apt install openjdk-17-jdk
# Releases ship as a zip (not a tarball) that unpacks into ghidra_<version>_PUBLIC/
unzip ghidra_*.zip && cd ghidra_*_PUBLIC
./ghidraRun

Basic Usage

BASH
# Launch Ghidra
./ghidraRun

# 1. Create new project
# 2. Import binary (File → Import File)
# 3. Double-click binary to open CodeBrowser
# 4. Auto-analyze (Yes when prompted)
# 5. Navigate: functions, strings, imports, exports

# Headless analysis (scripting); the launcher lives in support/, not the top-level directory
# script.py must be in ~/ghidra_scripts or in a directory passed with -scriptPath
./support/analyzeHeadless /tmp/project ProjectName -import binary -scriptPath /path/to/scripts -postScript script.py

Advanced Usage

BASH
# Ghidra script (Python/Java)
# Automate analysis, find patterns, extract data

# Decompiler
# Window → Decompiler → shows pseudo-C code

# Patch binary
# Right-click instruction → Patch Instruction

# Diffing binaries
# File → Compare With → select second binary

# Extensions
# Useful: ghidra-emotionengine (PS2), Ghidra MIPS, SVD Loader (ARM)

# Export decompiled C code
# File → Export Program → Format: C/C++ (runs the decompiler over every function)

Common Workflows

BASH
# CTF binary analysis
# 1. Import binary
# 2. Auto-analyze
# 3. Find main() or entry point
# 4. Follow cross-references
# 5. Check strings (Search → For Strings)
# 6. Decompile key functions
# 7. Identify logic / vulnerabilities
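A post-script for the headless run shown above that automates steps 4 to 7 of this workflow: it lists every function that calls a small set of unbounded libc imports, so those callers can be decompiled first. This is an added example, not code from the page or from the Ghidra project; the script name, project path and binary name are assumptions, and only `summarize_risky_calls` runs outside Ghidra.

```python
# find_risky_calls.py (assumed name): Ghidra post-script, Jython 2.7 compatible. Run e.g.
#   ./support/analyzeHeadless /tmp/project Proj -import ./target.bin -scriptPath . \
#       -postScript find_risky_calls.py   (project path, name and binary are placeholders)
# Imports worth a closer look in the decompiler, with the reason each is flagged.
RISKY_IMPORTS = {
    "gets": "reads without a length bound",
    "strcpy": "copies without a length bound",
    "strcat": "appends without a length bound",
    "sprintf": "formats without a length bound",
    "system": "runs a shell command",
}

def summarize_risky_calls(call_sites, risky=RISKY_IMPORTS):
    """Group call sites by caller, keeping only callees listed in `risky`.
    call_sites: iterable of (caller_name, callee_name, call_address_str).
    Returns {caller: [(address, callee, reason), ...]}, sorted by address."""
    report = {}
    for caller, callee, addr in call_sites:
        name = callee.lstrip("_")  # tolerate "_strcpy"-style decorated names
        if name in risky:
            report.setdefault(caller, []).append((addr, name, risky[name]))
    for sites in report.values():
        sites.sort()
    return report

def collect_call_sites():
    """Inside Ghidra only: find every function named like a risky import
    (PLT thunks included) and record each call reference to it."""
    fm = currentProgram.getFunctionManager()
    rm = currentProgram.getReferenceManager()
    sites = []
    for func in fm.getFunctions(True):
        if func.getName().lstrip("_") not in RISKY_IMPORTS:
            continue
        for ref in rm.getReferencesTo(func.getEntryPoint()):
            caller = fm.getFunctionContaining(ref.getFromAddress())
            if not ref.getReferenceType().isCall() or caller is None or caller.isThunk():
                continue  # skip data refs, stray refs and PLT-to-external hops
            sites.append((caller.getName(), func.getName(), str(ref.getFromAddress())))
    return sites

try:
    currentProgram  # injected by Ghidra when run as a script; absent elsewhere
    IN_GHIDRA = True
except NameError:
    IN_GHIDRA = False

if IN_GHIDRA:
    for caller, sites in sorted(summarize_risky_calls(collect_call_sites()).items()):
        for addr, callee, reason in sites:
            print("%s  %s -> %s  (%s)" % (addr, caller, callee, reason))
```

Each printed line is a call site to open in the decompiler (Window → Decompiler) and check whether the destination buffer or the command string is actually bounded or trusted.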