Ghidra
Overview
Ghidra is NSA's open-source software reverse engineering suite. It loads binaries (PE, ELF, Mach-O, raw), disassembles, decompiles to C-like pseudocode, and supports collaborative analysis via shared project repositories.
The CodeBrowser is the main workspace: Listing (disassembly), Decompiler, Defined Strings, Symbol Tree, and Function Graph. Analysis runs auto-identify functions, strings, and imports on import; additional analyzers refine stack frames and calling conventions.
Scripting in Java or Python (Jython) automates labeling, struct recovery, and batch processing. Ghidra 11+ adds native Python via GhidraBridge. The Version Tracking tool diffs two builds (for example successive firmware images) to locate changed functions for patch analysis.
Headless analyzer (analyzeHeadless) runs imports, analysis, and script export in CI or bulk malware triage pipelines.
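The post-script named on this page's headless command line, as an added example that is not part of the page or of Ghidra's distribution: ExportFunctions.py walks the analysed program's functions and writes a JSON triage report that ranks functions by calls into a constructed watch-list of Windows APIs. It assumes the standard Ghidra script globals (currentProgram, monitor, getScriptArgs); SUSPICIOUS_IMPORTS and SAMPLE_ROWS are constructed for illustration.

```python
# ExportFunctions.py: Ghidra post-script for the headless triage run (added example).
# Runs as Jython 2.7 inside Ghidra and as plain Python 3 offline; API list and sample rows are constructed.
from __future__ import print_function
import json

# Constructed watch-list: a hit means "review this function first", not a verdict.
SUSPICIOUS_IMPORTS = frozenset(["VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory",
    "CreateRemoteThread", "InternetOpenA", "URLDownloadToFileA"])

# Constructed sample in the row format collect_functions() emits, for offline runs.
SAMPLE_ROWS = [
    {"name": "FUN_00401000", "entry": "00401000", "size": 120, "is_thunk": False,
     "callees": ["VirtualAlloc", "WriteProcessMemory", "FUN_00401200"]},
    {"name": "FUN_00401200", "entry": "00401200", "size": 40, "is_thunk": False,
     "callees": ["strlen"]},
    {"name": "VirtualAlloc", "entry": "00402000", "size": 6, "is_thunk": True,
     "callees": []},
]

def summarize_functions(rows):
    """Pure-Python half: rank non-thunk functions by suspicious callees."""
    flagged = []
    for fn in rows:
        if fn["is_thunk"]:  # import thunks (VirtualAlloc itself) are not targets
            continue
        hits = sorted(set(fn["callees"]) & SUSPICIOUS_IMPORTS)
        if hits:
            flagged.append({"name": fn["name"], "entry": fn["entry"],
                            "size": fn["size"], "hits": hits})
    flagged.sort(key=lambda r: (-len(r["hits"]), r["entry"]))
    return {"total": len(rows), "flagged": flagged,
            "thunks": sum(1 for fn in rows if fn["is_thunk"])}

def collect_functions(program, task_monitor):
    """Ghidra half: walk the analysed program's FunctionManager."""
    return [{"name": f.getName(), "entry": str(f.getEntryPoint()),
             "size": f.getBody().getNumAddresses(), "is_thunk": f.isThunk(),
             "callees": [c.getName() for c in f.getCalledFunctions(task_monitor)]}
            for f in program.getFunctionManager().getFunctions(True)]

# Ghidra injects currentProgram, monitor and getScriptArgs() into the script
# namespace, so this runs under analyzeHeadless and is inert when imported.
if "currentProgram" in globals():
    args = getScriptArgs()
    out_path = args[0] if args else "functions.json"
    report = summarize_functions(collect_functions(currentProgram, monitor))
    with open(out_path, "w") as fh:
        json.dump(report, fh, indent=2)
    print("wrote {} ({} flagged)".format(out_path, len(report["flagged"])))
```

Invoke it as `analyzeHeadless /projects proj -import malware.exe -postScript ExportFunctions.py out.json`; the first script argument becomes the report path.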
Primary use cases
- Malware unpacking and C2 protocol recovery
- Vulnerability research on closed-source binaries
- Firmware analysis for embedded device assessments
- Patch diffing between vendor updates
- CTF crackmes and algorithm recovery
Key commands
Headless import and analyze
analyzeHeadless /projects proj -import malware.exe -postScript ExportFunctions.py
Launch GUI (Kali)
ghidra &
Notable modules / features
- Decompiler with variable recovery and type propagation
- P-Code intermediate representation for cross-arch analysis
- Debugger integration (GDB, WinDbg via connectors)
- Function ID, data type archives, FLIRT-style signature matching
- BSim: binary similarity search across corpora
Detection / defense notes
- Obfuscation, packers, and anti-debug tricks raise analyst effort but do not prevent analysis
- Symbol stripping and control-flow flattening degrade decompiler output
- Threat intel shares Ghidra projects/labels for known malware families