
NationalSecurityAgency/ghidra

Ghidra is a software reverse engineering (SRE) framework


Top Related Projects

  • radare2: UNIX-like reverse engineering framework and command-line toolset
  • angr: A powerful and user-friendly binary analysis platform!
  • HexRaysCodeXplorer: Hex-Rays Decompiler plugin for better code navigation
  • Triton: Triton is a dynamic binary analysis library. Build your own program analysis tools, automate your reverse engineering, perform software verification or just emulate code.

Quick Overview

Ghidra is a software reverse engineering (SRE) framework developed by the National Security Agency (NSA) Research Directorate. It is a powerful tool used for analyzing compiled code, including malware, and is particularly useful for reverse engineering and understanding the behavior of complex software systems.

Pros

  • Comprehensive Functionality: Ghidra provides a wide range of features for reverse engineering, including disassembly, decompilation, debugging, and data analysis.
  • Cross-Platform Compatibility: Ghidra is designed to work on multiple platforms, including Windows, macOS, and Linux, making it accessible to a diverse user base.
  • Open-Source and Free: Ghidra is an open-source project, which means it is freely available for anyone to use, modify, and contribute to.
  • Active Community: Ghidra has a growing community of users and contributors, who provide support, share knowledge, and contribute to the project's development.

Cons

  • Steep Learning Curve: Ghidra is a complex tool with a wide range of features, which can make it challenging for beginners to get started and become proficient.
  • Limited Documentation: While Ghidra has a comprehensive set of features, the documentation can be sparse or outdated in some areas, making it difficult for users to navigate the tool effectively.
  • Performance Limitations: Ghidra can be resource-intensive, especially when working with large or complex software projects, which may impact its performance on older or less powerful hardware.
  • Potential Security Concerns: As a tool used for reverse engineering, Ghidra may be subject to security concerns, particularly when analyzing potentially malicious code.

Getting Started

To get started with Ghidra, follow these steps:

  1. Download the latest version of Ghidra from the official GitHub repository: https://github.com/NationalSecurityAgency/ghidra
  2. Extract the downloaded archive to a directory of your choice.
  3. Run the Ghidra launcher script (ghidraRun, or ghidraRun.bat on Windows), which can be found in the extracted ghidra_9.x.x directory (where x.x represents the version number).
  4. In the Ghidra launcher, select "New" to create a new project or "Open" to open an existing project.
  5. Follow the on-screen instructions to set up your project and begin analyzing your target software.

Ghidra provides a comprehensive set of features and tools for reverse engineering, including:

  • Disassembly: Ghidra can disassemble compiled code, allowing you to view and understand the underlying assembly instructions.
  • Decompilation: Ghidra's decompiler can convert assembly code back into high-level programming language constructs, making it easier to understand the original source code.
  • Debugging: Ghidra includes a built-in debugger that allows you to step through the execution of a program and inspect its state.
  • Data Analysis: Ghidra provides a range of tools for analyzing the data structures and memory usage of a program, which can be useful for understanding its behavior.

To get started with Ghidra, you can refer to the official documentation and tutorials available on the project's website: https://ghidra-sre.org/

Competitor Comparisons

radare2: UNIX-like reverse engineering framework and command-line toolset

Pros of radare2

  • Supports a wide range of architectures and file formats, making it a versatile tool for reverse engineering.
  • Provides a powerful command-line interface that, once learned, allows for efficient and highly customizable workflows.
  • Offers a modular design, allowing users to extend its functionality with plugins and scripts.

Cons of radare2

  • Steeper learning curve compared to Ghidra, which may be a barrier for some users.
  • Limited graphical user interface (GUI) compared to Ghidra, whose GUI some users prefer.
  • Fewer built-in features and analysis capabilities compared to Ghidra.

Code Comparison

Ghidra:

```java
public class HelloWorld {
    public static void main(String[] args) {
        System.out.println("Hello, World!");
    }
}
```

radare2:

```
[0x00000000]> pd 5
            0x00000000      55             push ebp
            0x00000001      89e5           mov ebp, esp
            0x00000003      83ec18         sub esp, 0x18
            0x00000006      c70424000000.  mov dword [esp], 0x0
            0x0000000d      e8fcffffff     call sym.imp.puts
```

angr: A powerful and user-friendly binary analysis platform!

Pros of angr/angr

  • angr is a powerful and versatile binary analysis framework that can be used for a wide range of tasks, including symbolic execution, taint analysis, and control flow recovery.
  • angr has a modular design, which allows users to easily integrate it into their own tools and workflows.
  • angr is actively maintained and has a large and supportive community of users and contributors.

Cons of angr/angr

  • angr can have a steep learning curve, especially for users who are new to binary analysis and symbolic execution.
  • angr may not be as user-friendly as some other binary analysis tools, such as Ghidra, which have more intuitive graphical user interfaces.

Code Comparison

Here's a brief comparison of how to perform a simple function call analysis in Ghidra and angr:

Ghidra (a fragment for the run() method of a GhidraScript; it needs imports for
ghidra.program.model.address.Address and ghidra.program.model.listing.*):

```java
Address addr = toAddr(0x1234);  // address to inspect; toAddr() comes from FlatProgramAPI
FunctionManager fm = currentProgram.getFunctionManager();
Function func = fm.getFunctionAt(addr);  // null if no function starts exactly here
if (func != null) {
    println("Function name: " + func.getName());
    println("Function entry point: " + func.getEntryPoint());
}
```

angr:

```python
import angr

proj = angr.Project('binary.exe', auto_load_libs=False)
# The knowledge base is empty until an analysis populates it, so recover the
# CFG first; this is what creates the Function objects in proj.kb.functions.
cfg = proj.analyses.CFGFast()
if 0x1234 in proj.kb.functions:  # avoid a KeyError when nothing starts here
    func = proj.kb.functions[0x1234]
    print(f"Function name: {func.name}")
    print(f"Function entry point: {hex(func.addr)}")
```
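As an added example that is not part of the original page or the Ghidra project, here is a complete GhidraScript that applies the same symbol-table and reference API to a reviewer's task: listing every call site of unbounded C string functions so each one can be checked for bounds handling. The class name FindRiskyCalls and the list of audited function names are assumptions; the API calls (getSymbols, getReferencesTo, getFunctionContaining) are Ghidra's own.

```java
// Added example, not from the page or the Ghidra project.
// Run from the Script Manager or via analyzeHeadless with -postScript.
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.Symbol;
import ghidra.program.model.symbol.SymbolIterator;
import ghidra.program.model.symbol.SymbolTable;

public class FindRiskyCalls extends GhidraScript {

    // Functions to audit; this list is an assumption chosen for the example.
    private static final String[] RISKY = { "strcpy", "strcat", "sprintf", "gets" };

    @Override
    public void run() throws Exception {
        SymbolTable symtab = currentProgram.getSymbolTable();
        int total = 0;
        for (String name : RISKY) {
            // A binary may carry several symbols with one name (import entry,
            // thunk, PLT stub), so walk all of them rather than the first hit.
            SymbolIterator syms = symtab.getSymbols(name);
            while (syms.hasNext()) {
                Symbol sym = syms.next();
                for (Reference ref : getReferencesTo(sym.getAddress())) {
                    if (!ref.getReferenceType().isCall()) {
                        continue; // skip data references and pointer loads
                    }
                    Address from = ref.getFromAddress();
                    Function caller = getFunctionContaining(from);
                    String callerName = (caller == null) ? "<no function>" : caller.getName();
                    println(String.format("%s called from %s at %s", name, callerName, from));
                    total++;
                }
            }
        }
        println("Call sites found: " + total);
    }
}
```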

Hex-Rays Decompiler plugin for better code navigation

Pros of HexRaysCodeXplorer

  • Provides a user-friendly interface for analyzing decompiled code from IDA Pro
  • Offers advanced features like variable renaming, function identification, and control flow graph visualization
  • Supports a wide range of architectures, including x86, ARM, and MIPS

Cons of HexRaysCodeXplorer

  • Requires a licensed version of IDA Pro, which can be expensive for individual users
  • May not be as feature-rich or actively maintained as Ghidra
  • Limited community support compared to the larger Ghidra ecosystem

Code Comparison

Ghidra:

```java
import ghidra.app.script.GhidraScript;

// A minimal Ghidra script: the class extends GhidraScript (not GhidraState)
// and overrides run(), which the Script Manager invokes.
public class HelloGhidra extends GhidraScript {
    @Override
    public void run() throws Exception {
        println("Hello, Ghidra!");
    }
}
```

HexRaysCodeXplorer:

```csharp
using System.Windows.Forms;

// Illustrative only: IPlugin is a placeholder interface, not a real plugin API.
public class HexRaysCodeXplorerPlugin : IPlugin
{
    public void Initialize()
    {
        // HexRaysCodeXplorer plugin initialization
        MessageBox.Show("Hello, HexRaysCodeXplorer!");
    }
}
```

Triton: Triton is a dynamic binary analysis library. Build your own program analysis tools, automate your reverse engineering, perform software verification or just emulate code.

Pros of Triton

  • Triton is a dynamic binary analysis framework that can be used for a variety of tasks, including symbolic execution, taint analysis, and constraint solving.
  • Triton provides a powerful API that allows users to write custom analysis scripts, making it a flexible and extensible tool.
  • Triton is open-source and actively maintained, with a large and engaged community of users and contributors.

Cons of Triton

  • Triton is primarily focused on binary analysis and may not be as well-suited for other types of reverse engineering tasks as Ghidra.
  • Triton's learning curve can be steeper than Ghidra's, as it requires a deeper understanding of symbolic execution and constraint solving.
  • Triton's performance may not be as optimized as Ghidra's, especially for large or complex binaries.

Code Comparison

Here's a brief comparison of the code for a simple function in both Ghidra and Triton:

Ghidra:

```java
public void myFunction(int a, int b) {
    int c = a + b;
    int d = a - b;
    int e = a * b;
    int f = a / b;  // integer division; throws ArithmeticException when b == 0
}
```

Triton:

```python
from triton import *  # imported for the comparison; the arithmetic below is plain Python


def myFunction(a, b):
    c = a + b
    d = a - b
    e = a * b
    f = a // b  # integer division to match the Java int semantics; raises ZeroDivisionError when b == 0
    return [c, d, e, f]
```

As you can see, the Ghidra code is written in Java, while the Triton code is written in Python. The overall structure of the function is the same; the Triton version imports the Triton API, through which such operations are performed in a real analysis script.


README

Ghidra Software Reverse Engineering Framework

Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra extension components and/or scripts using Java or Python.

In support of NSA's Cybersecurity mission, Ghidra was built to solve scaling and teaming problems on complex SRE efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for SRE analysts who seek a better understanding of potential vulnerabilities in networks and systems.

If you are a U.S. citizen interested in projects like this, to develop Ghidra and other cybersecurity tools for NSA to help protect our nation and its allies, consider applying for a career with us.

Security Warning

WARNING: There are known security vulnerabilities within certain versions of Ghidra. Before proceeding, please read through Ghidra's Security Advisories for a better understanding of how you might be impacted.

Install

To install an official pre-built multi-platform Ghidra release:

  • Install JDK 21 64-bit
  • Download a Ghidra release file
    • NOTE: The official multi-platform release file is named ghidra_<version>_<release>_<date>.zip which can be found under the "Assets" drop-down. Downloading either of the files named "Source Code" is not correct for this step.
  • Extract the Ghidra release file
  • Launch Ghidra: ./ghidraRun (or ghidraRun.bat for Windows)

For additional information and troubleshooting tips about installing and running a Ghidra release, please refer to the Installation Guide which can be found in a Ghidra release at docs/InstallationGuide.html.

Build

To create the latest development build for your platform from this source repository:

  1. Install build tools.
  2. Download and extract the source (Download from GitHub):

     ```
     unzip ghidra-master
     cd ghidra-master
     ```

     NOTE: Instead of downloading the compressed source, you may instead want to clone the GitHub repository: git clone https://github.com/NationalSecurityAgency/ghidra.git

  3. Download additional build dependencies into the source repository:

     NOTE: If an Internet connection is available and you did not install Gradle, the following gradle commands may be replaced with ./gradle(.bat).

     ```
     gradle -I gradle/support/fetchDependencies.gradle
     ```

  4. Create the development build:

     ```
     gradle buildGhidra
     ```

The compressed development build will be located at build/dist/.

For more detailed information on building Ghidra, please read the Developer Guide.

For issues building, please check the Known Issues section for possible solutions.

Develop

User Scripts and Extensions

Ghidra installations support users writing custom scripts and extensions via the GhidraDev plugin for Eclipse. The plugin and its corresponding instructions can be found within a Ghidra release at Extensions/Eclipse/GhidraDev/ or at this link.

NOTE: The GhidraDev plugin for Eclipse only supports developing against fully built Ghidra installations which can be downloaded from the Releases page.

Advanced Development

To develop the Ghidra tool itself, it is highly recommended to use Eclipse, which the Ghidra development process has been highly customized for.

  1. Install build and development tools.
  2. Prepare the development environment:

     ```
     gradle prepdev eclipse buildNatives
     ```

  3. Import Ghidra projects into Eclipse:
     • File -> Import...
     • General | Existing Projects into Workspace
     • Select root directory to be your downloaded or cloned ghidra source repository
     • Check Search for nested projects
     • Click Finish

When Eclipse finishes building the projects, Ghidra can be launched and debugged with the provided Ghidra Eclipse run configuration.

For more detailed information on developing Ghidra, please read the Developer Guide.

Contribute

If you would like to contribute bug fixes, improvements, and new features back to Ghidra, please take a look at our Contributor Guide to see how you can participate in this open source project.