Top Related Projects
UNIX-like reverse engineering framework and command-line toolset
A powerful and user-friendly binary analysis platform!
Hex-Rays Decompiler plugin for better code navigation
Triton is a dynamic binary analysis library. Build your own program analysis tools, automate your reverse engineering, perform software verification or just emulate code.
Quick Overview
Ghidra is a software reverse engineering (SRE) framework developed by the National Security Agency (NSA) Research Directorate. It is a powerful tool used for analyzing compiled code, including malware, and is particularly useful for reverse engineering and understanding the behavior of complex software systems.
Pros
- Comprehensive Functionality: Ghidra provides a wide range of features for reverse engineering, including disassembly, decompilation, debugging, and data analysis.
- Cross-Platform Compatibility: Ghidra is designed to work on multiple platforms, including Windows, macOS, and Linux, making it accessible to a diverse user base.
- Open-Source and Free: Ghidra is an open-source project, which means it is freely available for anyone to use, modify, and contribute to.
- Active Community: Ghidra has a growing community of users and contributors, who provide support, share knowledge, and contribute to the project's development.
Cons
- Steep Learning Curve: Ghidra is a complex tool with a wide range of features, which can make it challenging for beginners to get started and become proficient.
- Limited Documentation: While Ghidra has a comprehensive set of features, the documentation can be sparse or outdated in some areas, making it difficult for users to navigate the tool effectively.
- Performance Limitations: Ghidra can be resource-intensive, especially when working with large or complex software projects, which may impact its performance on older or less powerful hardware.
- Potential Security Concerns: Ghidra's loaders and analyzers parse untrusted, often deliberately malicious, input, and the project has published security advisories for some of its own versions (see the Security Warning below). Analyze hostile samples in an isolated environment and keep Ghidra up to date.
Getting Started
To get started with Ghidra, follow these steps:
- Install a 64-bit JDK 21, which Ghidra requires to run.
- Download the latest release archive (named ghidra_<version>_<release>_<date>.zip) from the Releases page of the official GitHub repository: https://github.com/NationalSecurityAgency/ghidra
- Extract the downloaded archive to a directory of your choice.
- Run the launcher, ./ghidraRun (ghidraRun.bat on Windows), found at the top of the extracted ghidra_<version>_<release> directory.
- In the Ghidra project window, choose File -> New Project to create a project or File -> Open Project to open an existing one.
- Follow the on-screen instructions to set up your project and begin analyzing your target software.
Ghidra provides a comprehensive set of features and tools for reverse engineering, including:
- Disassembly: Ghidra can disassemble compiled code, allowing you to view and understand the underlying assembly instructions.
- Decompilation: Ghidra's decompiler lifts machine code into its P-code intermediate representation and renders it as C-like pseudocode. The output approximates the program's logic rather than recovering the original source, and it improves as you supply types and names.
- Debugging: Ghidra includes a built-in debugger that allows you to step through the execution of a program and inspect its state.
- Data Analysis: Ghidra provides tools for recovering data types, structures and memory layout, and for following cross-references between code and data, which is often what explains a program's behavior.
To get started with Ghidra, you can refer to the official documentation and tutorials available on the project's website: https://ghidra-sre.org/
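The scripting API is where these features pay off in practice. The script below is an added example written for this page, not a script shipped with Ghidra: it walks the symbol table for a few classic unsafe C functions, follows the call references back to the calling functions, and prints each call site, which is a typical first pass in a vulnerability review. The script name, the list of unsafe functions and the paths in the headless command are assumptions; the classes and methods it uses are Ghidra's public API.

```java
// FindUnsafeCalls.java - list call sites of a few classic unsafe C functions.
// Added example for this page, not part of the Ghidra distribution.
// Run from the Script Manager, or unattended via the headless analyzer, e.g.
//   support/analyzeHeadless /tmp/proj demo -import target.bin \
//       -scriptPath /path/to/scripts -postScript FindUnsafeCalls.java -deleteProject
import java.util.List;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.ReferenceManager;
import ghidra.program.model.symbol.Symbol;
import ghidra.program.model.symbol.SymbolIterator;

public class FindUnsafeCalls extends GhidraScript {
    // Functions whose callers deserve a look (assumed list; extend as needed)
    private static final List<String> UNSAFE =
        List.of("strcpy", "strcat", "sprintf", "gets", "system");

    @Override
    public void run() throws Exception {
        ReferenceManager refs = currentProgram.getReferenceManager();
        for (String name : UNSAFE) {
            // Every symbol with this name: the external entry and any thunk Ghidra named after it
            SymbolIterator symbols = currentProgram.getSymbolTable().getSymbols(name);
            while (symbols.hasNext()) {
                Symbol sym = symbols.next();
                for (Reference ref : refs.getReferencesTo(sym.getAddress())) {
                    // Only call references; skip data pointers and plain jumps
                    if (!ref.getReferenceType().isCall()) {
                        continue;
                    }
                    Address from = ref.getFromAddress();
                    Function caller = getFunctionContaining(from);
                    // The thunk itself "calls" the external; real callers target the thunk
                    if (caller != null && caller.isThunk()) {
                        continue;
                    }
                    String callerName = caller == null ? "<no function>" : caller.getName();
                    printf("%s calls %s at %s%n", callerName, name, from);
                }
            }
        }
    }
}
```

Because call sites are found through reference types rather than by scanning instruction text, the same script works across the architectures Ghidra supports; what differs per binary format is only where the imported symbol lands, which is why the lookup is by name rather than by a fixed address.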
Competitor Comparisons
UNIX-like reverse engineering framework and command-line toolset
Pros of radare2
- Supports a wide range of architectures and file formats, making it a versatile tool for reverse engineering.
- Provides a powerful, scriptable command-line interface that, once learned, supports fast and highly customizable workflows.
- Offers a modular design, allowing users to extend its functionality with plugins and scripts.
Cons of radare2
- Steeper learning curve compared to Ghidra, which may be a barrier for some users.
- Offers only limited graphical front-ends compared to Ghidra's integrated GUI, which many users prefer for interactive work.
- Fewer built-in features and analysis capabilities compared to Ghidra.
Code Comparison
Ghidra:
public class HelloWorld {
    public static void main(String[] args) {
        System.out.println("Hello, World!");
    }
}
radare2:
[0x00000000]> pd 5
0x00000000 55 push ebp
0x00000001 89e5 mov ebp, esp
0x00000003 83ec18 sub esp, 0x18
0x00000006 c70424000000. mov dword [esp], 0x0
0x0000000d e8fcffffff call sym.imp.puts
A powerful and user-friendly binary analysis platform!
Pros of angr/angr
- angr is a powerful and versatile binary analysis framework that can be used for a wide range of tasks, including symbolic execution, taint analysis, and control flow recovery.
- angr has a modular design, which allows users to easily integrate it into their own tools and workflows.
- angr is actively maintained and has a large and supportive community of users and contributors.
Cons of angr/angr
- angr can have a steep learning curve, especially for users who are new to binary analysis and symbolic execution.
- angr may not be as user-friendly as some other binary analysis tools, such as Ghidra, which have more intuitive graphical user interfaces.
Code Comparison
Here's a brief comparison of how to perform a simple function call analysis in Ghidra and angr:
Ghidra:
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;

public class FunctionInfo extends GhidraScript {
    public void run() throws Exception {
        // getFunctionAt() needs the exact entry point; getFunctionContaining() accepts any address in the body
        Function func = currentProgram.getFunctionManager().getFunctionContaining(currentAddress);
        if (func != null) {
            println("Function name: " + func.getName());
            println("Function entry point: " + func.getEntryPoint());
        }
    }
}
angr:
import angr

# Skip loading shared libraries, then recover functions with a fast CFG:
# the knowledge base has no functions until an analysis populates it
proj = angr.Project('binary.exe', auto_load_libs=False)
proj.analyses.CFGFast()
addr = 0x1234  # example address; must be a recovered function entry
if addr in proj.kb.functions:
    func = proj.kb.functions[addr]
    print(f"Function name: {func.name}")
    print(f"Function entry point: {hex(func.addr)}")
Hex-Rays Decompiler plugin for better code navigation
Pros of HexRaysCodeXplorer
- Provides a user-friendly interface for navigating the Hex-Rays decompiler output inside IDA Pro
- Offers advanced features like variable renaming, function identification, and control flow graph visualization
- Supports a wide range of architectures, including x86, ARM, and MIPS
Cons of HexRaysCodeXplorer
- Requires a licensed version of IDA Pro, which can be expensive for individual users
- May not be as feature-rich or actively maintained as Ghidra
- Limited community support compared to the larger Ghidra ecosystem
Code Comparison
Ghidra:
import ghidra.app.script.GhidraScript;

// Scripts subclass GhidraScript (not GhidraState) and implement run()
public class HelloScript extends GhidraScript {
    @Override
    public void run() throws Exception {
        println("Hello, Ghidra!");
    }
}
HexRaysCodeXplorer:
// HexRaysCodeXplorer is a native C++ IDA plugin; this is the minimal IDA SDK
// (7.x API) plugin skeleton such a plugin is built on
#include <ida.hpp>
#include <idp.hpp>
#include <loader.hpp>
#include <kernwin.hpp>

static plugmod_t *idaapi init() { return PLUGIN_OK; }  // load for every database

static bool idaapi run(size_t) {
    msg("Hello, HexRaysCodeXplorer!\n");                // IDA output window
    return true;
}

plugin_t PLUGIN = {
    IDP_INTERFACE_VERSION, 0, init, nullptr, run,
    "comment", "help", "Hello plugin", ""
};
Triton is a dynamic binary analysis library. Build your own program analysis tools, automate your reverse engineering, perform software verification or just emulate code.
Pros of Triton
- Triton is a dynamic binary analysis framework that can be used for a variety of tasks, including symbolic execution, taint analysis, and constraint solving.
- Triton provides a powerful API that allows users to write custom analysis scripts, making it a flexible and extensible tool.
- Triton is open-source and actively maintained, with a large and engaged community of users and contributors.
Cons of Triton
- Triton is a library for dynamic and symbolic analysis with no interactive disassembler or decompiler of its own, so it is less suited than Ghidra to exploratory reverse engineering of a whole binary.
- Triton's learning curve can be steeper than Ghidra's, as it requires a deeper understanding of symbolic execution and constraint solving.
- Symbolic execution and constraint solving are expensive, so Triton-based analyses slow down sharply on large or complex binaries, where Ghidra's static analysis scales better.
Code Comparison
Here's a brief comparison of the same arithmetic expressed as a Java method on the Ghidra side and as a Triton analysis:
Ghidra:
public int[] myFunction(int a, int b) {
    int c = a + b;
    int d = a - b;
    int e = a * b;
    int f = a / b;   // caller must ensure b != 0
    return new int[] { c, d, e, f };
}
Triton:
from triton import TritonContext, ARCH, Instruction

# Triton works on machine code, not source: symbolize the inputs, emulate the
# instructions that implement the arithmetic, then read back the result expressions
ctx = TritonContext(ARCH.X86_64)
ctx.symbolizeRegister(ctx.registers.rdi, 'a')
ctx.symbolizeRegister(ctx.registers.rsi, 'b')
code = (b"\x48\x89\xf8", b"\x48\x01\xf0",      # mov rax, rdi ; add  rax, rsi  -> c = a + b
        b"\x48\x89\xf9", b"\x48\x29\xf1",      # mov rcx, rdi ; sub  rcx, rsi  -> d = a - b
        b"\x48\x89\xfa", b"\x48\x0f\xaf\xd6")  # mov rdx, rdi ; imul rdx, rsi -> e = a * b
for opcode in code:
    ctx.processing(Instruction(opcode))        # a / b (idiv) omitted: it needs rdx:rax set up
for reg in (ctx.registers.rax, ctx.registers.rcx, ctx.registers.rdx):
    print(ctx.getRegisterAst(reg))             # symbolic expression over a and b
The Ghidra side is ordinary Java, the language Ghidra scripts and extensions are written in (Python is also supported), while Triton is driven from Python and operates on machine instructions rather than source-level variables: the inputs are symbolized registers, the arithmetic is the emulated instruction sequence, and the results are the symbolic expressions left in the destination registers.
README
Ghidra Software Reverse Engineering Framework
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra extension components and/or scripts using Java or Python.
In support of NSA's Cybersecurity mission, Ghidra was built to solve scaling and teaming problems on complex SRE efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for SRE analysts who seek a better understanding of potential vulnerabilities in networks and systems.
If you are a U.S. citizen interested in projects like this, to develop Ghidra and other cybersecurity tools for NSA to help protect our nation and its allies, consider applying for a career with us.
Security Warning
WARNING: There are known security vulnerabilities within certain versions of Ghidra. Before proceeding, please read through Ghidra's Security Advisories for a better understanding of how you might be impacted.
Install
To install an official pre-built multi-platform Ghidra release:
- Install JDK 21 64-bit
- Download a Ghidra release file
  - NOTE: The official multi-platform release file is named ghidra_<version>_<release>_<date>.zip which can be found under the "Assets" drop-down. Downloading either of the files named "Source Code" is not correct for this step.
- Extract the Ghidra release file
- Launch Ghidra: ./ghidraRun (or ghidraRun.bat for Windows)
For additional information and troubleshooting tips about installing and running a Ghidra release, please refer to docs/InstallationGuide.html which can be found in your extracted Ghidra release directory.
Build
To create the latest development build for your platform from this source repository:
Install build tools:
- JDK 21 64-bit
- Gradle 8.5+ (or provided Gradle wrapper if Internet connection is available)
- Python3 (version 3.9 to 3.12) with bundled pip
- make, gcc, and g++ (Linux/macOS-only)
- Microsoft Visual Studio 2017+ or Microsoft C++ Build Tools with the
following components installed (Windows-only):
- MSVC
- Windows SDK
- C++ ATL
Download and extract the source:
unzip ghidra-master
cd ghidra-master
NOTE: Instead of downloading the compressed source, you may instead want to clone the GitHub
repository: git clone https://github.com/NationalSecurityAgency/ghidra.git
Download additional build dependencies into source repository:
NOTE: If an Internet connection is available and you did not install Gradle, the following gradle commands may be replaced with the bundled wrapper, ./gradlew (gradlew.bat on Windows).
gradle -I gradle/support/fetchDependencies.gradle
Create development build:
gradle buildGhidra
The compressed development build will be located at build/dist/.
For more detailed information on building Ghidra, please read the Developer Guide.
For issues building, please check the Known Issues section for possible solutions.
Develop
User Scripts and Extensions
Ghidra installations support users writing custom scripts and extensions via the GhidraDev plugin for Eclipse. The plugin and its corresponding instructions can be found within a Ghidra release at Extensions/Eclipse/GhidraDev/ or at this link.
NOTE: The GhidraDev plugin for Eclipse only supports developing against fully built Ghidra installations which can be downloaded from the Releases page.
Advanced Development
To develop the Ghidra tool itself, it is highly recommended to use Eclipse, which the Ghidra development process has been highly customized for.
Install build and development tools:
- Follow the above build instructions so the build completes without errors
- Install Eclipse IDE for Java Developers
Prepare the development environment:
gradle prepdev eclipse buildNatives
Import Ghidra projects into Eclipse:
- File -> Import...
- General | Existing Projects into Workspace
- Select root directory to be your downloaded or cloned ghidra source repository
- Check Search for nested projects
- Click Finish
When Eclipse finishes building the projects, Ghidra can be launched and debugged with the provided Ghidra Eclipse run configuration.
For more detailed information on developing Ghidra, please read the Developer Guide.
Contribute
If you would like to contribute bug fixes, improvements, and new features back to Ghidra, please take a look at our Contributor Guide to see how you can participate in this open source project.