Ghidra reverse engineering tools for Claude Code
npx claudepluginhub und3rf10w/ai-ghidra-toolsGhidra reverse engineering integration for Claude Code - analyze binaries, decompile functions, find strings, and trace cross-references
Und3rf10wA comprehensive reverse engineering integration that brings Ghidra's powerful binary analysis capabilities directly into Claude Code through the Model Context Protocol (MCP).
This plugin enables Claude to analyze executables, decompile functions, search for patterns, trace cross-references, and even emulate code—all through natural language conversations. It bridges Ghidra's headless analyzer with Claude Code, making reverse engineering tasks more accessible and efficient.
Download and extract Ghidra from the official releases.
# Example: Extract to ~/ghidra
unzip ghidra_12.0.2_PUBLIC.zip -d ~/
# Add to your shell profile (~/.bashrc, ~/.zshrc, etc.)
export GHIDRA_INSTALL=~/ghidra_12.0.2_PUBLIC
Clone or copy the plugin to your Claude Code plugins directory:
# Clone the repository
git clone https://github.com/your-org/ghidra-claude-plugin.git
# Or copy to plugins directory
cp -r ghidra ~/.claude/plugins/
cd ~/.claude/plugins/ghidra
python3 -m venv .venv
source .venv/bin/activate
pip install mcp httpx
claude -p "analyze /bin/ls and list its functions"
| Variable | Description | Default |
|---|---|---|
GHIDRA_INSTALL | Path to Ghidra installation | ~/ghidra_*_PUBLIC |
GHIDRA_WORKSPACE | Directory for Ghidra projects | ~/.claude/ghidra-workspace |
The plugin's .mcp.json configures the MCP server:
{
"mcpServers": {
"ghidra-mcp": {
"command": "python3",
"args": ["${CLAUDE_PLUGIN_ROOT}/servers/ghidra-mcp/server.py"],
"env": {
"GHIDRA_INSTALL": "${GHIDRA_INSTALL}",
"GHIDRA_WORKSPACE": "${HOME}/.claude/ghidra-workspace"
}
}
}
}
| Tool | Description |
|---|---|
analyze_binary | Import and analyze a binary file. Returns metadata including architecture, entry point, and function count. Must be called first. |
list_functions | List functions with pagination and filtering. Returns names, addresses, sizes, and signatures. |
get_symbols | Get imported and exported symbols. Shows external dependencies and exports. |
list_classes | List C++/Objective-C classes, vtables, and methods. |
| Tool | Description |
|---|---|
decompile_function | Decompile a function to C pseudocode. Returns code, signature, and local variables. |
get_disassembly | Get raw assembly for a function or address range. Includes bytes, mnemonics, and operands. |
get_basic_blocks | Get control flow graph with basic blocks, edges, and instructions. |
| Tool | Description |
|---|---|
search_strings | Find strings in the binary with minimum length and pattern filtering. |
search_bytes | Search for byte patterns with wildcard support (e.g., 48 ?? 05). |
get_xrefs | Get cross-references to/from an address. Trace callers, callees, and data refs. |
get_call_graph | Get caller/callee tree for understanding function relationships. |
| Tool | Description |
|---|---|
get_memory_map | Get memory sections with permissions and addresses. |
get_data_at_address | Read and interpret data at an address (bytes, integers, pointers, strings). |
| Tool | Description |
|---|---|
rename_symbol | Rename a function or symbol. Changes persist in the Ghidra project. |
add_comment | Add comments at addresses (EOL, pre, post, plate, repeatable). |
set_function_signature | Update function return type and parameters. |
patch_bytes | Modify bytes at an address for patching or experimentation. |
| Tool | Description |
|---|---|
emulate_function | Execute code using Ghidra's P-code emulator with custom register/memory inputs. |