Skip to main content

Architectural Overview

Ghidra is built as a layered framework with clear separation of concerns. Each layer builds upon the services provided by lower layers, creating a modular and extensible architecture.

Framework Layer

The framework layer provides core infrastructure services that all higher layers depend on.

Project Management Module

Location: Ghidra/Framework/Project/ The Project module manages the lifecycle of projects, tools, and domain files: 
// From ghidra/framework/model/Project.java:26-33
public interface Project extends AutoCloseable, Iterable<DomainFile> {
    String getName();
    ProjectLocator getProjectLocator();
    ProjectManager getProjectManager();
    ToolManager getToolManager();
    ToolServices getToolServices();
    ProjectData getProjectData();
}
Key Components:
  • DefaultProject - Main project implementation
  • ProjectData - File system abstraction for domain files
  • ToolManager - Manages tool instances and configurations
  • DomainObjectAdapter - Base implementation for persistent objects

Database Module

Location: Ghidra/Framework/DB/ Provides a custom file-based database optimized for Ghidra’s needs: 
// Database handle for domain objects
public class DBHandle {
    public Table getTable(String name);
    public Table createTable(String name, Schema schema);
    public void startTransaction();
    public long endTransaction(long transactionID, boolean commit);
    // ... buffer management and versioning
}
Features:
  • Buffer Management - Efficient paging of database content
  • Versioning - Built-in version control with undo/redo
  • Transactions - ACID transaction support
  • Indexing - B-tree indexes for fast lookups
  • Schema Evolution - Handles database schema changes
From ghidra/framework/model/DomainObject.java:472-484

Docking Module

Location: Ghidra/Framework/Docking/ Provides the windowing system for Ghidra’s user interface:
  • ComponentProvider - Base class for dockable windows
  • DockingWindowManager - Manages window layout and persistence
  • ActionContext - Context for executing user actions
  • DockingAction - Represents menu items and toolbar buttons

Generic Module

Location: Ghidra/Framework/Generic/ Common utilities and infrastructure:
  • Application - Application lifecycle management
  • TaskMonitor - Progress monitoring and cancellation
  • ClassSearcher - Dynamic class discovery via ExtensionPoint
  • Options - Configuration and preferences system

Software Modeling Layer

The software modeling layer provides the program model and analysis infrastructure. Location: Ghidra/Framework/SoftwareModeling/

Program Model

The central abstraction for representing executable programs: 
// From ghidra/program/model/listing/Program.java:40-53
public interface Program extends DataTypeManagerDomainObject, ProgramArchitecture {
    Listing getListing();
    Memory getMemory();
    SymbolTable getSymbolTable();
    FunctionManager getFunctionManager();
    ReferenceManager getReferenceManager();
    BookmarkManager getBookmarkManager();
    EquateTable getEquateTable();
    ExternalManager getExternalManager();
    // ... data type and language services
}
Managers and Services:
Manages memory blocks, address spaces, and byte access
public interface Memory extends AddressSetView {
    MemoryBlock createInitializedBlock(String name, Address start, 
                                       long size, byte initialValue);
    AddressSetView getLoadedAndInitializedAddressSet();
    byte getByte(Address addr);
    void setByte(Address addr, byte value);
}
From ghidra/program/model/mem/Memory.java:30-79
Manages symbols, namespaces, and labels
  • Labels and function names
  • Namespace hierarchy
  • Symbol references and scope
  • External symbols
Tracks functions and their properties
  • Function boundaries
  • Parameters and return values
  • Local variables
  • Call relationships
Tracks memory references and cross-references
  • Code and data references
  • Stack references
  • External references
  • Reference types and offsets

Address Model

Addresses in Ghidra are multi-dimensional: 
// From ghidra/program/model/address/Address.java:23-30
public interface Address extends Comparable<Address> {
    AddressSpace getAddressSpace();
    long getOffset();
    Address add(long displacement);
    Address subtract(long displacement);
    long subtract(Address addr);
    // ... address arithmetic
}
Address Spaces: From ghidra/program/model/address/AddressSpace.java:28-46 
public interface AddressSpace extends Comparable<AddressSpace> {
    public static final int TYPE_RAM = 1;
    public static final int TYPE_REGISTER = 4;
    public static final int TYPE_STACK = 5;
    public static final int TYPE_OTHER = 7;
    public static final int TYPE_EXTERNAL = 10;
    
    String getName();
    int getSpaceID();
    int getSize();
    int getAddressableUnitSize();
}
Address spaces allow Ghidra to represent different contexts within a program:
  • RAM - Physical memory
  • REGISTER - Processor registers
  • STACK - Stack-relative addressing
  • OTHER - Non-loaded data (headers, debug info)
  • EXTERNAL - External library references
From ghidra/program/model/address/AddressSpace.java:68-89

Language System

Processor specifications define instruction semantics:
  • SLEIGH - Domain-specific language for instruction encoding
  • Processor Definitions - Located in Ghidra/Processors/
  • P-code - Intermediate representation for analysis
  • Compiler Specifications - Calling conventions and ABI details

Features Layer

The features layer provides user-facing functionality built on the framework.

Base Module

Location: Ghidra/Features/Base/ Core analysis features and the CodeBrowser tool: Analysis Services: 
// From ghidra/app/services/Analyzer.java:27-33
public interface Analyzer extends ExtensionPoint {
    String getName();
    AnalyzerType getAnalysisType();
    boolean getDefaultEnablement(Program program);
    String getDescription();
    AnalysisPriority getPriority();
    boolean canAnalyze(Program program);
    boolean added(Program program, AddressSetView set, 
                  TaskMonitor monitor, MessageLog log);
}
Built-in Analyzers:
  • Disassembly and instruction analysis
  • Function discovery and boundaries
  • Stack analysis and parameter detection
  • Reference discovery
  • Data type propagation
  • Symbol demangling
From ghidra/app/services/Analyzer.java:28-44

Decompiler Module

Location: Ghidra/Features/Decompiler/
  • C++ Native Engine - High-performance decompilation
  • Java Integration - Bridge between native and Java layers
  • High P-code - Simplified intermediate representation
  • Type Recovery - Infer data types from usage

File Formats Module

Location: Ghidra/Features/FileFormats/ Binary format parsers and loaders:
  • PE (Windows executables)
  • ELF (Linux/Unix executables)
  • Mach-O (macOS executables)
  • COFF archives
  • Android formats (DEX, VDEX, ART)

Component Interactions

Here’s how components work together during typical operations:

Opening a Program

1

Load Domain File

ProjectData retrieves the DomainFile from the file system
2

Open Database

DBHandle opens the underlying database file
3

Initialize Program

ProgramDB instantiates managers (Memory, Symbol, Function, etc.)
4

Register Listeners

Tools register for domain object events

Performing Analysis

1

Start Transaction

AutoAnalysisManager begins a transaction
2

Queue Analyzers

Analyzers are queued by priority
3

Execute Analysis

Each analyzer processes address ranges
4

Propagate Events

Changes trigger events to update UI
5

Commit Transaction

Transaction completes, changes are saved
From ghidra/app/plugin/core/analysis/AutoAnalysisManager.java:57-63

Extension Points

Ghidra provides multiple extension mechanisms:

Plugin Extension

@PluginInfo(
    status = PluginStatus.RELEASED,
    packageName = CorePluginPackage.NAME,
    category = PluginCategoryNames.ANALYSIS
)
public class MyPlugin extends Plugin {
    // Extend functionality
}

Analyzer Extension

public class MyAnalyzer extends AbstractAnalyzer {
    @Override
    public boolean added(Program program, AddressSetView set, 
                        TaskMonitor monitor, MessageLog log) {
        // Custom analysis logic
        return true;
    }
}

Loader Extension

Custom file format loaders implement the Loader interface.

Language Extension

New processor support via SLEIGH specifications.

Performance Considerations

Key performance characteristics to understand:
  • Database operations are cached but can still be slow for large programs
  • Address sets use efficient range representations
  • Event notification is buffered to reduce overhead
  • Analyzer priorities determine execution order for optimal performance

Module Dependencies

The dependency hierarchy ensures clean layering: 
Features (Base, Decompiler, etc.)

Framework/SoftwareModeling

Framework/Project

Framework/DB, Docking, Generic

Framework/Utility

Next Steps

Projects

Learn about project organization and version control

Programs

Deep dive into the program model

Analysis

Understand the analysis pipeline

Overview

Return to framework overview

Build docs developers (and LLMs) love

Get started for freeTalk to us