Search Capabilities

Search Overview

Ghidra provides powerful search capabilities to locate code patterns, data values, text strings, and program elements.

The SearchTextPlugin provides comprehensive search functionality for program text, while specialized plugins handle memory, instructions, and other search types.

Search Types

Program Text
Memory
Instructions
Scalars

Search displayed text in listing:

Searches rendered fields
Comments, labels, mnemonics
Regular expression support
Database search or display match

Program Text Search

Basic Text Search

Open Search Dialog

Access text search:

Search > Program Text
Press Ctrl + Shift + E
Implemented by SearchTextPlugin

Enter Search String

Configure search:

Type search text
Choose search fields
Set options (case sensitive, regex)

Execute Search

Run the search:

Click Search All for all matches
Or Next/Previous for incremental
Results appear in table

Search Options

Search Fields
Search Modes
Regular Expressions
Case Sensitivity

Select fields to search:

Instruction Mnemonics: Assembly instructions
Instruction Operands: Instruction arguments
Data Mnemonics: Data type names
Data Operands: Data values
Comments: All comment types
Labels: Symbol names
Functions: Function names

Two search strategies:Database Search:

Fast, searches program database
Limited to database content
Implemented by ProgramDatabaseSearcher

Listing Display Match:

Slower, renders each address
Searches as displayed in listing
Matches exact visual output
May take time on large programs

Pattern matching:

Enable regex option
Full regex syntax support
Example: mov.*eax finds MOV instructions with EAX
Example: str_\w+ finds labels starting with “str_”

Search Scope

Set Search Range

Define where to search:

All Blocks: Entire program
Selection: Current selection only
Current Block: Active memory block
Custom Range: Specify addresses

Memory Block Filter

Choose blocks to search:

Filter by block name
Include/exclude specific regions
Focus on code vs data sections

Use selection-based search to narrow results when you know the approximate location of your target.

Search Results

View Results Table

Results displayed in table:

Uses ProgramDatabaseSearchTableModel
Columns: Location, Preview, Type
Sortable and filterable

Navigate Results

Use the results:

Double-click to jump to location
Select multiple for bulk operations
Export results to file

Highlight Matches

Visual emphasis:

Option to highlight in listing
Search marker icons
Uses SEARCH_MARKER_ICON
Configurable highlight colors

Memory Search

Byte Pattern Search

Open Memory Search

Access memory search:

Search > Memory
Direct byte-level searching

Enter Pattern

Define byte pattern:

Hexadecimal bytes (e.g., 48 8B 45 F8)
Wildcards: ? for nibble, .. for byte
Example: 48 8B ?? ?? matches MOV with any operands

Search Memory

Execute search:

Click Search All
Results show all matches
Navigate to findings

Advanced Memory Search

String Search
Value Search
Regex Memory Search

Find string values:

Enter text string
Specify encoding (ASCII, Unicode)
Automatically converted to bytes
Null terminator optional

Search for numeric values:

Decimal or hexadecimal
Specify size (1, 2, 4, 8 bytes)
Endianness settings
Example: Find all 0xDEADBEEF values

Pattern search in strings:

Use SearchMemoryForStringsRegExScript.java
Regular expressions on memory strings
Find complex string patterns

Memory search is case-sensitive for byte patterns. Use appropriate byte values for ASCII text searches.

Instruction Search

Instruction Pattern Search

Open Instruction Search

Access instruction search:

Implemented by InstructionSearchPlugin
Search > Instruction Patterns
Opens InstructionSearchDialog

Build Pattern

Create instruction pattern:

Add instruction criteria
Specify mnemonics
Define operand constraints
Set sequence requirements

Execute Search

Find matches:

SearchInstructionsTask runs search
Results in table
Preview shows context

Mnemonic Search Scripts

Script-based mnemonic searches:

Mnemonics Only
Mnemonics with Operands
Mnemonics with Constants

SearchMnemonicsNoOpsNoConstScript.java:

Search instruction mnemonics only
No operand matching
Fast basic search

SearchMnemonicsOpsNoConstScript.java:

Match mnemonics and operands
No constant value matching
Structure-based search

SearchMnemonicsOpsConstScript.java:

Match mnemonics, operands, and constants
Precise pattern matching
Most specific search

YARA Integration

YARA rule-based searching:

Use InstructionSearchApi_Yara.java
Define YARA rules
Apply to instruction patterns
Advanced malware analysis

Scalar Search

Finding Scalar Values

Access Scalar Search

Open scalar search:

Search > Scalars
Find immediate values and constants

Enter Value

Specify search value:

Decimal or hexadecimal
Exact value match
Range searches supported

Review Results

Examine matches:

Instructions with immediate values
Data containing values
Potential addresses or constants

Image Base Offsets

Search for relocated addresses:

Use SearchForImageBaseOffsetsScript.java
Finds values that are image base + offset
Identifies potential addresses
Helps with position-independent code

Label and Symbol Search

Finding Labels

Go To Dialog

Quick symbol navigation:

Press G
Type label name
Supports wildcards
Jump to symbol

Symbol Table Search

Advanced symbol search:

Open Symbol Table
Use filter bar
Regular expressions supported
Sort and organize results

Search by Address

Address Navigation

Jump to specific address:

Press G
Enter hexadecimal address
Navigate to location

File Offset Search

Find memory address from file offset:

Use LocateMemoryAddressesForFileOffset.java
Converts file position to memory address
Handles multiple mappings

Specialized Searches

Function Search

Function Window
Function Selection

Search all functions:

Window > Functions
Filter by name, size, location
Sort by various criteria
Export function lists

Select functions by criteria:

Use SelectFunctionsScript.java
Filter by properties
Bulk operations on results

Data Type Search

Search Data Type Manager

Find types:

Open Data Type Manager
Use search field
Filter by name or category

Find Applied Types

Locate type usage:

Right-click type > Find References to
Shows all applications
Uses FindReferencesToDataTypeAction

Equate Search

Find equate usage:

Use ShowEquatesInSelectionScript.java
Displays all equates in range
Helps understand constants

Search Performance

Optimizing Searches

Database vs Display
Narrow Scope
Progressive Search

Choose appropriate mode:

Database: Fast, limited fields
Display: Slow, comprehensive
Use database when possible

For large programs, use database search with selections to significantly improve search speed.

Search Integration

Combining Searches

Multiple Criteria

Layer search results:

Perform first search
Create selection from results
Search within selection
Iteratively narrow results

Cross-Reference Search

Use XREFs in search workflow:

Search for pattern
Find references to results
Build call or data flow graph

Search and Replace

Bulk modifications:

ReplaceInComments.java script
Text replacement in comments
Batch symbol renaming
Careful with irreversible changes

Search Results Management

Working with Results

Export Results

Save search results:

Results table export
CSV or text format
Documentation purposes

Create Selection

Convert to selection:

Select results in table
Create program selection
Apply operations to matches

Apply Actions

Bulk operations:

Comment all matches
Apply data types
Create bookmarks
Set symbol properties

Search results are dynamic - program changes may invalidate results. Re-run searches after modifications.

Advanced Search Techniques

GUI Search Tools

Custom search interfaces:

SearchGuiSingle.java: Single pattern GUI
SearchGuiMulti.java: Multiple pattern search
Custom search dialogs for specific needs

Quick Search

Rapid searching:

Quick searcher in search text plugin
Located in quicksearcher package
Fast incremental search
Real-time results

Create custom search scripts using the InstructionSearchApi for project-specific search patterns that you use frequently.

Get Started

Core Concepts

User Guide

Advanced Features

Scripting & Automation

Extension Development

Processors & Formats

​Search Overview

​Search Types

​Program Text Search

​Basic Text Search

​Search Options

​Search Scope

​Search Results

​Memory Search

​Byte Pattern Search

​Advanced Memory Search

​Instruction Search

​Instruction Pattern Search

​Mnemonic Search Scripts

​YARA Integration

​Scalar Search

​Finding Scalar Values

​Image Base Offsets

​Label and Symbol Search

​Finding Labels

​Search by Address

​Specialized Searches

​Function Search

​Data Type Search

​Equate Search

​Search Performance

​Optimizing Searches

​Search Integration

​Combining Searches

​Search and Replace

​Search Results Management

​Working with Results

​Advanced Search Techniques

​GUI Search Tools

​Quick Search

Build docs developers (and LLMs) love

Search Overview

Search Types

Program Text Search

Basic Text Search

Search Options

Search Scope

Search Results

Memory Search

Byte Pattern Search

Advanced Memory Search

Instruction Search

Instruction Pattern Search

Mnemonic Search Scripts

YARA Integration

Scalar Search

Finding Scalar Values

Image Base Offsets

Label and Symbol Search

Finding Labels

Search by Address

Specialized Searches

Function Search

Data Type Search

Equate Search

Search Performance

Optimizing Searches

Search Integration

Combining Searches

Search and Replace

Search Results Management

Working with Results

Advanced Search Techniques

GUI Search Tools

Quick Search