What is Ghidra?
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Ghidra was publicly released as open source software in March 2019 at the RSA Conference, making advanced reverse engineering capabilities available to security researchers worldwide.
History and Purpose
In support of NSA’s Cybersecurity mission, Ghidra was built to solve scaling and teaming problems on complex SRE efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for SRE analysts who seek a better understanding of potential vulnerabilities in networks and systems.
Key Capabilities
Ghidra provides comprehensive reverse engineering features:
Disassembly
Support for a wide variety of processor instruction sets including x86, ARM, MIPS, PowerPC, SPARC, and many more
Decompilation
Advanced decompiler that converts assembly code back into readable C-like pseudocode
Graphing
Visual representation of program flow, function call graphs, and data relationships
Scripting
Extensible through custom scripts written in Java or Python
Core Features
Multi-Platform Support
Analyze compiled code across Windows, macOS, and Linux platforms with a consistent interface
Multiple File Formats
Import and analyze various executable formats including PE, ELF, Mach-O, and raw binary files
Advanced Analysis Tools
Ghidra includes hundreds of features for deep program analysis:
- Function Identification: Automatically detect and analyze functions within binaries
- Cross-References: Track data and code references throughout the program
- Data Type Management: Define and apply custom data structures
- Binary Diffing: Compare multiple versions of binaries to identify changes
- Debugger Integration: Dynamic analysis with integrated debugging support
- BSim (Behavioral Similarity): Find structurally similar functions across binary collections
Operating Modes
Ghidra can be run in multiple modes to suit different workflows:
Extensibility and Customization
Users can extend Ghidra’s functionality through:
- Custom Scripts: Automate repetitive tasks and create custom analysis workflows
- Plugins: Add new features and integrate with external tools
- Analyzers: Implement domain-specific analysis capabilities
- Processors: Add support for new instruction sets
- File Loaders: Support additional executable formats
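As an added example that is not part of this page or the Ghidra project, the following Java script combines the Function Identification and Cross-References data described above to report every call site of a small set of function names. The class name is my own, and the entries in AUDIT_TARGETS are constructed sample values; adjust them to whatever your audit needs.

```java
// Added example (not Ghidra's own code); the AUDIT_TARGETS names are constructed.
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionIterator;
import ghidra.program.model.listing.FunctionManager;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.ReferenceIterator;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
public class AuditCallSitesScript extends GhidraScript {
    // Constructed sample list: unbounded C string functions worth a closer look.
    private static final Set<String> AUDIT_TARGETS =
        new HashSet<>(Arrays.asList("strcpy", "sprintf", "gets"));
    @Override
    protected void run() throws Exception {
        FunctionManager fm = currentProgram.getFunctionManager();
        // Imports live in the EXTERNAL space; ELF also gets same-named PLT thunks, so walk both.
        int hits = audit(fm.getExternalFunctions()) + audit(fm.getFunctions(true));
        println("Total call sites to audit: " + hits);
    }
    private int audit(FunctionIterator functions) {
        int hits = 0;
        while (functions.hasNext() && !monitor.isCancelled()) {
            Function callee = functions.next();
            if (!AUDIT_TARGETS.contains(callee.getName())) {
                continue;
            }
            Address entry = callee.getEntryPoint();
            ReferenceIterator refs = currentProgram.getReferenceManager().getReferencesTo(entry);
            while (refs.hasNext()) {
                Reference ref = refs.next();
                if (!ref.getReferenceType().isCall()) {
                    continue; // keep call references only; skip data and pointer references
                }
                Address from = ref.getFromAddress();
                Function caller = getFunctionContaining(from);
                if (caller != null && caller.isThunk()) {
                    continue; // a PLT stub's own jump to the import is not a real call site
                }
                String callerName = (caller == null) ? "<no function>" : caller.getName();
                println(String.format("%s calls %s at %s", callerName, callee.getName(), from));
                hits++;
            }
        }
        return hits;
    }
}
```

Drop the file into a script directory registered in the Script Manager to run it interactively, or pass it to analyzeHeadless with -postScript to run it over a whole project without the GUI.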
Open Source Community
Ghidra is released under the Apache License 2.0, enabling:
- Free use for commercial and non-commercial purposes
- Community contributions and improvements
- Integration with other security tools and workflows
- Academic research and education
If you would like to contribute bug fixes, improvements, and new features back to Ghidra, please take a look at the Contributor’s Guide to see how you can participate in this open source project.
