Skip to main content

Overview

This quickstart guide will walk you through the essential steps of using Ghidra:
  1. Launching Ghidra
  2. Creating a new project
  3. Importing a binary file
  4. Running analysis
  5. Navigating the CodeBrowser interface
This guide assumes you have already installed Ghidra and JDK 21. If not, please refer to the Installation Guide first.

Step 1: Launch Ghidra

1

Open Terminal or Command Prompt

Navigate to your Ghidra installation directory:
cd <GhidraInstallDir>
2

Run the Launch Script

# Linux/macOS
./ghidraRun

# Windows
ghidraRun.bat
The Ghidra Project Manager window will appear after a brief initialization period.

Step 2: Create a New Project

1

Start Project Creation

In the Ghidra Project Manager window:
  • Click File → New Project
  • Or press Ctrl+N (Windows/Linux) or Cmd+N (macOS)
2

Choose Project Type

Select Non-Shared Project and click Next
Non-Shared projects are stored locally on your machine. Shared projects use a Ghidra Server for team collaboration.
3

Configure Project Settings

  • Project Directory: Choose where to store your project files
  • Project Name: Enter a name (e.g., “MyFirstProject”)
  • Click Finish

Step 3: Import a Binary

1

Start Import Process

In the Project Manager window:
  • Click File → Import File
  • Or press I
  • Or drag and drop a file into the project window
2

Select Binary File

Choose an executable file to analyze:
  • Windows: .exe, .dll, .sys
  • Linux: ELF executables
  • macOS: Mach-O executables
  • Or any raw binary file
Click Select File To Import
3

Review Import Summary

Ghidra will automatically detect the file format. Review the import details:
  • Format (PE, ELF, Mach-O, etc.)
  • Language (processor architecture)
  • Compiler (if detected)
Click OK to proceed
4

Import Results

After import completes, click OK on the import results dialogYour binary now appears in the project file listing
# Import a system binary
ls /bin/ls  # Verify file exists
# Then import /bin/ls through Ghidra GUI

Step 4: Open in CodeBrowser and Analyze

1

Open CodeBrowser

Double-click the imported file in the project listingThe Ghidra CodeBrowser tool will open
2

Start Analysis

You’ll be prompted: “Would you like to analyze [filename] now?”
  • Click Yes
  • Or click No to analyze later via Analysis → Auto Analyze
3

Configure Analysis Options

The Analysis Options dialog appears with recommended analyzers pre-selected:Common analyzers include:
  • Decompiler Parameter ID
  • Function Start Search
  • Stack
  • Reference
  • Data Reference
  • Disassemble Entry Points
  • Subroutine References
For your first analysis, the default options are fine. Click Analyze to proceed.
4

Wait for Analysis to Complete

Analysis progress is shown in the bottom-right corner
  • Small binaries: seconds to minutes
  • Large binaries: several minutes to hours
You can work with the binary during analysis, but some features may be limited

Step 5: Navigate the CodeBrowser Interface

The CodeBrowser is divided into several key windows:

Main Windows

Listing Window

Center-left: Shows disassembly with addresses, bytes, mnemonics, and operands
  • Assembly instructions
  • Function boundaries
  • Comments and labels

Decompiler Window

Center-right: Shows decompiled C-like pseudocode
  • High-level code representation
  • Variable names and types
  • Control flow structures

Program Trees

Top-left: Hierarchical view of program structure
  • Memory blocks
  • Imports/Exports
  • Functions

Symbol Tree

Bottom-left: Lists all symbols, functions, and labels
  • Navigate to functions
  • Find global variables
  • View imports/exports
1

Navigate to Entry Point

The entry point is typically displayed automatically after analysisOr navigate manually:
  • Press G (Go To)
  • Enter entry or an address
  • Click OK
2

Follow Code References

Click on a function call or data reference:
  • Double-click to jump to the target
  • Right-click for more options
  • Use Back arrow to return (or Alt+Left)
3

View Function Graph

To see a visual representation of the current function:
  • Press Ctrl+F or click the graph icon
  • Displays control flow as a graph with basic blocks
4

Search for Strings

Find interesting strings in the binary:
  • Go to Search → For Strings
  • Review the strings window
  • Double-click a string to see where it’s referenced

Essential Keyboard Shortcuts

ShortcutAction
GGo to address/symbol
LRename label/function
CClear code
DDisassemble
FCreate function
;Add comment (pre or post)
Ctrl+FShow function graph
Ctrl+Shift+EEdit function signature
XShow cross-references

Basic Analysis Workflow Example

1

Find the Main Function

  1. Look in the Symbol Tree under Functions
  2. Search for main, _main, or WinMain
  3. Double-click to navigate to the function
2

Examine the Decompiler Output

Review the decompiled pseudocode:
  • Understand the function’s logic
  • Identify interesting function calls
  • Note data references
3

Rename Variables and Functions

Make the code more readable:
  • Click on a variable or function name
  • Press L to rename
  • Enter a descriptive name
  • Press Enter
4

Add Comments

Document your findings:
  • Position cursor at an instruction
  • Press ; for pre-comment or Shift+; for post-comment
  • Type your comment
  • Press Enter
5

Follow Interesting Calls

Investigate function calls:
  • Double-click on a function call
  • Analyze the called function
  • Use Back to return
6

Check Cross-References

See where code or data is used:
  • Click on a function or variable
  • Press X to view cross-references
  • Navigate to interesting references
Always save your work! Press Ctrl+S or click File → Save regularly to preserve your analysis, comments, and renamed symbols.

Running Scripts

Ghidra includes powerful scripting capabilities:
1

Open Script Manager

Click Window → Script Manager or press F11
2

Browse Available Scripts

Ghidra includes hundreds of pre-built scripts:
  • Search by name or description
  • Organized by category
3

Run a Script

Select a script and click the green Run buttonScripts can automate tasks like:
  • Finding patterns
  • Applying labels
  • Exporting data
  • Custom analysis

Next Steps

Now that you’ve completed your first analysis, explore more advanced features:
  • Function Comparison: Compare functions across binaries
  • Data Type Manager: Create custom structures and types
  • Debugging: Use the integrated debugger for dynamic analysis
  • BSim: Find similar functions across multiple binaries
  • Custom Scripts: Write your own Python or Java scripts
  • Version Tracking: Track changes between binary versions
For comprehensive documentation, tutorials, and reference materials, check the docs directory in your Ghidra installation or access Help → Topics within Ghidra.

Additional Resources

  • Cheat Sheet: <GhidraInstallDir>/docs/CheatSheet.html
  • Ghidra Class Materials: <GhidraInstallDir>/docs/GhidraClass/
  • API Documentation: <GhidraInstallDir>/docs/GhidraAPI_javadoc.zip
  • Community: GitHub Discussions

Build docs developers (and LLMs) love

Get started for freeTalk to us