ghidra
These are commands I use with agents, mostly Claude
npx skills add https://github.com/mitsuhiko/agent-stuff --skill ghidraSKILL.md
Ghidra Headless Analysis Skill
Perform automated reverse engineering using Ghidra's analyzeHeadless tool. Import binaries, run analysis, decompile to C code, and extract useful information.
Quick Reference
| Task | Command |
|---|---|
| Full analysis with all exports | ghidra-analyze.sh -s ExportAll.java -o ./output binary |
| Decompile to C code | ghidra-analyze.sh -s ExportDecompiled.java -o ./output binary |
| List functions | ghidra-analyze.sh -s ExportFunctions.java -o ./output binary |
| Extract strings | ghidra-analyze.sh -s ExportStrings.java -o ./output binary |
| Get call graph | ghidra-analyze.sh -s ExportCalls.java -o ./output binary |
| Export symbols | ghidra-analyze.sh -s ExportSymbols.java -o ./output binary |
| Find Ghidra path | find-ghidra.sh |
Prerequisites
- Ghidra must be installed. On macOS:
brew install --cask ghidra - Java (OpenJDK 17+) must be available
The skill automatically locates Ghidra in common installation paths. Set GHIDRA_HOME environment variable if Ghidra is installed in a non-standard location.
Main Wrapper Script
./scripts/ghidra-analyze.sh [options] <binary>
Wrapper that handles project creation/cleanup and provides a simpler interface to analyzeHeadless.
Options:
-o, --output <dir>- Output directory for results (default: current dir)-s, --script <name>- Post-analysis script to run (can be repeated)-a, --script-args <args>- Arguments for the last specified script--script-path <path>- Additional script search path-p, --processor <id>- Processor/architecture (e.g.,x86:LE:32:default)-c, --cspec <id>- Compiler spec (e.g.,gcc,windows)--no-analysis- Skip auto-analysis (faster, but less info)--timeout <seconds>- Analysis timeout per file--keep-project- Keep the Ghidra project after analysis--project-dir <dir>- Directory for Ghidra project (default: /tmp)--project-name <name>- Project name (default: auto-generated)-v, --verbose- Verbose output
Built-in Export Scripts
ExportAll.java
Comprehensive export - runs all other exports and creates a summary. Best for initial analysis.
Output files:
{name}_summary.txt- Overview: architecture, memory sections, function counts{name}_decompiled.c- All functions decompiled to C{name}_functions.json- Function list with signatures and calls{name}_strings.txt- All strings found{name}_interesting.txt- Functions matching security-relevant patterns
./scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis firmware.bin
ExportDecompiled.java
Decompile all functions to C pseudocode.
Output: {name}_decompiled.c
./scripts/ghidra-analyze.sh -s ExportDecompiled.java -o ./output program.exe
ExportFunctions.java
Export function list as JSON with addresses, signatures, parameters, and call relationships.
Output: {name}_functions.json
{
"program": "example.exe",
"architecture": "x86",
"functions": [
{
"name": "main",
"address": "0x00401000",
"size": 256,
"signature": "int main(int argc, char **argv)",
"returnType": "int",
"callingConvention": "cdecl",
"isExternal": false,
"parameters": [{"name": "argc", "type": "int"}, ...],
"calls": ["printf", "malloc", "process_data"],
"calledBy": ["_start"]
}
]
}
ExportStrings.java
Extract all strings (ASCII, Unicode) with addresses.
Output: {name}_strings.json
./scripts/ghidra-analyze.sh -s ExportStrings.java -o ./output malware.exe
ExportCalls.java
Export function call graph showing caller/callee relationships.
Output: {name}_calls.json
Includes:
- Full call graph
- Potential entry points (functions with no callers)
- Most frequently called functions
ExportSymbols.java
Export all symbols: imports, exports, and internal symbols.
Output: {name}_symbols.json
Common Workflows
Analyze an Unknown Binary
# Create output directory
mkdir -p ./analysis
# Run comprehensive analysis
./scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis unknown_binary
# Review the summary first
cat ./analysis/unknown_binary_summary.txt
# Look at interesting patterns (crypto, network, dangerous functions)
cat ./analysis/unknown_binary_interesting.txt
# Check specific decompiled functions
grep -A 50 "encrypt" ./analysis/unknown_binary_decompiled.c
Analyze Firmware
# Specify ARM architecture for firmware
./scripts/ghidra-analyze.sh \
-p "ARM:LE:32:v7" \
-s ExportAll.java \
-o ./firmware_analysis \
firmware.bin
Quick Function Listing
# Just get function names and addresses (faster)
./scripts/ghidra-analyze.sh --no-analysis -s ExportFunctions.java -o . program
# Parse with jq
cat program_functions.json | jq '.functions[] | "\(.address): \(.name)"'
Find Specific Patt
...
Repository
