For the version using a Claude-inspired Orchestrator, see https://github.com/llnl/OGhidra/tree/orchestrator
OGhidra bridges Large Language Models with Ghidra's reverse engineering platform, enabling AI-driven binary analysis through natural language. Analyze binaries conversationally, automate complex workflows, and maintain complete privacy with local AI models.
YouTube Setup Tutorial
OGhidra enhances Ghidra with AI capabilities, allowing you to:
- Natural Language Analysis - Ask questions about functions, strings, imports in plain English
- Automated Workflows - Rename functions, detect patterns, generate comprehensive reports
- Local AI Models - Complete privacy with models running on your hardware (Ollama)
- Cloud AI Support - Connect to external APIs (OpenAI, Google Gemini, Anthropic Claude)
- Malware Detection - Automatic pattern matching for 12+ evasion and injection techniques
- Smart Enumeration - Build queryable knowledge graphs from binary analysis
- Multi-Instance Analysis - Run multiple Ghidra instances for parallel analysis
```mermaid
graph TD
    A[User Query] --> B[Planning Phase]
    B --> C{Execution Phase}
    C -- Tool Calls --> D[Ghidra/LLM]
    D --> C
    C --> E[Review Phase]
    E -- Agentic Loop --> B
    E --> F[Final Response]
    style E fill:#f9f,stroke:#333,stroke-width:2px
    style B fill:#bbf,stroke:#333,stroke-width:2px
```
Agentic Loop: OGhidra uses an adaptive planning system. After each execution cycle, results are reviewed and the AI can choose to gather more information or refine its analysis before providing the final response.
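The loop described above is easiest to reason about when its two caps are visible in code. The following is an added illustration, not code from OGhidra: the planner, executor and reviewer are plain callables standing in for the LLM and Ghidra, and the two caps mirror the `MAX_EXECUTION_STEPS` and `MAX_AGENTIC_CYCLES` settings from the configuration section (their exact semantics in OGhidra are assumed here to be tool calls per cycle and cycles per query). The trace it returns records why the loop stopped, which is what you want when auditing how much autonomous tool use a single query can trigger.

```python
"""Bounded plan -> execute -> review driver (added example, not OGhidra's code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Sequence, Tuple

Planner = Callable[[str, Sequence[str]], List[str]]
Executor = Callable[[str], str]
Reviewer = Callable[[str, Sequence[str]], Tuple[str, str]]


@dataclass
class LoopTrace:
    """What the loop did, so the caps can be audited after the fact."""
    cycles: int = 0
    tool_calls: List[str] = field(default_factory=list)
    stop_reason: str = ""
    answer: str = ""


def run_agentic_loop(query: str, planner: Planner, executor: Executor, reviewer: Reviewer,
                     max_execution_steps: int = 5, max_agentic_cycles: int = 3) -> LoopTrace:
    """Plan, run at most max_execution_steps tool calls, review; repeat up to max_agentic_cycles."""
    trace = LoopTrace()
    context: List[str] = []   # observations gathered so far, fed back to planner and reviewer
    answer = ""
    while trace.cycles < max_agentic_cycles:
        trace.cycles += 1
        plan = planner(query, context)
        for call in plan[:max_execution_steps]:   # hard cap: extra planned calls are dropped, not queued
            context.append(executor(call))
            trace.tool_calls.append(call)
        decision, answer = reviewer(query, context)
        if decision == "final":
            trace.stop_reason = "reviewer_final"
            trace.answer = answer
            return trace
    trace.stop_reason = "max_cycles"   # reviewer kept asking for more; return the best-effort answer
    trace.answer = answer
    return trace


# --- constructed stand-ins for the three phases (not real LLM or Ghidra calls) ---

def demo_planner(query: str, context: Sequence[str]) -> List[str]:
    # Always proposes seven lookups, deliberately more than the default step cap of five.
    return [f"lookup_{len(context) + i}" for i in range(7)]


def demo_executor(call: str) -> str:
    return f"observation from {call}"


def make_reviewer(observations_needed: int) -> Reviewer:
    # Declares the answer final once enough observations have been collected.
    def reviewer(query: str, context: Sequence[str]) -> Tuple[str, str]:
        if len(context) >= observations_needed:
            return "final", f"{query}: answered from {len(context)} observations"
        return "replan", f"{query}: need more evidence"
    return reviewer


if __name__ == "__main__":
    satisfied = run_agentic_loop("summarize the selected function", demo_planner, demo_executor, make_reviewer(10))
    print(satisfied.cycles, len(satisfied.tool_calls), satisfied.stop_reason)
    capped = run_agentic_loop("summarize the selected function", demo_planner, demo_executor, make_reviewer(1000))
    print(capped.cycles, len(capped.tool_calls), capped.stop_reason)
```

With the defaults, a reviewer satisfied after ten observations finishes in two cycles (five tool calls each), while a reviewer that never declares the answer final is cut off after three cycles and fifteen tool calls. The `stop_reason` field distinguishes the two, so a capped run is never mistaken for a completed one.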
- Python 3.12+ - Check version: `python --version`
- Ghidra 12.0.3 (Recommended) - Download from Ghidra Releases
  - Minimum supported: Ghidra 11.0.3+
  - Tested with: Ghidra 11.0.3, 11.3.2, 12.0.2, 12.0.3
- Java 17+ - Required for Ghidra: `java -version`
- Ollama (for local models) - Install from ollama.com
```bash
# Clone repository
git clone https://github.com/LLNL/OGhidra.git
cd OGhidra

# Install dependencies (choose one)
uv sync                          # Using UV (recommended)
pip install -r requirements.txt  # Using pip

# Configure environment
cp .env.example .env
# Edit .env with your settings
```

The OGhidraMCP plugin supports both Ghidra 11.3.2+ and Ghidra 12.0.3 (recommended). There's also a YouTube video tutorial: https://www.youtube.com/watch?v=hBD92FUgR0Y
As a developer, you'll need to build the GhidraMCP extension before installing it in Ghidra:

- Prerequisites:
  - Ghidra 12.0.3 (or compatible version) installed
  - Gradle (run `gradle -v` to verify it's installed)
  - Java 21 (required for Ghidra 12.0.3)

- Option 1: Using the automated build scripts:
  - Windows:

    ```bat
    REM Set the path to your Ghidra installation (will attempt to find last run copy of Ghidra if not set)
    set GHIDRA_INSTALL_DIR=C:\path\to\ghidra_12.0_PUBLIC
    REM Run the build script
    build_ghidra_plugin.bat
    ```

  - Unix/Linux/Mac:

    ```bash
    # Set the path to your Ghidra installation (will attempt to find last run copy of Ghidra if not set)
    export GHIDRA_INSTALL_DIR=/path/to/ghidra_12.0_PUBLIC
    # Run the build script (make it executable first if needed)
    chmod +x build_ghidra_plugin.sh
    ./build_ghidra_plugin.sh
    ```

- Option 2: Manual build process:
  - Create/update `OGhidraMCP/gradle.properties` with:

    ```properties
    GHIDRA_INSTALL_DIR=C:/path/to/ghidra_12.0_PUBLIC
    ```

  - Navigate to the OGhidraMCP directory and run the build:

    ```bash
    cd OGhidraMCP
    gradle buildExtension
    ```

  - Locate the built extension:
    - The extension zip file is created in `OGhidraMCP/dist/`
    - The filename will be something like `ghidra_12.0_PUBLIC_YYYYMMDD_OGhidraMCP.zip`
Once you've successfully built the extension:

- Install in Ghidra:
  - Open Ghidra -> File -> Install Extensions
  - Click Add Extension (green plus icon)
  - Browse to your `OGhidraMCP/dist/` directory
  - Select the newly built extension zip file (e.g., `ghidra_12.0_PUBLIC_YYYYMMDD_OGhidraMCP.zip`)
  - Restart Ghidra

- Enable the plugin:
  - Open a Ghidra project
  - File → Configure → Enable Developer
  - Check the box to enable
  - The server will start on `http://localhost:8080/methods`

YOU NEED TO HAVE THE CODEBROWSER OPEN.

Note: The plugin is compatible with Ghidra 11.0.3+ and optimized for Ghidra 12.0.3.
```bash
# For Ollama (local models)
ollama pull gemma3:27b             # Good balance (20GB RAM)
ollama pull nomic-embed-text       # Embedding model for RAG

# Alternative models
ollama pull gpt-oss:120b           # High quality (80GB RAM)
ollama pull devstral-2:123b        # High quality (80GB RAM)
ollama pull devstral-2:123b-cloud  # Cloud Model
```

```bash
# GUI Mode (recommended)
uv run main.py --ui

# Interactive CLI
uv run main.py --interactive

# Test connection
health
```

Edit .env to configure your AI provider:
Ollama (local models):

```ini
LLM_PROVIDER=ollama
OLLAMA_BASE_URL=http://localhost:11434/
OLLAMA_MODEL=gemma3:27b
OLLAMA_EMBEDDING_MODEL=nomic-embed-text
```

External API provider:

```ini
LLM_PROVIDER=external
EXTERNAL_PROVIDER=google
EXTERNAL_API_KEY=your-api-key-here
EXTERNAL_MODEL=gemini-3.1-flash-lite-preview
EXTERNAL_EMBEDDING_MODEL=gemini-embedding-001
```

Custom API endpoint:

```ini
LLM_PROVIDER=custom_api
CUSTOM_API_URL=https://api.example.com/v1/chat/completions
CUSTOM_API_KEY=your-api-key-here
CUSTOM_API_MODEL=your-model-name
CUSTOM_API_EMBEDDING_MODEL=your-embedding-model
```

Adjust based on your model's context window:

```ini
# Context budget in tokens (adjust to your model's limit)
CONTEXT_BUDGET=100000        # 100K tokens for mid-size models
                             # 200K+ for frontier models

# Execution settings
MAX_EXECUTION_STEPS=5        # Steps per planning cycle
MAX_AGENTIC_CYCLES=3         # How many plan-execute-review loops
AGENTIC_LOOP_ENABLED=true    # Enable adaptive replanning
```

One-click access to common reverse engineering tasks:
| Tool | Description |
|---|---|
| Analyze Current Function | Deep dive into selected function's behavior |
| Rename Current Function | AI suggests meaningful names based on analysis |
| Rename All Functions | Bulk rename with Smart/Full/Rename-Only options |
| Analyze Imports | Identify libraries and external dependencies |
| Analyze Strings | Find URLs, credentials, configuration data |
| Generate Report | Comprehensive security assessment |
Set specialized analysis goals:
```bash
# In GUI: Use "Task Mode" dropdown
# In CLI: set task_mode <mode>
task_mode malware   # Malware analysis with pattern detection
task_mode vuln      # Vulnerability research focus
task_mode general   # General reverse engineering
```

Automatic detection of 12+ malware patterns:
- Evasion: PEB Walking, Dynamic API Resolution, Anti-Debug, Anti-VM
- Injection: Process Injection (Local/Remote)
- Persistence: Registry, File System Hooks
- Obfuscation: String Encoding, API Hashing
- Privilege Escalation: Token manipulation, UAC bypass
Patterns trigger automatic alerts in the AI's context with MITRE ATT&CK mappings.
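To make concrete what "pattern matching" over a binary's imports and strings looks like, here is an added example written for this page; it is not OGhidra's detector, and the indicator lists, hit thresholds and technique ids are my own choices (the ids are the standard ATT&CK technique ids for these behaviours, not a mapping taken from the project). The input is a constructed import list and string list of the kind Ghidra's symbol table and string search produce. The `min_hits` threshold is the part worth copying: a single `LoadLibraryA` or `OpenProcess` appears in plenty of benign software, so an alert fires only when several indicators of one technique co-occur.

```python
"""Import/string pattern matcher with ATT&CK technique tags (added example, not OGhidra's code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence


@dataclass(frozen=True)
class Pattern:
    name: str
    category: str
    attack_id: str                            # ATT&CK technique id (standard id, assumed mapping)
    imports: FrozenSet[str] = frozenset()     # API names counted as indicators
    strings: FrozenSet[str] = frozenset()     # lower-case substrings counted as indicators
    min_hits: int = 2                         # one API alone is common in benign code


PATTERNS: List[Pattern] = [
    Pattern("Dynamic API Resolution", "Evasion", "T1027.007",
            frozenset({"LoadLibraryA", "LoadLibraryW", "GetProcAddress", "GetModuleHandleA"}), min_hits=2),
    Pattern("Anti-Debug", "Evasion", "T1622",
            frozenset({"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}), min_hits=1),
    Pattern("Anti-VM", "Evasion", "T1497",
            strings=frozenset({"vmware", "vbox", "virtualbox", "qemu"}), min_hits=1),
    Pattern("Process Injection", "Injection", "T1055",
            frozenset({"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}), min_hits=3),
    Pattern("Registry Persistence", "Persistence", "T1547.001",
            frozenset({"RegOpenKeyExA", "RegSetValueExA", "RegCreateKeyExA"}),
            frozenset({"currentversion\\run"}), min_hits=2),
    Pattern("Token Manipulation", "Privilege Escalation", "T1134",
            frozenset({"OpenProcessToken", "AdjustTokenPrivileges", "DuplicateTokenEx", "ImpersonateLoggedOnUser"}),
            min_hits=2),
]


def detect_patterns(imports: Sequence[str], strings: Sequence[str]) -> List[Dict[str, object]]:
    """Return one alert per pattern whose evidence count reaches its threshold."""
    import_set = set(imports)
    lowered = [s.lower() for s in strings]
    alerts: List[Dict[str, object]] = []
    for p in PATTERNS:
        evidence = sorted(import_set & p.imports)
        evidence += [needle for needle in sorted(p.strings) if any(needle in s for s in lowered)]
        if len(evidence) >= p.min_hits:
            alerts.append({"pattern": p.name, "category": p.category,
                           "attack": p.attack_id, "evidence": evidence})
    return alerts


def alert_names(imports: Sequence[str], strings: Sequence[str]) -> List[str]:
    return [str(a["pattern"]) for a in detect_patterns(imports, strings)]


# Constructed sample input: what an import table and string dump of a suspicious sample might contain.
SUSPICIOUS_IMPORTS = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                      "IsDebuggerPresent", "LoadLibraryA", "GetProcAddress", "RegSetValueExA", "CreateFileA"]
SUSPICIOUS_STRINGS = ["Software\\Microsoft\\Windows\\CurrentVersion\\Run", "kernel32.dll"]

# Constructed benign-looking input: one dynamic-loading API on its own should not raise an alert.
BENIGN_IMPORTS = ["LoadLibraryA", "CreateFileA", "ReadFile", "WriteFile"]

if __name__ == "__main__":
    for alert in detect_patterns(SUSPICIOUS_IMPORTS, SUSPICIOUS_STRINGS):
        print(f"[{alert['category']}] {alert['pattern']} ({alert['attack']}): {alert['evidence']}")
    print("benign alerts:", alert_names(BENIGN_IMPORTS, []))
```

Run against the constructed sample, four of the six patterns fire (dynamic API resolution, anti-debug, process injection, registry persistence) with the matching evidence listed per alert; the benign import set produces none, because its lone `LoadLibraryA` stays below the threshold.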
Build rich, queryable knowledge from binary analysis:
Enumerate all functions with AI summaries. Choose from:
- Rename Only: Only process generic function names
- Smart Enumeration: Focus on security-relevant functions
- Full Enumeration: Analyze every function in the binary
Features:
- Structured metadata extraction (LOC, complexity, operations)
- Semantic search optimization
- Intent-based context assembly
- Multi-vector support for precise retrieval
Save and restore analysis sessions:
- Save progress: File → Save Session
- Load previous work: File → Load Session
- Auto-save after bulk operations

Sessions include:
- Analyzed functions with summaries
- RAG vectors for semantic search
- Performance statistics
- UI state

Example workflow:
- Load binary in Ghidra and open in CodeBrowser
- Enable OGhidraMCP plugin (File → Configure)
- Launch OGhidra: `uv run main.py --ui`
- Set task mode: Select "malware" from dropdown
- Run Smart Enumeration: Click "Rename All Functions" → "Smart Enumeration"
- Ask questions: "What are the high-risk functions?" or "Show me network communication"
Generate a report (in GUI: click the "Generate Report" button). The report includes:
- Executive Summary
- Function Inventory (renamed functions with behavior)
- Security Analysis (high-risk functions, patterns)
- Import Analysis
- String Analysis
- Recommendations

Analyze a single function:
- Navigate to function in Ghidra
- Click "Analyze Current Function"
- Ask follow-up questions:
  - "What does this function do?"
  - "Is this vulnerable to buffer overflow?"
  - "What other functions call this?"
OGhidra uses vector embeddings for semantic search over analyzed functions:
```ini
# Enable in .env
RESULT_CACHE_ENABLED=true
TIERED_CONTEXT_ENABLED=true
```

Benefits:
- Remember previous analysis across sessions
- Find similar functions semantically
- Reduce redundant LLM calls
Tiered context compression keeps relevant information:

```ini
CURRENT_LOOP_MAX_CHARS=2000  # Recent: full detail
PREV_LOOP_MAX_CHARS=400      # Previous: summaries
OLDER_LOOP_MAX_CHARS=100     # Older: references only
```

Track all AI interactions for debugging:

```ini
LLM_LOGGING_ENABLED=true
LLM_LOG_FILE=logs/llm_interactions.log
LLM_LOG_FORMAT=json
```

Plugin not responding:

```bash
# Verify plugin is loaded
# Open up the CodeBrowser!
# Check server is running
curl http://localhost:8080/methods
```

Ollama not responding:

```bash
# Verify Ollama is running
ollama list
# Check connectivity
curl http://localhost:11434/api/tags
# Restart Ollama service
ollama serve
```

Context too large for the model:

```ini
# Reduce context budget
CONTEXT_BUDGET=50000
# Enable compaction
COMPACTION_ENABLED=true
COMPACTION_THRESHOLD=0.75
```

Slow or resource-heavy analysis:
- Use smaller models: Switch to `gemma3:9b`
- Reduce parallel workers: Set `max_workers=2` in bulk operations
- Disable vector embeddings: `RESULT_CACHE_ENABLED=false`
- Increase request delay: `CUSTOM_API_REQUEST_DELAY=2.0`
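Most of the troubleshooting above comes down to a `.env` value that is missing, mistyped or left at its placeholder, so a preflight check that reads the file before launching is worth having. The script below is an added example, not part of OGhidra: it parses `KEY=VALUE` lines the way the README writes them (trailing `# comments` allowed) and applies rules that are my assumptions drawn from the configuration section, namely which keys each `LLM_PROVIDER` needs, that `EXTERNAL_API_KEY` / `CUSTOM_API_KEY` are not still `your-api-key-here`, that the numeric knobs (`CONTEXT_BUDGET`, `MAX_EXECUTION_STEPS`, `MAX_AGENTIC_CYCLES`, `COMPACTION_THRESHOLD`) are in a sane range, that the boolean flags are literally `true`/`false`, and that the tiered context budgets shrink from current to older loops. It also flags an `OLLAMA_BASE_URL` that is not a local endpoint, since the privacy benefit of local models only holds when the model really is local. The sample `.env` contents are constructed.

```python
"""Preflight validation of an OGhidra-style .env file (added example, not the project's code)."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Assumed requirements per provider, taken from the README's three configuration blocks.
REQUIRED_BY_PROVIDER = {
    "ollama": ("OLLAMA_BASE_URL", "OLLAMA_MODEL"),
    "external": ("EXTERNAL_PROVIDER", "EXTERNAL_API_KEY", "EXTERNAL_MODEL"),
    "custom_api": ("CUSTOM_API_URL", "CUSTOM_API_KEY", "CUSTOM_API_MODEL"),
}
PLACEHOLDERS = {"", "your-api-key-here", "your-model-name", "your-embedding-model"}
BOOL_KEYS = ("AGENTIC_LOOP_ENABLED", "RESULT_CACHE_ENABLED", "TIERED_CONTEXT_ENABLED",
             "LLM_LOGGING_ENABLED", "COMPACTION_ENABLED")
TIER_KEYS = ("CURRENT_LOOP_MAX_CHARS", "PREV_LOOP_MAX_CHARS", "OLDER_LOOP_MAX_CHARS")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_env(text: str) -> Dict[str, str]:
    """Minimal dotenv parser: skips blank/comment lines, strips trailing comments and quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        line = re.split(r"\s+#", line, maxsplit=1)[0]   # "KEY=val  # note" -> "KEY=val"
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("\"'")
    return env


def _int_at_least(env: Dict[str, str], key: str, minimum: int, problems: List[str]) -> None:
    if key not in env:
        return
    try:
        if int(env[key]) < minimum:
            problems.append(f"{key} should be at least {minimum}")
    except ValueError:
        problems.append(f"{key} is not an integer: {env[key]!r}")


def validate_env(env: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the file passed every check."""
    problems: List[str] = []
    provider = env.get("LLM_PROVIDER", "")
    if provider not in REQUIRED_BY_PROVIDER:
        problems.append(f"LLM_PROVIDER must be one of {sorted(REQUIRED_BY_PROVIDER)}, got {provider!r}")
    else:
        for key in REQUIRED_BY_PROVIDER[provider]:
            if env.get(key, "") in PLACEHOLDERS:
                problems.append(f"{key} is missing or still set to a placeholder")
    # Local models are only private if Ollama is actually reached on this machine.
    base = env.get("OLLAMA_BASE_URL", "")
    if provider == "ollama" and base and urlparse(base).hostname not in LOCAL_HOSTS:
        problems.append(f"OLLAMA_BASE_URL is not a local endpoint: {base}")
    _int_at_least(env, "CONTEXT_BUDGET", 1000, problems)
    _int_at_least(env, "MAX_EXECUTION_STEPS", 1, problems)
    _int_at_least(env, "MAX_AGENTIC_CYCLES", 1, problems)
    if "COMPACTION_THRESHOLD" in env:
        try:
            if not 0.0 < float(env["COMPACTION_THRESHOLD"]) <= 1.0:
                problems.append("COMPACTION_THRESHOLD should be a fraction in (0, 1]")
        except ValueError:
            problems.append("COMPACTION_THRESHOLD is not a number")
    for key in BOOL_KEYS:
        if key in env and env[key].lower() not in ("true", "false"):
            problems.append(f"{key} should be true or false, got {env[key]!r}")
    if all(k in env for k in TIER_KEYS):
        try:
            current, prev, older = (int(env[k]) for k in TIER_KEYS)
            if not current > prev > older > 0:
                problems.append("tiered context budgets should shrink: CURRENT > PREV > OLDER > 0")
        except ValueError:
            problems.append("tiered context budgets must be integers")
    return problems


# Constructed sample: the README's Ollama block plus execution and tier settings, all valid.
GOOD_ENV = """\
LLM_PROVIDER=ollama
OLLAMA_BASE_URL=http://localhost:11434/
OLLAMA_MODEL=gemma3:27b
OLLAMA_EMBEDDING_MODEL=nomic-embed-text
CONTEXT_BUDGET=100000  # 100K tokens for mid-size models
MAX_EXECUTION_STEPS=5
MAX_AGENTIC_CYCLES=3
AGENTIC_LOOP_ENABLED=true
CURRENT_LOOP_MAX_CHARS=2000
PREV_LOOP_MAX_CHARS=400
OLDER_LOOP_MAX_CHARS=100
"""

# Constructed sample with four mistakes: placeholder key, bad threshold, bad boolean, inverted tiers.
BAD_ENV = """\
LLM_PROVIDER=external
EXTERNAL_PROVIDER=google
EXTERNAL_API_KEY=your-api-key-here
EXTERNAL_MODEL=gemini-3.1-flash-lite-preview
COMPACTION_ENABLED=yes
COMPACTION_THRESHOLD=1.5
CURRENT_LOOP_MAX_CHARS=100
PREV_LOOP_MAX_CHARS=400
OLDER_LOOP_MAX_CHARS=2000
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_ENV), ("bad", BAD_ENV)):
        print(label, validate_env(parse_env(text)) or "OK")
```

Pointing `parse_env` at your real file (`open(".env").read()`) instead of the constructed strings turns this into a one-line preflight before `uv run main.py --ui`; an empty problem list means the provider block is complete and the tuning values are in range.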
```text
┌─────────────────────────────────────────────────────────────┐
│ OGhidra UI │
│ (GUI / Interactive CLI) │
└────────────────────────┬────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Bridge (src/bridge.py) │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ • Agentic Loop: Plan → Execute → Review → Replan │ │
│ │ • Tool Router: Ghidra client, LLM client, CAG manager │ │
│ │ • Context Manager: Budget allocation, compression │ │
│ └────────────────────────────────────────────────────────┘ │
└───────────┬────────────────────────┬────────────────────────┘
│ │
▼ ▼
┌───────────────────────┐ ┌─────────────────────────┐
│ Ghidra Client │ │ LLM Clients │
│ • GhidraMCP Plugin │ │ • Ollama (local) │
│ • Binary operations │ │ • External APIs │
│ • Decompilation │ │ • Custom endpoints │
└───────────────────────┘ └─────────────────────────┘
│ │
└────────────┬───────────┘
▼
┌─────────────────────────────────────────────────────────────┐
│ CAG Manager (Knowledge System) │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ • Vector Store: Semantic search over functions │ │
│ │ • Pattern Detector: 12+ malware techniques │ │
│ │ • Metadata Extractor: Structured function analysis │ │
│ │ • Session Store: Persistent analysis state │ │
│ └────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
```
We welcome contributions! Areas of interest:
- New malware patterns for detection
- LLM provider integrations
- UI/UX improvements
- Performance optimizations
- Documentation and examples
See CODE_OF_CONDUCT.md for community guidelines.
If you use OGhidra in your research, please cite:
```bibtex
@software{oghidra2025,
  title  = {OGhidra: AI-Powered Reverse Engineering with Ghidra},
  author = {Enoch Wang},
  year   = {2025},
  url    = {https://github.com/LLNL/OGhidra}
}
```

OGhidra builds upon excellent open-source projects:
- Ghidra - NSA's reverse engineering platform
- Ollama - Local LLM runtime
- LaurieWired/GhidraMCP - Original Ghidra MCP plugin
- starsong/GhydraMCP - Enhanced MCP implementation
OGhidra is distributed under the terms of the BSD 3-Clause license with a commercial license alternative.
See LICENSE and NOTICE.md for details.
LLNL-CODE-2013290
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Just Email Me Directly: enochsurge@gmail.com
