GhidraMCP
🥇GoldGhidraMCP is a powerful MCP Server designed for Ghidra, facilitating enhanced reverse engineering capabilities. With a strong Java foundation, it streamlines analysis workflows for security researchers and developers alike.
8,3255830Updated Today
Intermediate15 minutes to implementdevelopment
Saves ~180 min per use
Quick InstallView Source
claude install LaurieWired/GhidraMCPOverview
About This Skill
GhidraMCP is a powerful MCP Server designed for Ghidra, facilitating enhanced reverse engineering capabilities. With a strong Java foundation, it streamlines analysis workflows for security researchers and developers alike.
How to Use
1. **Install and Configure GhidraMCP** - Install Ghidra from [ghidra-sre.org](https://ghidra-sre.org/). - Clone the GhidraMCP repository: `git clone https://github.com/NationalSecurityAgency/GhidraMCP.git`. - Follow the setup instructions in the README to configure the MCP server. Ensure your Ghidra installation path is correctly specified in the MCP server config. 2. **Load the Binary** - Open Ghidra and import the target binary (e.g., `sample_app.exe` or `libvuln.so`). - Run auto-analysis to generate function signatures and cross-references. GhidraMCP will use this data for analysis. 3. **Run the Analysis** - Use the prompt template above to craft your query. Replace `[FILE_PATH]` with the path to your binary and `[SPECIFIC_VULNERABILITY_TYPE]` with the type of vulnerability (e.g., "heap overflow" or "use-after-free"). - Execute the query in your MCP client (e.g., Automa, ChatGPT, or a local MCP-compatible tool). 4. **Review and Act on the Report** - GhidraMCP will return a detailed report with disassembly, exploitability assessment, and mitigations. Focus on the "Exploitability Assessment" section to prioritize fixes. - Use the pseudo-code and disassembly to understand the root cause. For example, if the report identifies a `strcpy()` vulnerability, replace it with `strncpy()` or `snprintf()`. 5. **Validate Fixes** - Re-run the analysis after patching the binary to confirm the vulnerability is resolved. - Use dynamic analysis tools (e.g., Valgrind, AddressSanitizer) to verify the fix. GhidraMCP can be combined with these tools for comprehensive testing.
Use Cases
Integrate Ghidra with custom plugins to extend its functionality and tailor it to specific needs.
Automate repetitive reverse engineering tasks to save time and reduce manual errors.
Enhance security analysis workflows by streamlining the process of analyzing vulnerabilities in software.
Collaborate on Ghidra projects by sharing insights and findings with team members in real-time.
Tags
Setup & Installation
Quick Install
Terminal
claude install LaurieWired/GhidraMCPAlternative Install (Git Clone)
git clone https://github.com/LaurieWired/GhidraMCPRequirements
- Claude Code or compatible AI agent
Quick Start Guide
1
Install the Skill
Copy the install command above and run it in your terminal.
2
Open Your AI Agent
Launch Claude Code, Cursor, or your preferred AI coding agent.
3
Try It Out
Use the prompt template or examples below to test the skill.
4
Customize
Adapt the skill to your specific use case and workflow.
Usage Examples
Prompt Template
Use GhidraMCP to analyze the binary [FILE_PATH] for potential vulnerabilities. Focus on identifying [SPECIFIC_VULNERABILITY_TYPE] such as buffer overflows or memory corruption issues. Provide a detailed report including: 1) Disassembly of the vulnerable function, 2) Exploitability assessment, 3) Recommended mitigations, and 4) Pseudo-code of the vulnerable logic. Ensure the analysis includes cross-references to relevant CWE entries.
Example Output
### GhidraMCP Vulnerability Analysis Report
**Binary Analyzed:** `sample_app.exe` (MD5: `a1b2c3d4e5f6...`)
**Analysis Date:** 2024-05-15
**Vulnerability Type:** Stack-based Buffer Overflow (CWE-121)
---
#### 1. Vulnerable Function Disassembly
The following disassembly of `process_input()` (address `0x00401234`) reveals a classic stack-based buffer overflow:
```c
void process_input(char *user_input) {
char buffer[64]; // Allocated on the stack
// Vulnerable: No bounds checking on user_input
strcpy(buffer, user_input); // Dangerous function!
// ... rest of function ...
}
```
**Key Observations:**
- `buffer` is a 64-byte stack-allocated array.
- `strcpy()` is used without validating the length of `user_input`.
- The function lacks any input sanitization.
---
#### 2. Exploitability Assessment
**Exploitability Score:** HIGH (CVSS 8.5)
**Exploit Scenario:**
1. An attacker sends a 128-byte input string (e.g., `python -c "print('A'*128)"`).
2. The `strcpy()` operation overwrites the return address on the stack, redirecting execution to attacker-controlled code.
3. The attacker can achieve arbitrary code execution with the privileges of the vulnerable process.
**Proof of Concept (PoC) Input:**
```python
import struct
# Craft payload to overwrite return address
payload = b'A' * 64 # Fill buffer
payload += b'B' * 4 # Overwrite saved EBP
payload += struct.pack('<I', 0xdeadbeef) # Overwrite return address
# Send payload to vulnerable binary
with open('exploit.bin', 'wb') as f:
f.write(payload)
```
---
#### 3. Recommended Mitigations
| Mitigation | Implementation | Effectiveness |
|------------|----------------|---------------|
| **Replace `strcpy()`** | Use `strncpy(buffer, user_input, sizeof(buffer)-1)` | High |
| **Stack Canary** | Enable `-fstack-protector` in GCC | High |
| **Address Space Layout Randomization (ASLR)** | Enable ASLR in OS | Medium |
| **Data Execution Prevention (DEP)** | Enable NX bit in binary | High |
**Compiler Flags:**
```bash
gcc -fstack-protector -Wformat -Werror=format-security -z noexecstack -o safe_app sample_app.c
```
---
#### 4. Pseudo-Code of Vulnerable Logic
```c
function process_input(user_input):
buffer = allocate_stack(64) // 64-byte stack buffer
// No length validation
copy_string(buffer, user_input) // strcpy() equivalent
// Process buffer (e.g., log, parse)
log_message(buffer)
return
```
**Flow of Exploitation:**
1. User provides `user_input` of length > 64.
2. `copy_string()` overflows `buffer`, corrupting adjacent stack frames.
3. Return address is overwritten, allowing control flow hijacking.
---
#### 5. Additional Notes
- **CWE Reference:** [CWE-121: Stack-based Buffer Overflow](https://cwe.mitre.org/data/definitions/121.html)
- **Related Ghidra Analysis:**
- Cross-references to `strcpy` in the decompiler view.
- Stack frame visualization showing buffer layout.
- **Tools Used:** Ghidra 11.0.2, GhidraMCP 2.1.0, Python 3.11.
**Next Steps:**
1. Patch the binary using the recommended mitigations.
2. Re-test with GhidraMCP to confirm the vulnerability is resolved.
3. Perform fuzz testing (e.g., with AFL++) to identify similar issues.Apply to these tools
Browse all toolsIstio
Manage microservices traffic and enhance security with comprehensive observability features.
HashiCorp Nomad
Orchestrate workloads with multi-cloud support, job scheduling, and integrated service discovery features.
LogRocket
Monitor frontend performance and debug effectively with session replay and analytics.
Swagger
Design, document, and generate code for APIs with interactive tools for developers.
TeamCity
CI/CD automation with build configuration as code
Lightstep
Enhance performance monitoring and root cause analysis with real-time distributed tracing.
Compatible MCP servers
Browse all MCP servers
Find the right skills for your stack
Take a free 3-minute scan and get personalized AI skill recommendations.
Take free scan