# Ghidra — NSA Open-Source Reverse Engineering Framework

> A software reverse engineering suite developed by the NSA, providing disassembly, decompilation, and analysis tools for security researchers.

## Quick Use

```bash
# Download from https://github.com/NationalSecurityAgency/ghidra/releases
# Requires JDK 17+
unzip ghidra_*.zip
# The trailing slash makes the glob match only the extracted directory, not the ZIP
cd ghidra_*/
./ghidraRun
```

## Introduction

Ghidra is a software reverse engineering framework developed by the NSA and released as open source in 2019. It provides a full-featured suite of tools for analyzing compiled code across dozens of processor architectures, making it accessible to security researchers, malware analysts, and software auditors.

## What Ghidra Does

- Disassembles binaries for x86, ARM, MIPS, PowerPC, and 30+ other architectures
- Decompiles machine code into readable C-like pseudocode
- Supports collaborative multi-user reverse engineering via shared projects
- Provides a scripting API in Java and Python (Jython) for automation
- Analyzes firmware, malware, and proprietary file formats

## Architecture Overview

Ghidra is built in Java with a modular plugin architecture. The core consists of a processor-specification language (Sleigh) that defines instruction semantics, enabling the same decompiler to work across all supported architectures. Analysis runs in a pipeline of analyzers that annotate the program database with cross-references, data types, and function signatures.

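The scripting API and the cross-references stored in the program database can be combined for quick audit triage. The Jython script below is an added example, not code from the Ghidra project or from this page: it lists call sites of a few C library functions that auditors typically review first. The script name, the `RISKY` list and the paths in the usage comment are assumptions.

```python
# ListRiskyCalls.py (hypothetical name): Ghidra Jython script, added example.
# Headless use (the paths and project name are placeholders):
#   support/analyzeHeadless /tmp/proj Triage -import sample.bin \
#       -scriptPath ./scripts -postScript ListRiskyCalls.py -deleteProject

# C library calls an auditor usually reviews first (assumed list, extend as needed).
RISKY = {"gets", "strcpy", "strcat", "sprintf", "vsprintf", "system"}


def risky_call_sites(program, names=RISKY):
    """Return sorted (caller, callee, call_address) tuples for calls to `names`.

    Matches functions in the program listing by name, which covers statically
    linked code and PLT-style thunks; it only reads the program database.
    """
    functions = program.getFunctionManager()
    references = program.getReferenceManager()
    hits = []
    for callee in functions.getFunctions(True):  # True = ascending address order
        if callee.getName() not in names:
            continue
        for ref in references.getReferencesTo(callee.getEntryPoint()):
            if not ref.getReferenceType().isCall():
                continue  # skip data references and jumps
            caller = functions.getFunctionContaining(ref.getFromAddress())
            caller_name = caller.getName() if caller is not None else "<no function>"
            hits.append((caller_name, callee.getName(), str(ref.getFromAddress())))
    return sorted(hits)


try:
    _program = currentProgram  # injected by Ghidra when run as a script
except NameError:
    _program = None  # imported outside Ghidra, e.g. by a unit test

if _program is not None:
    for caller, callee, address in risky_call_sites(_program):
        print("%s calls %s at %s" % (caller, callee, address))
```

Call sites outside any defined function are reported as `<no function>`, which usually means auto-analysis has not created a function there yet.
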
## Self-Hosting & Configuration

- Download release ZIPs from the official GitHub releases page
- Requires JDK 17 or later on Windows, macOS, or Linux
- Configure memory allocation in `support/launch.properties`
- Set up a Ghidra Server for team collaboration with shared repositories
- Extend with custom analyzer plugins placed in the Extensions directory

## Key Features

- Built-in decompiler that produces readable pseudocode across architectures
- Version tracking to diff two binaries and identify patch changes
- Extensible via headless analyzer mode for batch processing
- Function ID database for automatic library function recognition
- DWARF and PDB debug symbol ingestion

## Comparison with Similar Tools

- **IDA Pro** — commercial industry standard with faster UI, but costs thousands per license
- **Binary Ninja** — modern commercial alternative with cleaner API but smaller architecture support
- **radare2/Cutter** — open-source CLI-first framework, steeper learning curve
- **Hopper** — lightweight macOS disassembler for quick triage, less powerful decompiler

## FAQ

**Q: Is Ghidra truly free for commercial use?**
A: Yes. Ghidra is released under the Apache 2.0 license and can be used for any purpose including commercial work.

**Q: How does the decompiler compare to IDA's Hex-Rays?**
A: Ghidra's decompiler handles most architectures well. Hex-Rays may produce cleaner output for x86/ARM, but Ghidra covers more platforms out of the box.

**Q: Can I automate analysis without the GUI?**
A: Yes. Ghidra provides a headless analyzer that runs scripts from the command line for batch processing.

**Q: Does Ghidra support debugging?**
A: Ghidra 10.x added a debugger module supporting GDB and WinDbg backends for live debugging sessions.

## Sources

- https://github.com/NationalSecurityAgency/ghidra
- https://ghidra-sre.org/

---

Source: https://tokrepo.com/en/workflows/asset-a498e727

Author: Script Depot