Generated by GPT-5-mini

| Ghidra | |
|---|---|
| Image credit: Ryan Kurtz · Apache License 2.0 | |
| Name | Ghidra |
| Developer | National Security Agency |
| Released | 2019 |
| Programming language | Java, C++ |
| Operating system | Windows, macOS, Linux |
| License | Apache License 2.0 |
Ghidra is a software reverse engineering framework released as open source by the National Security Agency in 2019. It provides disassembly, decompilation, and binary analysis capabilities for security researchers, incident responders, and malware analysts at organizations such as the Department of Homeland Security, Microsoft, Google, Apple Inc., and private firms. Ghidra is used alongside, and can be integrated with, established tools and techniques such as IDA Pro, Radare2, Binary Ninja, Volatility, and the Metasploit Framework.
Ghidra is a modular platform offering a graphical user interface and a scripting environment that supports both interactive and automated reverse engineering workflows, as employed by analysts at institutions like the FBI, Central Intelligence Agency, Department of Defense, National Institute of Standards and Technology, and academic groups affiliated with Carnegie Mellon University and the Massachusetts Institute of Technology. The tool emphasizes extensibility through plugins and APIs, enabling contributions from communities on GitHub, Apache Software Foundation-style ecosystems, and independent researchers such as those who present findings at venues like Black Hat, DEF CON, SANS Institute, and USENIX. Its licensing under the Apache License encourages integration by vendors such as Cisco Systems, CrowdStrike, and Palo Alto Networks, and by open projects like The Honeynet Project.
Development originated within the National Security Agency and was publicly announced at an event featuring representatives from agencies like the Office of the Director of National Intelligence and partners in the Five Eyes intelligence alliance. After the 2019 open-source release, the codebase attracted pull requests and forks on GitHub from contributors associated with organizations including Google Project Zero, CERT Coordination Center, Trend Micro, Kaspersky Lab, and university research groups from Stanford University, University of California, Berkeley, and Royal Holloway University of London. Subsequent updates have been discussed and demonstrated at conferences like RSA Conference and BSides, and documented in technical analyses published in journals such as ACM Transactions on Privacy and Security and proceedings from IEEE Symposium on Security and Privacy.
Ghidra's architecture combines a Java-based user interface and modular plugin system with native components implemented in C++ for performance-sensitive tasks. Central components include a disassembler, a decompiler that produces high-level pseudo-C code, and a program database that stores metadata and symbol information; these are used by analysts at organizations like Europol and Interpol. The platform supports scripting in Python (via Jython) and Java, as well as community-contributed adapters for JNI integrations. Its features mirror capabilities found in commercial tools used by analysts at Mandiant and Symantec Corporation: graph views, cross-references, function signature recovery, calling convention heuristics, and plugin APIs used in workflows involving YARA rules and Suricata and Snort indicators.
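As an added illustration of the Java scripting environment described above (this is example code written for this page, not code from the Ghidra project), the following GhidraScript walks every function in the open program, asks the decompiler for its pseudo-C, and reports how many cross-references point at each entry point. It assumes the public Ghidra scripting API classes named in the imports and is run from the Script Manager or the headless analyzer.

```java
// Added example (not from the page or the Ghidra project): summarise every
// function in the current program with its incoming cross-reference count and
// the first line of the decompiler's pseudo-C output (the recovered signature).
// Uses only public Ghidra API classes: GhidraScript, DecompInterface,
// DecompileResults, Function and ReferenceManager.
import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.ReferenceManager;

public class FunctionXrefSummary extends GhidraScript {

    @Override
    public void run() throws Exception {
        // The decompiler runs as a separate native process; open it once per program.
        DecompInterface decomp = new DecompInterface();
        if (!decomp.openProgram(currentProgram)) {
            printerr("Could not start decompiler: " + decomp.getLastMessage());
            return;
        }
        ReferenceManager refs = currentProgram.getReferenceManager();
        try {
            // getFunctions(true) iterates functions in ascending address order.
            for (Function f : currentProgram.getFunctionManager().getFunctions(true)) {
                if (monitor.isCancelled()) {
                    break;
                }
                // Cross-references to the entry point approximate the caller count.
                int xrefsTo = refs.getReferenceCountTo(f.getEntryPoint());

                // Decompile with a 30-second timeout so one pathological function
                // cannot stall the whole pass.
                DecompileResults res = decomp.decompileFunction(f, 30, monitor);
                String firstLine = "<decompile failed: " + res.getErrorMessage() + ">";
                if (res.decompileCompleted()) {
                    String c = res.getDecompiledFunction().getC();
                    firstLine = c.split("\n", 2)[0].trim();
                }
                println(String.format("%-32s @ %s  xrefs-to=%d  %s",
                        f.getName(), f.getEntryPoint(), xrefsTo, firstLine));
            }
        } finally {
            // Always release the decompiler process, even if the loop throws.
            decomp.dispose();
        }
    }
}
```

Functions with zero incoming references are often entry points, callbacks reached through data pointers, or dead code, so the count is a triage hint rather than a definitive call graph.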
Ghidra runs on multiple operating systems including Microsoft Windows, macOS, and the Linux distributions common in research labs at institutions like Los Alamos National Laboratory and Lawrence Berkeley National Laboratory. It can analyze binaries for processor architectures and instruction sets such as x86, x86-64, ARM, AArch64, MIPS, PowerPC, SPARC, and others used in firmware analysis by teams at ESET and Check Point Software Technologies. Supported file formats and executable types include those widely used in enterprise and embedded systems, such as Portable Executable, ELF, and Mach-O, enabling reverse engineering tasks relevant to vendors like Intel Corporation, Advanced Micro Devices, and embedded vendors such as STMicroelectronics.
Practitioners employ Ghidra for malware analysis in incident response engagements conducted by firms like CrowdStrike, FireEye, and government CERT teams; for vulnerability research by security teams at Google, Microsoft, and open-source projects such as Debian; for firmware reverse engineering of products from Qualcomm, NVIDIA, and Broadcom; and for academic instruction in courses at the University of Oxford, University of Cambridge, and ETH Zurich. It has been used in published case studies of campaigns attributed to threat actors such as Fancy Bear and Lazarus Group, and incorporated into bespoke toolchains alongside automation projects like Cuckoo Sandbox and orchestration platforms from TheHive Project.
Ghidra's open-source release fostered a community centered on GitHub repositories, mailing lists, and community forums where contributors from companies such as Red Hat, VMware, and BlackBerry submit patches, plugins, and language modules. Development follows an open collaboration model with issue tracking and continuous integration practices common at organizations like Canonical and the Mozilla Foundation, and periodic releases coordinated with engineering teams at the originating agency. Training materials, workshops, and tutorials are published by independent educators and organizations including SANS Institute, Offensive Security, and university research groups, while academic publications and conference presentations continue to analyze and extend the platform.