/ Verzeichnis / Playground / GhidrAssistMCP
← Alle Server ↗ GitHub
● Community symgraph ⚡ Sofort

GhidrAssistMCP

von symgraph · symgraph/GhidrAssistMCP

35 MCP tools bridging Ghidra's reverse engineering platform with AI — decompile, analyze functions, trace xrefs, and rename symbols.

GhidrAssistMCP is a Ghidra extension that implements a full MCP server with 35 built-in tools, 6 resources, and 7 prompts for reverse engineering tasks. It supports dual HTTP transports (SSE and Streamable), multi-program analysis, result caching, and asynchronous task management. Requires Ghidra 11.4+ and works with any MCP client.

▶ Demo ansehen 📦 Installieren 💡 Anwendungsfälle

Warum nutzen

Hauptfunktionen

Live-Demo

In der Praxis

ghidrassistmcp.replay ▶ bereit
0/0

Installieren

Wählen Sie Ihren Client

~/Library/Application Support/Claude/claude_desktop_config.json  · Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "ghidrassistmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/symgraph/GhidrAssistMCP"
      ]
    }
  }
}

Öffne Claude Desktop → Settings → Developer → Edit Config. Nach dem Speichern neu starten.

~/.cursor/mcp.json · .cursor/mcp.json
{
  "mcpServers": {
    "ghidrassistmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/symgraph/GhidrAssistMCP"
      ]
    }
  }
}

Cursor nutzt das gleiche mcpServers-Schema wie Claude Desktop. Projektkonfiguration schlägt die globale.

VS Code → Cline → MCP Servers → Edit
{
  "mcpServers": {
    "ghidrassistmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/symgraph/GhidrAssistMCP"
      ]
    }
  }
}

Klicken Sie auf das MCP-Servers-Symbol in der Cline-Seitenleiste, dann "Edit Configuration".

~/.codeium/windsurf/mcp_config.json
{
  "mcpServers": {
    "ghidrassistmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/symgraph/GhidrAssistMCP"
      ]
    }
  }
}

Gleiche Struktur wie Claude Desktop. Windsurf neu starten zum Übernehmen.

~/.continue/config.json
{
  "mcpServers": [
    {
      "name": "ghidrassistmcp",
      "command": "TODO",
      "args": [
        "See README: https://github.com/symgraph/GhidrAssistMCP"
      ]
    }
  ]
}

Continue nutzt ein Array von Serverobjekten statt einer Map.

~/.config/zed/settings.json
{
  "context_servers": {
    "ghidrassistmcp": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/symgraph/GhidrAssistMCP"
        ]
      }
    }
  }
}

In context_servers hinzufügen. Zed lädt beim Speichern neu.

claude mcp add ghidrassistmcp -- TODO 'See README: https://github.com/symgraph/GhidrAssistMCP'

Einzeiler. Prüfen mit claude mcp list. Entfernen mit claude mcp remove.

Anwendungsfälle

Praxisnahe Nutzung: GhidrAssistMCP

How to analyze an unknown binary with AI assistance in Ghidra

👤 Security researchers and malware analysts working in sandboxed environments ⏱ ~60 min advanced

Wann einsetzen: You have a binary to analyze and want AI to help understand its functionality.

Voraussetzungen
  • Ghidra 11.4+ with GhidrAssistMCP installed — Download release ZIP, install via File → Install Extensions
  • MCP client (e.g., Claude Desktop) — Configure to connect to GhidrAssistMCP's HTTP endpoint
Ablauf
  1. Get binary overview
    Get the binary info and list all imports. What libraries does this binary depend on and what do the imports suggest about its functionality?✓ Kopiert
    → Binary metadata with categorized import analysis
  2. Analyze key functions
    Find functions that reference network-related strings. Decompile the most interesting one and explain what it does.✓ Kopiert
    → Decompiled C code with annotated explanation
  3. Rename and annotate
    Based on our analysis, rename the functions we've identified with descriptive names and add comments explaining their purpose.✓ Kopiert
    → Confirmation of renamed symbols

Ergebnis: A partially annotated binary with key functions identified, named, and documented.

Fallstricke
  • Large binaries with thousands of functions overwhelm the analysis — Start with imports and strings to identify interesting functions, then focus on those
Kombinieren mit: filesystem

Solve a CTF binary reverse engineering challenge with Ghidra and AI

👤 CTF participants tackling reverse engineering challenges ⏱ ~45 min intermediate

Wann einsetzen: You have a CTF binary that needs to be reversed to find a flag.

Voraussetzungen
  • Ghidra with GhidrAssistMCP — Install the extension and load the challenge binary
Ablauf
  1. Find the main logic
    Search for functions that reference 'flag', 'correct', 'wrong', or 'password'. Decompile the most relevant one.✓ Kopiert
    → Decompiled function with validation logic
  2. Trace the check
    Follow the xrefs from the validation function. What data does it compare against and what transformation is applied to the input?✓ Kopiert
    → Detailed analysis of the check algorithm with data references

Ergebnis: Understanding of the validation logic sufficient to derive the flag.

Fallstricke
  • Obfuscated binaries resist straightforward decompilation — Use get_basic_blocks to understand control flow, then analyze blocks individually

Kombinationen

Mit anderen MCPs für 10-fache Wirkung

ghidrassistmcp + filesystem

Export analysis results and annotated code to files for reporting

Export the decompiled code and our annotations for the network functions to a report file.✓ Kopiert

Werkzeuge

Was dieses MCP bereitstellt

WerkzeugEingabenWann aufrufenKosten
get_binary_info none Get metadata about the loaded binary 0
get_functions offset?: int, limit?: int List functions in the binary 0
analyze_function address: str Decompile and analyze a specific function 0
search_strings pattern: str Search for strings in the binary 0
xrefs address: str, action: str Find cross-references to/from an address 0
rename_symbol old_name: str, new_name: str Rename a function or variable 0
get_imports none List all imported functions 0
get_basic_blocks function_address: str Get control flow blocks for a function 0

Kosten & Limits

Was der Betrieb kostet

API-Kontingent
N/A — fully local
Tokens pro Aufruf
200–2000 tokens (decompilation results can be large)
Kosten in €
Free — both Ghidra and GhidrAssistMCP are free
Tipp
Use search_functions_by_name and search_strings to narrow targets before decompiling.

Sicherheit

Rechte, Secrets, Reichweite

Credential-Speicherung: N/A
Datenabfluss: Local only — Ghidra analysis stays on your machine

Fehlerbehebung

Häufige Fehler und Lösungen

Plugin not showing in Ghidra

Ensure you installed the extension ZIP via File → Install Extensions, then restarted Ghidra. Enable via File → Configure → Configure Plugins.

Prüfen: Search for 'GhidrAssistMCP' in the plugin configuration dialog
MCP client can't connect

Check the GhidrAssistMCP port in the plugin settings. Ensure no firewall blocks the connection.

Prüfen: Check the Ghidra console for MCP server startup messages
Decompilation fails for a function

Some functions (especially obfuscated ones) may fail to decompile. Try disassembly instead, or fix the function boundaries with define_func.

Prüfen: Use get_code as a fallback

Alternativen

GhidrAssistMCP vs. andere

AlternativeWann stattdessenKompromiss
reverse-engineering-assistantYou want a tool-driven approach optimized for LLM interaction with focus on context managementFewer tools but designed to reduce LLM hallucinations
ida-pro-mcpYou prefer IDA Pro over Ghidra for binary analysisIDA Pro is commercial ($) but has broader format support and faster analysis

Mehr

Ressourcen

📖 Offizielle README auf GitHub lesen

🐙 Offene Issues ansehen

🔍 Alle 400+ MCP-Server und Skills durchsuchen