GhidrAssistMCP MCP — Use Cases, Install & Live Demo

Why use it

Key features

35 MCP tools for binary analysis, function review, xrefs, renaming, and structure analysis
6 MCP resources: programs, functions, strings, imports, exports, segments
7 built-in prompts for common reverse engineering workflows
Multi-program and multi-window support with intelligent focus tracking
Result caching and async task management for large analyses

Live Demo

What it looks like in practice

ghidrassistmcp.replay ▶ ready

0/0

Install

Pick your client

~/Library/Application Support/Claude/claude_desktop_config.json · Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "ghidrassistmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/symgraph/GhidrAssistMCP"
      ]
    }
  }
}

Open Claude Desktop → Settings → Developer → Edit Config. Restart after saving.

~/.cursor/mcp.json · .cursor/mcp.json

{
  "mcpServers": {
    "ghidrassistmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/symgraph/GhidrAssistMCP"
      ]
    }
  }
}

Cursor uses the same mcpServers schema as Claude Desktop. Project config wins over global.

VS Code → Cline → MCP Servers → Edit

{
  "mcpServers": {
    "ghidrassistmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/symgraph/GhidrAssistMCP"
      ]
    }
  }
}

Click the MCP Servers icon in the Cline sidebar, then "Edit Configuration".

~/.codeium/windsurf/mcp_config.json

{
  "mcpServers": {
    "ghidrassistmcp": {
      "command": "TODO",
      "args": [
        "See README: https://github.com/symgraph/GhidrAssistMCP"
      ]
    }
  }
}

Same shape as Claude Desktop. Restart Windsurf to pick up changes.

~/.continue/config.json

{
  "mcpServers": [
    {
      "name": "ghidrassistmcp",
      "command": "TODO",
      "args": [
        "See README: https://github.com/symgraph/GhidrAssistMCP"
      ]
    }
  ]
}

Continue uses an array of server objects rather than a map.

~/.config/zed/settings.json

{
  "context_servers": {
    "ghidrassistmcp": {
      "command": {
        "path": "TODO",
        "args": [
          "See README: https://github.com/symgraph/GhidrAssistMCP"
        ]
      }
    }
  }
}

Add to context_servers. Zed hot-reloads on save.

claude mcp add ghidrassistmcp -- TODO 'See README: https://github.com/symgraph/GhidrAssistMCP'

One-liner. Verify with claude mcp list. Remove with claude mcp remove.

Use Cases

Real-world ways to use GhidrAssistMCP

How to analyze an unknown binary with AI assistance in Ghidra

👤 Security researchers and malware analysts working in sandboxed environments ⏱ ~60 min advanced

When to use: You have a binary to analyze and want AI to help understand its functionality.

Prerequisites

Ghidra 11.4+ with GhidrAssistMCP installed — Download release ZIP, install via File → Install Extensions
MCP client (e.g., Claude Desktop) — Configure to connect to GhidrAssistMCP's HTTP endpoint

Flow

Get binary overview

Get the binary info and list all imports. What libraries does this binary depend on and what do the imports suggest about its functionality?✓ Copied

→ Binary metadata with categorized import analysis
Analyze key functions

Find functions that reference network-related strings. Decompile the most interesting one and explain what it does.✓ Copied

→ Decompiled C code with annotated explanation
Rename and annotate

Based on our analysis, rename the functions we've identified with descriptive names and add comments explaining their purpose.✓ Copied

→ Confirmation of renamed symbols

Outcome: A partially annotated binary with key functions identified, named, and documented.

Pitfalls

Large binaries with thousands of functions overwhelm the analysis — Start with imports and strings to identify interesting functions, then focus on those

Combine with: filesystem

Solve a CTF binary reverse engineering challenge with Ghidra and AI

👤 CTF participants tackling reverse engineering challenges ⏱ ~45 min intermediate

When to use: You have a CTF binary that needs to be reversed to find a flag.

Prerequisites

Ghidra with GhidrAssistMCP — Install the extension and load the challenge binary

Flow

Find the main logic

Search for functions that reference 'flag', 'correct', 'wrong', or 'password'. Decompile the most relevant one.✓ Copied

→ Decompiled function with validation logic
Trace the check

Follow the xrefs from the validation function. What data does it compare against and what transformation is applied to the input?✓ Copied

→ Detailed analysis of the check algorithm with data references

Outcome: Understanding of the validation logic sufficient to derive the flag.

Pitfalls

Obfuscated binaries resist straightforward decompilation — Use get_basic_blocks to understand control flow, then analyze blocks individually

Combinations

Pair with other MCPs for X10 leverage

ghidrassistmcp + filesystem

Export analysis results and annotated code to files for reporting

Export the decompiled code and our annotations for the network functions to a report file.✓ Copied

Tools

What this MCP exposes

Tool	Inputs	When to call
get_binary_info	none	Get metadata about the loaded binary
get_functions	offset?: int, limit?: int	List functions in the binary
analyze_function	address: str	Decompile and analyze a specific function
search_strings	pattern: str	Search for strings in the binary
xrefs	address: str, action: str	Find cross-references to/from an address
rename_symbol	old_name: str, new_name: str	Rename a function or variable
get_imports	none	List all imported functions
get_basic_blocks	function_address: str	Get control flow blocks for a function

Cost & Limits

What this costs to run

API quota: N/A — fully local
Tokens per call: 200–2000 tokens (decompilation results can be large)
Monetary: Free — both Ghidra and GhidrAssistMCP are free
Tip: Use search_functions_by_name and search_strings to narrow targets before decompiling.

Security

Permissions, secrets, blast radius

Credential storage: N/A

Data egress: Local only — Ghidra analysis stays on your machine

⚠ This tool is designed for authorized security research, CTF competitions, and defensive analysis only. Do not use it against systems you don't own or have written authorization to test.
Only analyze binaries you have legal right to reverse engineer.

Troubleshooting

Common errors and fixes

Plugin not showing in Ghidra

Ensure you installed the extension ZIP via File → Install Extensions, then restarted Ghidra. Enable via File → Configure → Configure Plugins.

Verify: Search for 'GhidrAssistMCP' in the plugin configuration dialog

MCP client can't connect

Check the GhidrAssistMCP port in the plugin settings. Ensure no firewall blocks the connection.

Verify: Check the Ghidra console for MCP server startup messages

Decompilation fails for a function

Some functions (especially obfuscated ones) may fail to decompile. Try disassembly instead, or fix the function boundaries with define_func.

Verify: Use get_code as a fallback

Alternatives

GhidrAssistMCP vs others

Alternative	When to use it instead	Tradeoff
reverse-engineering-assistant	You want a tool-driven approach optimized for LLM interaction with focus on context management	Fewer tools but designed to reduce LLM hallucinations
ida-pro-mcp	You prefer IDA Pro over Ghidra for binary analysis	IDA Pro is commercial ($) but has broader format support and faster analysis

More

Resources

📖 Read the official README on GitHub

🐙 Browse open issues

🔍 Browse all 400+ MCP servers and Skills