Ghidra | NSA Ghidra | Reverse Engineering library

 by   kant2002 Java Version: Current License: Non-SPDX

kandi X-RAY | Ghidra Summary

kandi X-RAY | Ghidra Summary

Ghidra is a Java library typically used in Utilities, Reverse Engineering applications. Ghidra has no bugs and it has low support. However Ghidra has 5 vulnerabilities, it build file is not available and it has a Non-SPDX License. You can download it from GitHub.

This is source code derived from Java code found in files shiped with Ghidra. I collect modification which community post in the issues to actual Ghidra, and just ship them here. Also I provide some simple fixes for silly issues when I able to make it. Azure DevOps project now have built JAR files, and they should be usable with Ghidra. You could modify your Ghidra installation, by replacing JAR files in the original Ghidra installation. Just click on Azure badge and download JAR from Artifacts button. Structure of the project is similar to what of Ghidra.

            kandi-support Support

              Ghidra has a low active ecosystem.
              It has 25 star(s) with 3 fork(s). There are 2 watchers for this library.
              It had no major release in the last 6 months.
              There are 0 open issues and 3 have been closed. On average issues are closed in 2 days. There are 1 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of Ghidra is current.

            kandi-Quality Quality

              Ghidra has no bugs reported.

            kandi-Security Security

              Ghidra has 5 vulnerability issues reported (2 critical, 3 high, 0 medium, 0 low).

            kandi-License License

              Ghidra has a Non-SPDX License.
              Non-SPDX licenses can be open source with a non SPDX compliant license, or non open source licenses, and you need to review them closely before use.

            kandi-Reuse Reuse

              Ghidra releases are not available. You will need to build from source code and install.
              Ghidra has no build file. You will be need to create the build yourself to build the component from source.
              Installation instructions, examples and code snippets are available.

            Top functions reviewed by kandi - BETA

            kandi has reviewed Ghidra and discovered the below as its top functions. This is intended to give you an instant insight into Ghidra implemented functionality, and help decide if they suit your requirements.
            • the special parser
            • Matches a key as id
            • Moves forward from the last state in the state set .
            • Matches a variable node .
            • 11
            • Returns the next pcode for the instruction .
            • Performs the given relocation .
            • reference all tokens
            • Create the filters .
            • Simplify a pcode operation .
            Get all kandi verified functions for this library.

            Ghidra Key Features

            No Key Features are available at this moment for Ghidra.

            Ghidra Examples and Code Snippets

            No Code Snippets are available at this moment for Ghidra.

            Community Discussions


            Ghidra headless analyzer
            Asked 2022-Mar-23 at 09:37

            I am trying to decompile nodejs bytecode using ghidra, and there is this specific plugin which decompiles the the nodejs bytecode. How can I install that plugin using ghidra headless method?

            And another question I have is, after analysing the nodejs bytecode it generated a .rep folder, which I am not sure what to do about now, as I thought it will be giving me the source code after analysis.

            Thanks in advance :)



            Answered 2022-Mar-23 at 09:37

            Installing a plugin in Ghidra via GUI is just an unzip with extra checks. Headless install is described in the doc at

            To install an extension in these cases, simply extract the desired Ghidra extension archive file(s) to the /Ghidra/Extensions directory. For example, on Linux or macOS:

            1. Set current directory to the Ghidra installed-extensions directory: cd /Ghidra/Extensions
            2. Extract desired extension archive file(s) to the current directory: unzip /path/to/.zip
            3. The extension(s) will be installed the next time Ghidra is started.

            How to dump the source code will depend on the plugin you are using, without a link it's hard to tell. I guess it just allows disassembling NodeJS bytecode, so you have to use the regular Ghidra APIs or scripts to dump disassembly?



            Ghidra decompile windows is greyed backgound
            Asked 2022-Feb-13 at 17:33

            For some methods, Ghidra's decompiler background window is greyed out and I can't rename the function nor the local variables. Why?

            It works fine for methods with a "white background".


            Matching code



            Answered 2022-Feb-13 at 17:33

            You can only do rename in a fully defined function. The grey background means that Ghidra didn't properly create a function at this point. You can see this also in a disassembly where you only have a label at this location. If you think this is a function you can type F and define a function. It should enable all the edit options.



            Is there a command execution vulnerability in this C program?
            Asked 2022-Feb-02 at 10:16

            So I am working on a challenge problem to find a vulnerability in a C program binary that allows a command to be executed by the program (using the effective UID in Linux).

            I am really struggling to find how to do this with this particular program.

            The disassembly of the function in question (main function):



            Answered 2022-Feb-02 at 10:16

            In regular C code, execlp("tidy","tidy","-asxml",0); is incorrect as execlp() expects a null pointer argument to mark the end of the argument list.

            0 is a null pointer when used in a pointer context, which this is not. Yet on architectures where pointers have the same size and passing convention as int, such as 32-bit linux, passing 0 or passing NULL generate the same code, so sloppiness does not get punished.

            In 64-bit mode, it would be incorrect to do so but you might get lucky with the x86_64 ABI and a 64-bit 0 value will be passed in this case.

            In your own code, avoid such pitfalls and use NULL or (char *)0 as the last argument for execlp(). But on this listing, Ghidra produces code that generates the same assembly code, and in 32-bit mode, passing 0 or (char *)0 produce the same code, so no problem here.

            In your context, execlp("tidy","tidy","-asxml",0); shows another problem: it will look for an executable program with the name tidy in the current PATH and run this program as tidy with a command line argument -asxml. Since it changed the effective uid and gid, this is a problem if the program is setuid root because you can create a program named tidy in a directory appearing in the PATH variable before the system directories and this program will be run with the modified rights.

            Another potential problem is the program does not check for failure of the system calls setreuid() and setregid(). Although these calls are unlikely to fail for the arguments passed, as documented in the manual pages, it is a grave security error to omit checking for a failure return from setreuid(). In case of failure, the real and effective uid (or gid) is not changed and the process may fork and exec with root privileges.



            How can I determine this string value based on the C disassembly?
            Asked 2022-Jan-24 at 01:47

            So I am working on a "find the password" type binary disassembly problem and cannot quite figure it out.

            The assembly is as follows:

            function checkpw



            Answered 2022-Jan-24 at 01:44


            how to make Ghidra use a function's complete/original stackframe for decompiled code
            Asked 2022-Jan-14 at 17:33

            I have a case where some function allocates/uses a 404 bytes temporary structure on the stack for its internal calculations (the function is self-contained and shuffles data around within that data structure). Conceptually the respective structure seems to consist of some 32-bit counters followed by an int[15] and a byte[80] array, and then an area that might or might not actually be used. Some of the generated data in the tables seems to represent offsets that are again used by the function to navigate within the temporary structure.

            Unfortunately Ghidra's decompiler makes a total mess while trying to make sense of the function: In particular it creates separate "local_.." int-vars (and then uses a pointer to that var) for what should correctly be a pointer into the function's original data-structure (e.g. pointing into one of the arrays).



            Answered 2022-Jan-14 at 17:33

            I think I found something.. In the "Listing" view the used local-variable layout is shown as a comment under the function's header. It seems that by right clicking on a respective local-var line in that comment, "set data type" can be applied to a respective local variable. Ah, and then there is what I've been looking for under "Function/"Edit stack frame" :-)



            what's this decompiled f2xm1/fscale sequence meant to do?
            Asked 2022-Jan-10 at 08:37

            I am trying to reverse engineer some decomiled code which originally had been written in C/C++, i.e. I suspect that the below FPU related code sequence is probably derived from some simple C-code "double" handling that justs looks more complicated in the generated assembly code. Leading up to this point, some floating point multiplications had been performed with the result in ST0 (corresponding to d1). I've read the docs on what the underlying FPU operations technically do, still the intention of the respective code sequence still isn't obvious to me.



            Answered 2022-Jan-10 at 08:37

            Seems it is some variation of a pow(x,y) implementation (see How can I write a power function myself? ). Ghidra just made a total mess of it in the decompiled code view.

            Tracing the results in the debugger the performed functionality is indeed:

            pow((float10)DOUBLE_00430088, (float10)param_1[0x58])



            Decompiler not working in Ghidra Disassembler
            Asked 2022-Jan-09 at 14:46

            I'm kind of new to Ghidra Disassembler so kindly bear with me .

            I was trying to install Ghidra to analyse an executable. After opening the executable in Ghidra it loads everything fine except Decompiler. Decompiler window displays

            Decompiler: Unable to initialize the DecompilerInterface: Could not find decompiler executable" this error message. Also it shows "os/mac_x86_64/decompile does not exist

            I downloaded it from here. I also have JDK installed in my mac. What should i do so as to make Decompiler work?

            As the error says there is no decompiler inside "os/mac_x86_64". Not sure on what i should do.



            Answered 2022-Jan-09 at 14:46

            Issue happened because I removed the decompile file while installing ghidra for the first coz gatekeeper in my Mac prompted me to remove it as it was from github. Solution to this issue is to allow it in the Security & Privacy . Thank you @Robert for ur inputs and ur time. U saved me ton of time.

            Clicking "Allow Anyways" without removing decompile fixed the issue for me.



            How to reverse strings that have been obfuscated using floats and double?
            Asked 2021-Dec-24 at 01:09

            I'm working on a crackme , and having a bit of trouble making sense of the flag I'm supposed to retrieve. I have disassembled the binary using radare2 and ghidra , ghidra gives me back the following pseudo-code:



            Answered 2021-Dec-24 at 01:09

            You can tweak the Ghidra reverse result by edit variable type. Based on scanf const string %32s your local_38 should be char [32].

            Before the first if, there are some char swap.

            And the first if statment give you a long constrain of flag

            At this point, you can confirm part of flag is FARADAY{d0ubl3_@nd_f1o@t, then is ther main part of this challenge.

            It print x, y, z based on the flag, but you'll quickly find x and y is constrain by the if, so you only need to solve z to get the flag, so you think you need to bruteforce all double value limit by printable ascii.

            But there are a limitaion in if statment says byte0 of this double must be _ and a math constrain there, simple math tell dVar2 - 4088116.817143337 <= 1.192092895507813e-07 and it comes dVar2 is very close 4088116.817143337 And byte 3 and byte 7 in this double will swap

            By reverse result: dVar2 = y*y*x*x/z, solve this equation you can say z must near 407.2786840401004 and packed to little endian is `be}uty@. Based on double internal structure format, MSB will affect exponent, so you can make sure last byte is @ and it shows byte0 and byte3 is fixed now by constrain and flag common format with {} pair.

            So finally, you only need to bureforce 5 bytes of printable ascii to resolve this challenge.



            Question marks in ghidra DAT_*
            Asked 2021-Nov-09 at 09:15

            I disassembled a jni .so file(the native part of an android application) and I decompiled one of its function in ghidra.

            I saw a DAT_* in a part of decompiled code and when I double clicked on that ghidra show me only question marks.

            What should I do for finding the data in the DAT_*

            ( '*' Means any chars )



            Answered 2021-Nov-09 at 09:15

            I think what you are referring to are the questions mark like in this screenshot:

            This just means that the datatype of the data at this address is not yet defined in any way. For example, if you specify the data at this address to be of the type QWORD it will state dq and look like this:

            if it is a string it will contain ds and look like this



            Can Ghidra re-compile and run a short function?
            Asked 2021-Oct-23 at 09:19

            I've picked out a short and "self-contained" function from the Ghidra decompiler. Can Ghidra itself compile the function again so I can try to run it for a couple different values, or would I need to compile it myself with e.g. gcc?

            Attaching the function for context:



            Answered 2021-Oct-22 at 03:08

            You can, but you'll have to change some of the types to be standard C, or just add typedefs like so:


            Community Discussions, Code Snippets contain sources that include Stack Exchange Network


            In NSA Ghidra before 9.1, path traversal can occur in (from the package via an archive with an executable file that has an initial ../ in its filename. This allows attackers to overwrite arbitrary files in scenarios where an intermediate analysis result is archived for sharing with other persons. To achieve arbitrary code execution, one approach is to overwrite some critical Ghidra modules, e.g., the decompile module.
            NSA Ghidra through 9.0.4 uses a potentially untrusted search path. When executing Ghidra from a given path, the Java process working directory is set to this path. Then, when launching the Python interpreter via the "Ghidra Codebrowser > Window > Python" option, Ghidra will try to execute the cmd.exe program from this working directory.
            NSA Ghidra before 9.0.2 is vulnerable to DLL hijacking because it loads jansi.dll from the current working directory.
            NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document. This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/ An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).
            NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file.

            Install Ghidra

            There assumption that root of this repository is same as root of unpacked Ghidra distribution. This allow magic to happens. I need more time to put all supplementary code to the source control and generate proper build pipeline. CAUTION If you want to compile Ghidra using Gradle you have to wait a bit until RuntimeScripts module would be published. This is essentially command line scripts as far as I aware. Reason why do you need them, is that support/LaunchSupport.jar perform detection of Development/Production environment based on the presence of build.gradle in the root folder.


            For any new features, suggestions and bugs create an issue on GitHub. If you have any questions check and ask questions on community page Stack Overflow .
            Find more information at:

            Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items

            Find more libraries
          • HTTPS


          • CLI

            gh repo clone kant2002/Ghidra

          • sshUrl


          • Stay Updated

            Subscribe to our newsletter for trending solutions and developer bootcamps

            Agree to Sign up and Terms & Conditions

            Share this Page

            share link

            Explore Related Topics

            Consider Popular Reverse Engineering Libraries


            by NationalSecurityAgency


            by radareorg


            by icsharpcode


            by Konloch


            by WerWolv

            Try Top Libraries by kant2002


            by kant2002C#


            by kant2002C#


            by kant2002C#


            by kant2002C#


            by kant2002C++