Skills-curated ghidra-headless
```bash
git clone https://github.com/trailofbits/skills-curated
```

One-shot install into the local skills directory:

```bash
T=$(mktemp -d) && git clone --depth=1 https://github.com/trailofbits/skills-curated "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/ghidra-headless/skills/ghidra-headless" ~/.claude/skills/trailofbits-skills-curated-ghidra-headless && rm -rf "$T"
```
plugins/ghidra-headless/skills/ghidra-headless/SKILL.md

Ghidra Headless Analysis

Perform automated reverse engineering using Ghidra's analyzeHeadless tool. Import binaries, run analysis, decompile to C code, and extract useful information.
When to Use
- Decompiling a binary to C pseudocode for review
- Extracting function signatures, strings, or symbols from executables
- Analyzing call graphs to understand binary control flow
- Triaging unknown binaries or firmware images
- Batch-analyzing multiple binaries for comparison
- Security auditing compiled code without source access
When NOT to Use
- Source code is available — read it directly instead
- Interactive debugging is needed — use GDB, LLDB, or Ghidra GUI
- The binary is a .NET assembly — use dnSpy or ILSpy
- The binary is Java bytecode — use jadx or cfr
- Dynamic analysis is required — use a debugger or sandbox
Quick Reference
| Task | Command |
|---|---|
| Full analysis with all exports | `{baseDir}/scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis <binary>` |
| Decompile to C code | `{baseDir}/scripts/ghidra-analyze.sh -s ExportDecompiled.java <binary>` |
| List functions | `{baseDir}/scripts/ghidra-analyze.sh -s ExportFunctions.java <binary>` |
| Extract strings | `{baseDir}/scripts/ghidra-analyze.sh -s ExportStrings.java <binary>` |
| Get call graph | `{baseDir}/scripts/ghidra-analyze.sh -s ExportCalls.java <binary>` |
| Export symbols | `{baseDir}/scripts/ghidra-analyze.sh -s ExportSymbols.java <binary>` |
| Find Ghidra path | `{baseDir}/scripts/find-ghidra.sh` |
Prerequisites
- Ghidra must be installed. On macOS: `brew install --cask ghidra`
- Java (OpenJDK 17+) must be available

The skill automatically locates Ghidra in common installation paths. Set the GHIDRA_HOME environment variable if Ghidra is installed in a non-standard location.
Main Wrapper Script
```bash
{baseDir}/scripts/ghidra-analyze.sh [options] <binary>
```

Wrapper that handles project creation/cleanup and provides a simpler interface to analyzeHeadless.
Options:
- `-o, --output <dir>` — Output directory for results (default: current dir)
- `-s, --script <name>` — Post-analysis script to run (can be repeated)
- `-a, --script-args <args>` — Arguments for the last specified script
- `--script-path <path>` — Additional script search path
- `-p, --processor <id>` — Processor/architecture (e.g., `x86:LE:32:default`)
- `-c, --cspec <id>` — Compiler spec (e.g., `gcc`, `windows`)
- `--no-analysis` — Skip auto-analysis (faster, but less info)
- `--timeout <seconds>` — Analysis timeout per file
- `--keep-project` — Keep the Ghidra project after analysis
- `--project-dir <dir>` — Directory for Ghidra project (default: /tmp)
- `--project-name <name>` — Project name (default: auto-generated)
- `-v, --verbose` — Verbose output
Built-in Export Scripts
ExportAll.java
Runs summary, decompilation, function list, strings, and interesting-pattern exports. Does not include call graph or symbols — run ExportCalls.java and ExportSymbols.java separately if needed. Best for initial analysis.
Output files:
- `{name}_summary.txt` — Overview: architecture, memory sections, function counts
- `{name}_decompiled.c` — All functions decompiled to C
- `{name}_functions.json` — Function list with signatures and calls
- `{name}_strings.txt` — All strings found (plain text; use ExportStrings.java for JSON)
- `{name}_interesting.txt` — Functions matching security-relevant patterns

```bash
{baseDir}/scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis firmware.bin
```
ExportDecompiled.java
Decompile all functions to C pseudocode.
Output:
{name}_decompiled.c
ExportFunctions.java
Export function list as JSON with addresses, signatures, parameters, and call relationships.
Output:
{name}_functions.json
ExportStrings.java
Extract all strings (ASCII, Unicode) with addresses.
Output:
{name}_strings.json
ExportCalls.java
Export function call graph showing caller/callee relationships. Includes full call graph, potential entry points, and most frequently called functions.
Output:
{name}_calls.json
ExportSymbols.java
Export all symbols: imports, exports, and internal symbols.
Output:
{name}_symbols.json
Common Workflows
Analyze an Unknown Binary
```bash
mkdir -p ./analysis
{baseDir}/scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis unknown_binary
cat ./analysis/unknown_binary_summary.txt
cat ./analysis/unknown_binary_interesting.txt
```
Analyze Firmware
```bash
{baseDir}/scripts/ghidra-analyze.sh \
  -p "ARM:LE:32:v7" \
  -s ExportAll.java \
  -o ./firmware_analysis \
  firmware.bin
```
Quick Function Listing
```bash
{baseDir}/scripts/ghidra-analyze.sh --no-analysis -s ExportFunctions.java -o . program
jq -r '.functions[] | "\(.address): \(.name)"' program_functions.json
```
Find Specific Patterns
```bash
# After running ExportDecompiled, search for patterns
grep -n "password\|secret\|key" output_decompiled.c
grep -n "strcpy\|sprintf\|gets" output_decompiled.c
```
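Line-by-line grep loses the context of which function a hit belongs to. The following script is an added example (not part of the skill or of Ghidra) that parses `{name}_decompiled.c`, attributes each unsafe libc call to its enclosing decompiled function, and orders functions for review; it assumes the layout Ghidra's decompiler emits (a signature line, a line holding only `{`, the closing `}` at column 0) and embeds a constructed sample.

```python
"""Attribute unsafe libc calls in Ghidra decompiler output to their enclosing function.
Added example, not part of the skill; assumes the {name}_decompiled.c layout Ghidra
emits: a signature line, a line holding only '{', and the closing '}' at column 0."""
import re

# Sinks worth a closer look; the regex requires a call site, not just the name.
SINKS = ("strcpy", "strcat", "sprintf", "vsprintf", "gets", "scanf", "system", "memcpy")
CALL_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")
# Decompiled signature: return type, name, parameter list, no trailing ';'.
SIG_RE = re.compile(r"^[A-Za-z_][\w\s\*]*?\b([A-Za-z_]\w*)\s*\([^;]*\)\s*$")

def find_sinks(decompiled_c: str) -> dict:
    """Return {function_name: [(line_no, sink), ...]} for every sink call site."""
    hits, current, depth = {}, None, 0
    for no, line in enumerate(decompiled_c.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "/*", "*")):
            continue  # Ghidra's WARNING comments carry no code or braces
        if depth == 0 and (m := SIG_RE.match(stripped)):
            current = m.group(1)  # entered a new function's header
            continue
        if current and depth > 0:
            for c in CALL_RE.finditer(line):
                hits.setdefault(current, []).append((no, c.group(1)))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None  # the matching '}' closes the function body
    return hits

def triage_order(hits: dict) -> list:
    """Function names ordered by distinct sinks, then total calls, descending."""
    return sorted(hits, key=lambda f: (len({s for _, s in hits[f]}), len(hits[f])), reverse=True)

# Constructed sample in the shape of {name}_decompiled.c, not real tool output.
SAMPLE = """\
void FUN_00401000(char *param_1)
{
  char local_58 [80];
  strcpy(local_58,param_1);
  sprintf(local_58,"%s",param_1);
}

undefined8 main(int param_1,char **param_2)
{
  char local_108 [256];
  gets(local_108);
  FUN_00401000(local_108);
  return 0;
}
"""
```

Run `find_sinks(open("output_decompiled.c").read())` on real output and feed the result to `triage_order` to get the review queue; the sink list is a starting point, not a vulnerability verdict.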
Architecture/Processor IDs
Common processor IDs for the `-p` option:
| Architecture | Processor ID |
|---|---|
| x86 32-bit | `x86:LE:32:default` |
| x86 64-bit | `x86:LE:64:default` |
| ARM 32-bit | `ARM:LE:32:v7` |
| ARM 64-bit | `AARCH64:LE:64:v8A` |
| MIPS 32-bit | `MIPS:BE:32:default` or `MIPS:LE:32:default` |
| PowerPC | `PowerPC:BE:32:default` |
Troubleshooting
Ghidra Not Found
```bash
{baseDir}/scripts/find-ghidra.sh
# Or set GHIDRA_HOME if in non-standard location
export GHIDRA_HOME=/path/to/ghidra_11.x_PUBLIC
```
Analysis Takes Too Long
```bash
{baseDir}/scripts/ghidra-analyze.sh --timeout 300 -s ExportAll.java binary
# Or skip analysis for quick export
{baseDir}/scripts/ghidra-analyze.sh --no-analysis -s ExportSymbols.java binary
```
Out of Memory
Set before running:
```bash
export MAXMEM=4G
```
Wrong Architecture Detected
Explicitly specify the processor:
```bash
{baseDir}/scripts/ghidra-analyze.sh -p "ARM:LE:32:v7" -s ExportAll.java firmware.bin
```
Tips
- Start with ExportAll.java — gives everything; the summary helps orient
- Check interesting.txt — highlights security-relevant functions automatically
- Use jq for JSON parsing — JSON exports are designed to be machine-readable
- Decompilation isn't perfect — use as a guide, cross-reference with disassembly
- Large binaries take time — use `--timeout` and consider `--no-analysis` for quick scans