Bridges Ghidra with AI assistants via MCP for natural language binary analysis and security insights.
Configuration
```
{
  "mcpServers": {
    "13bm-ghidramcp": {
      "url": "http://localhost:8765"
    }
  }
}
```
GhidraMCP enables AI assistants to connect to Ghidra for AI-assisted binary analysis using the Model Context Protocol. It lets you query binaries in natural language, retrieve function details and decompiled code, analyze memory layouts, and obtain security-focused insights directly from your Ghidra workspace.
Start by opening a Ghidra project with the MCP plugin enabled. The MCP server starts automatically and listens on localhost at port 8765. To verify, look in the Ghidra console for a message indicating that the server has started.
To work with an AI assistant, connect your MCP client to the running server. The plugin exposes a set of tools you can use to explore the loaded binary, ask questions in plain English, and obtain structured results. Typical workflows include querying function details, extracting API call sequences for security analysis, generating call graphs, and identifying potential user input sources.
Prerequisites you need installed before using GhidraMCP:
Ghidra 11.2.1+
Java 17 or newer
Python 3.8+ (for the bridge script)
Install the MCP extension in Ghidra by following these steps:
1) Download the latest release ZIP file containing the MCP extension
2) Open Ghidra
3) Navigate to File > Install Extensions
4) Click the "+" button and select the downloaded ZIP file
5) Restart Ghidra to complete the installation
6) Enable the extension by going to File > Configure > Miscellaneous and checking the box next to "MCPServerPlugin"
After enabling, start a Ghidra project. The MCP server will start automatically and listen on localhost:8765. If you need to verify, check the Ghidra console for a message like "MCP Server started on port 8765".
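A host-side check that complements the console message, added here as an example and not part of the GhidraMCP project: it parses `ss -ltnH` output and reports any listener on port 8765 that is bound to something other than loopback. The function names and sample lines are constructed for illustration, and it assumes a Linux host with iproute2's `ss`.

```python
import ipaddress
import subprocess

MCP_PORT = 8765  # port the page gives for the Ghidra MCP server

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 50  127.0.0.1:8765            0.0.0.0:*
LISTEN 0 128 0.0.0.0:22                0.0.0.0:*
LISTEN 0 50  *:8765                    *:*
LISTEN 0 50  [::1]:8765                [::]:*
LISTEN 0 50  [::ffff:127.0.0.1]:8765   *:*
"""

def split_local(field):
    """Split an ss 'Local Address:Port' field into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any %iface scope
    return host, int(port)

def is_loopback(host):
    """True for 127.0.0.0/8, ::1, or the IPv4-mapped form of a loopback address."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # "*" or anything unparseable counts as exposed
    mapped = getattr(addr, "ipv4_mapped", None)  # set for ::ffff:a.b.c.d
    return (addr if mapped is None else mapped).is_loopback

def exposed_listeners(ss_output, port=MCP_PORT):
    """Return local address fields bound to `port` that are not loopback-only."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, local_port = split_local(cols[3])
        if local_port == port and not is_loopback(host):
            exposed.append(cols[3])
    return exposed

if __name__ == "__main__":
    try:  # live check; falls back to the constructed sample if ss is unavailable
        out = subprocess.run(["ss", "-ltnH"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SS
    for field in exposed_listeners(out):
        print(f"port {MCP_PORT} reachable beyond loopback: {field}")
```

An empty result means every listener found on that port is loopback-only; a wildcard bind such as `*:8765` or `0.0.0.0:8765` is reported.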
If you want to connect an AI assistant (for example Claude) to GhidraMCP, install the bridge script and configure the MCP client as shown.
```
pip install FastMCP
```
To connect Claude, add the MCP server configuration to your Claude setup:
```
{
"mcpServers": {
"ghidra": {
"command": "python",
"args": ["PATH-TO-REPO/GhidraMCP/ghidra_server.py"]
}
}
}
```
The bridge script establishes a real-time connection between Ghidra and Claude for natural language binary analysis.
The MCP interface exposes a variety of tools you can invoke from your MCP client to enhance your analysis workflow. You can obtain detailed function information, analyze imports/exports, inspect memory layouts, and perform security-oriented queries.
If you prefer building the plugin from source, follow these steps to compile and generate the extension package.
```
git clone https://github.com/yourusername/GhidraMCP.git
```
Set up a Ghidra development environment according to your platform and configure the GHIDRA_INSTALL_DIR variable:
```
export GHIDRA_INSTALL_DIR=/path/to/ghidra
```
Build the extension:
```
./gradlew buildExtension
```
The extension ZIP will be created in the dist directory.
Retrieve detailed information about a function at a specific address, with optional decompilation.
Ask natural language questions about the loaded binary and receive contextual results.
List all imported functions in the binary to understand external dependencies.
List all exported functions to identify external interfaces.
Get the memory layout of the binary for analysis of data regions and code sections.
Connect to a specific Ghidra instance by host and port.
Rename a function by its current name to improve readability.
Rename a data label at a specific address.
Extract sequences of API calls from a function for security analysis.
Find potential sources of user input to assess input handling risks.
Generate a hierarchical call graph for a function with an optional max depth.
Detect cryptographic implementations and standard algorithms in the binary.
Locate strings that may be obfuscated through encoding or construction tricks.