
Ghidra – Software Reverse Engineering Framework

GHIDRA

What is GHIDRA?

Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.

In support of NSA’s Cybersecurity mission, Ghidra was built to solve scaling and teaming problems on complex SRE efforts, and to provide a customizable and extensible SRE research platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve analyzing malicious code and generating deep insights for SRE analysts who seek a better understanding of potential vulnerabilities in networks and systems.

Platforms supported

  • Microsoft Windows 7 or 10 (64-bit)
  • Linux (64-bit, CentOS 7 is preferred)
  • macOS (OS X) 10.8.3+ (Mountain Lion or later)
  • NOTE: All 32-bit OS installations are now deprecated. Please contact the Ghidra team if you have a specific need.

Minimum requirements

Hardware

  • 4 GB RAM
  • 1 GB storage (for installed Ghidra binaries)
  • Dual monitors strongly suggested

Software

  • Java 11 Runtime and Development Kit (JDK) (see Java Notes)
    • OpenJDK distributed from jdk.java.net is suggested

Installing GHIDRA

To install Ghidra, simply extract the Ghidra distribution file to the desired filesystem destination using any unzip program (built-in OS utilities, 7-Zip, WinZip, WinRAR, etc.).

Download Ghidra here.

After extracting Ghidra, you will see the following folder structure:

  • Ghidra: Base directory for the Ghidra distribution. Contains the files needed to run Ghidra.
  • Extensions: Optional components that can extend Ghidra’s functionality and integrate Ghidra with other tools. See the Extensions section for more information.
  • GPL: Standalone GPL support programs.
  • server: Contains files related to Ghidra Server installation and administration.
  • support: Contains files useful for debugging Ghidra, running Ghidra in advanced modes, and controlling how Ghidra launches.
  • docs: Contains documentation for Ghidra, such as release notes, API files, tutorials, etc.
  • ghidraRun(.bat): Script used to launch Ghidra.
  • LICENSE.txt: Ghidra license information.
  • licenses: Contains licenses used by Ghidra.

Install Notes

  • Ghidra does not use a traditional installer program. Instead, the Ghidra distribution file is simply extracted in-place on the filesystem. This approach has advantages and disadvantages. On the up side, administrative privilege is not required to install Ghidra for personal use. Also, because installing Ghidra does not update any OS configurations such as the registry on Windows, removing Ghidra is as simple as deleting the Ghidra installation directory. On the down side, Ghidra will not automatically create a shortcut on the desktop or appear in application start menus.
  • Administrative privilege may be required to extract Ghidra to certain filesystem destinations (such as C:\), as well as install the Ghidra Server as a service.
  • Ghidra relies on using directories outside of its installation directory to manage both temporary and longer-living cache files. Ghidra attempts to use standard OS directories that are designed for these purposes in order to avoid several issues, such as storing large amounts of data to a roaming profile. If it is suspected that the default location of these directories is causing a problem, they can be changed by modifying the relevant properties in the support/launch.properties file.

Java Notes

  • Ghidra requires a supported version of a Java Runtime and Development Kit on the PATH to run. However, if there is a version of Java on the PATH that Ghidra does not support, it will use that version of Java (if 1.7 or later) to assist in locating a supported version on your system. If one cannot be automatically located, the user will be prompted to enter a path to the Java home directory to use (the Java home directory is the parent directory of Java’s bin directory). This minimizes the impact Ghidra has on pre-existing configurations of Java that other software may rely on.
  • Ghidra is developed and tested against OpenJDK distributed from jdk.java.net. Consider using this OpenJDK distribution for the most stable experience.
  • If Ghidra fails to run because no version of Java is on the PATH, a supported JDK should be manually installed and added to the PATH. The following steps outline how to add an OpenJDK distribution to the operating system’s PATH.

Running Ghidra

GUI Mode

  1. Navigate to <GhidraInstallDir>
  2. Run ghidraRun.bat (Windows) or ghidraRun (Linux or macOS)

If Ghidra fails to launch, see the Troubleshooting section.

Ghidra Server
Ghidra can support multiple users working together on a single project. Individual Ghidra users launch and work on their own local copies of a particular Ghidra project but check changes into a common repository containing all commits to that repository. For detailed information on installing/configuring the Ghidra Server see the <GhidraInstallDir>/server/svrREADME.html file.

Headless (Batch) Mode
Ghidra is traditionally run in GUI mode. However, it is also capable of running in headless batch mode using the command line. For more information, see the <GhidraInstallDir>/support/analyzeHeadlessREADME.html file.
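The scripting support mentioned in the overview is what makes headless batch runs useful; as an added example that is not from the original post or the Ghidra project, here is a small Java GhidraScript that lists every call site of a few classic unbounded C string routines so an analyst can review them first. The class name and the list of function names are choices made for this example, not anything the page specifies.

```java
import ghidra.app.script.GhidraScript;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionManager;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.ReferenceManager;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Example triage script (hypothetical, written for this article): report
// each call to a well-known unbounded string routine and the function it sits in.
public class FindUnsafeCallSites extends GhidraScript {

    // Routine names to look for; chosen for this example, extend as needed.
    private static final Set<String> UNSAFE = new HashSet<>(
            Arrays.asList("strcpy", "strcat", "gets", "sprintf", "vsprintf", "scanf"));

    @Override
    public void run() throws Exception {
        FunctionManager fm = currentProgram.getFunctionManager();
        ReferenceManager rm = currentProgram.getReferenceManager();
        int hits = 0;

        // Walk all non-external functions in address order. Imports usually appear
        // as thunk stubs (PLT/IAT), so resolve each thunk to the function it targets.
        for (Function f : fm.getFunctions(true)) {
            Function target = f.isThunk() ? f.getThunkedFunction(true) : f;
            if (target == null || !UNSAFE.contains(target.getName())) {
                continue;
            }
            // Every reference to the stub's entry point; keep only actual calls
            // (this drops data references such as the stub's own jump-table read).
            for (Reference ref : rm.getReferencesTo(f.getEntryPoint())) {
                if (!ref.getReferenceType().isCall()) {
                    continue;
                }
                Function caller = getFunctionContaining(ref.getFromAddress());
                String callerName = caller == null ? "<no function>" : caller.getName();
                printf("%s @ %s -> %s%n", callerName, ref.getFromAddress(), target.getName());
                hits++;
            }
        }
        println("Unsafe call sites found: " + hits);
    }
}
```

Save the file in a directory on the Script Manager's script path and run it against an imported program from the GUI, or pass it to the headless analyzer with -postScript FindUnsafeCallSites.java; the results appear in the console or the headless log.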

Single Jar Mode
Normally, Ghidra is installed as an entire directory structure that allows modular inclusion or removal of feature sets and also provides many files that can be extended or configured. However, there are times when it would be useful to have all or some subset of Ghidra compressed into a single jar file at the expense of configuration options. This makes Ghidra easier to run from the command line for headless operation or to use as a library of reverse engineering capabilities for another Java application.

A single ghidra.jar file can be created using the <GhidraInstallDir>/support/buildGhidraJar script.

Demo

Start Ghidra by running ghidraRun.bat:

Create a new project. From the menu bar choose File -> New Project… or press Ctrl + N.

Select the project type: Shared Project or Non-Shared Project.

Select the project location and enter a project name:

Import a program:

File -> Import File…

In the Import File window you can set the import options:

After loading the file, Ghidra shows an Import Results Summary.

Once the import has finished, you can analyze the file with Ghidra.

In the next articles, I will give more detailed instructions on using Ghidra.
