一键导入
ghidra
Reverse engineer binaries using Ghidra's headless analyzer. Decompile executables, extract functions, strings, symbols, and analyze call graphs without GUI.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Reverse engineer binaries using Ghidra's headless analyzer. Decompile executables, extract functions, strings, symbols, and analyze call graphs without GUI.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
Use agent-browser-cli to perceive and control the supervised Chrome browser inside the sandbox, interact with pages, capture screenshots/PDFs, inspect cookies/CDP/network/console state, and troubleshoot only when needed.
Use OWASP Amass for authorized asset discovery, domain enumeration, and DNS intelligence on in-scope targets.
Use apktool for authorized Android APK resource decoding, manifest review, smali inspection, rebuild checks, and static mobile artifact triage.
Use file, 7z, unzip, tar-compatible tools, hashes, and bounded shell inspection for safe triage of provided archives and unknown files.
Use binwalk for authorized firmware, binary blob, archive, filesystem, and embedded-content triage with bounded extraction and evidence handling.
Use the pwntools-provided checksec CLI for authorized ELF hardening review, mitigation checks, and binary triage evidence.
| name | ghidra |
| description | Use Ghidra headless analysis for authorized binary reverse engineering, decompilation, function/string/symbol export, and call graph analysis without a GUI. |
Use Ghidra's analyzeHeadless tool through the bundled wrapper for automated reverse engineering. Import binaries, run analysis, decompile to C code, and export functions, strings, symbols, and call graphs.
Before constructing commands, run the wrapper help and use it as the source of truth:
.agents/skills/ghidra/scripts/ghidra-analyze.sh --help
.agents/skills/ghidra/scripts/ghidra-analyze.sh.agents/skills/ghidra/scripts/ghidra_scripts/usr/local/bin/analyzeHeadless| Task | Command |
|---|---|
| Full analysis with all exports | .agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportAll.java -o ./output binary |
| Decompile to C code | .agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportDecompiled.java -o ./output binary |
| List functions | .agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportFunctions.java -o ./output binary |
| Extract strings | .agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportStrings.java -o ./output binary |
| Get call graph | .agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportCalls.java -o ./output binary |
| Export symbols | .agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportSymbols.java -o ./output binary |
.agents/skills/ghidra/scripts/ghidra-analyze.sh [options] <binary>
Always call the wrapper with its .agents/skills/ghidra/... path. It handles project creation/cleanup and provides a simpler interface to analyzeHeadless.
ExportAll.java for first-pass analysis unless the task needs a narrower export.--processor and --cspec when auto-detection is wrong or firmware context is known.--timeout for large or hostile samples and --keep-project only when the task requires later project reuse.Options:
-o, --output <dir> - Output directory for results (default: current dir)-s, --script <name> - Post-analysis script to run (can be repeated)-a, --script-args <args> - Arguments for the last specified script--script-path <path> - Additional script search path-p, --processor <id> - Processor/architecture (e.g., x86:LE:32:default)-c, --cspec <id> - Compiler spec (e.g., gcc, windows)--no-analysis - Skip auto-analysis (faster, but less info)--timeout <seconds> - Analysis timeout per file--keep-project - Keep the Ghidra project after analysis--project-dir <dir> - Directory for Ghidra project (default: /tmp)--project-name <name> - Project name (default: auto-generated)-v, --verbose - Verbose outputComprehensive export - runs all other exports and creates a summary. Best for initial analysis.
Output files:
{name}_summary.txt - Overview: architecture, memory sections, function counts{name}_decompiled.c - All functions decompiled to C{name}_functions.json - Function list with signatures and calls{name}_strings.txt - All strings found{name}_interesting.txt - Functions matching security-relevant patterns.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis firmware.bin
Decompile all functions to C pseudocode.
Output: {name}_decompiled.c
.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportDecompiled.java -o ./output program.exe
Export function list as JSON with addresses, signatures, parameters, and call relationships.
Output: {name}_functions.json
{
"program": "example.exe",
"architecture": "x86",
"functions": [
{
"name": "main",
"address": "0x00401000",
"size": 256,
"signature": "int main(int argc, char **argv)",
"returnType": "int",
"callingConvention": "cdecl",
"isExternal": false,
"parameters": [{"name": "argc", "type": "int"}, ...],
"calls": ["printf", "malloc", "process_data"],
"calledBy": ["_start"]
}
]
}
Extract all strings (ASCII, Unicode) with addresses.
Output: {name}_strings.json
.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportStrings.java -o ./output malware.exe
Export function call graph showing caller/callee relationships.
Output: {name}_calls.json
Includes:
Export all symbols: imports, exports, and internal symbols.
Output: {name}_symbols.json
# Create output directory
mkdir -p ./analysis
# Run comprehensive analysis
.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis unknown_binary
# Review the summary first with bounded reads
sed -n '1,160p' ./analysis/unknown_binary_summary.txt
# Look at interesting patterns (crypto, network, dangerous functions)
sed -n '1,160p' ./analysis/unknown_binary_interesting.txt
# Check specific decompiled functions
grep -A 50 "encrypt" ./analysis/unknown_binary_decompiled.c
# Specify ARM architecture for firmware
.agents/skills/ghidra/scripts/ghidra-analyze.sh \
-p "ARM:LE:32:v7" \
-s ExportAll.java \
-o ./firmware_analysis \
firmware.bin
# Just get function names and addresses (faster)
.agents/skills/ghidra/scripts/ghidra-analyze.sh --no-analysis -s ExportFunctions.java -o . program
# Parse with jq
jq '.functions[] | "\(.address): \(.name)"' program_functions.json
# After running ExportDecompiled, search for patterns
grep -n "password\|secret\|key" output_decompiled.c
grep -n "strcpy\|sprintf\|gets" output_decompiled.c
for bin in ./samples/*; do
name=$(basename "$bin")
.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportAll.java -o "./results/$name" "$bin"
done
Common processor IDs for the -p option:
| Architecture | Processor ID |
|---|---|
| x86 32-bit | x86:LE:32:default |
| x86 64-bit | x86:LE:64:default |
| ARM 32-bit | ARM:LE:32:v7 |
| ARM 64-bit | AARCH64:LE:64:v8A |
| MIPS 32-bit | MIPS:BE:32:default or MIPS:LE:32:default |
| PowerPC | PowerPC:BE:32:default |
Find all available processors:
ls /opt/ghidra/Ghidra/Processors/
Inside the sandbox, GHIDRA_HOME is /opt/ghidra and the wrapper should find /usr/local/bin/analyzeHeadless. If running the skill outside the image, set GHIDRA_HOME explicitly:
export GHIDRA_HOME=/path/to/ghidra_PUBLIC
.agents/skills/ghidra/scripts/ghidra-analyze.sh ...
# Set a timeout (seconds)
.agents/skills/ghidra/scripts/ghidra-analyze.sh --timeout 300 -s ExportAll.java binary
# Skip analysis for quick export
.agents/skills/ghidra/scripts/ghidra-analyze.sh --no-analysis -s ExportSymbols.java binary
Set a larger Ghidra heap before running the wrapper:
export MAXMEM=4G
Explicitly specify the processor:
.agents/skills/ghidra/scripts/ghidra-analyze.sh -p "ARM:LE:32:v7" -s ExportAll.java firmware.bin
--timeout and consider --no-analysis for quick scansReport the artifact path, wrapper command used, output directory, key exported files, architecture or processor assumptions, relevant findings, and limitations such as timeout, decompiler failures, or unresolved processor selection.