nationalsecurityagency/ghidra

Analysis updated 2026-06-20

Stars · 68,090 Language · Java Audience · researcher Complexity · 3/5 Setup · moderate

TLDR

Ghidra is a free, open-source reverse engineering tool from the NSA that lets you analyze compiled programs, including malware, to understand what they do without needing the original source code.

Mindmap

mindmap
  root((Ghidra))
    What it does
      Reverse engineering
      Binary analysis
      Decompilation
    Key features
      Graphical UI
      Decompiler
      Control flow graphs
      Scripting support
    Tech stack
      Java
      Python scripts
    Use cases
      Malware analysis
      Vulnerability research
      CTF competitions
      Proprietary software study
What do people build with it?

USE CASE 1

Analyze a suspicious binary or malware sample to understand its behavior without executing it in a live environment.

USE CASE 2

Find security vulnerabilities in a closed-source application by examining its compiled code through decompilation.

USE CASE 3

Participate in CTF cybersecurity competitions that include reverse engineering challenges.

USE CASE 4

Study how a proprietary program works internally when no source code is publicly available.

What is it built with?

Java, Python

How does it compare?

Repo             | nationalsecurityagency/ghidra | thealgorithms/java | kdn251/interviews
Stars            | 68,090                       | 65,555             | 64,943
Language         | Java                         | Java               | Java
Setup difficulty | moderate                     | easy               | easy
Complexity       | 3/5                          | 1/5                | 1/5
Audience         | researcher                   | developer          | developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30 min

Requires Java 21 to be installed on your machine before Ghidra will launch.

Free to use for any purpose, including research and commercial security work.

In plain English

Ghidra is a free, open-source software reverse engineering framework created and maintained by the US National Security Agency. Reverse engineering in this context means taking a compiled program, a binary file that a computer can run, and analyzing it to understand what it does, even without access to the original source code. This is a common need in cybersecurity work: malware analysts examining suspicious programs, security researchers looking for vulnerabilities, and developers trying to understand how a piece of proprietary software behaves.

The tool provides a graphical desktop application where you can load a compiled binary and see it broken down into human-readable assembly language (a low-level representation of machine instructions) and even partially reconstructed higher-level code through its decompiler feature. The decompiler tries to infer what the original code logic might have looked like, making it much faster to understand a program than reading raw assembly alone. Ghidra also supports graphing the control flow of a program (showing how different parts of the code connect and branch), searching for patterns, and writing custom analysis scripts in Java or Python to automate tedious tasks. It supports a wide range of processor architectures and executable file formats across Windows, macOS, and Linux. You can use it interactively through its graphical interface or run it in automated mode for batch analysis.

You would reach for Ghidra when analyzing malware, doing security vulnerability research on closed-source software, participating in capture-the-flag security competitions, or studying how a compiled program works at a deep technical level. It competes with commercial tools like IDA Pro, offering similar capabilities at no cost. The project is written in Java and requires Java 21 to run. Extensions and scripts can be written in Java or Python.

Copy-paste prompts

Prompt 1
I have a suspicious Windows executable. Walk me through loading it into Ghidra, running auto-analysis, and finding suspicious function calls like CreateProcess or WriteFile.
Prompt 2
How do I write a Ghidra Python script to automatically find every call to a specific function across an entire binary?
Prompt 3
I'm doing a CTF reverse engineering challenge where a binary checks a password and prints correct or wrong. Help me use Ghidra's decompiler to find the password validation logic.
Prompt 4
How do I use Ghidra to diff two versions of the same binary to identify exactly what changed between them?

Frequently asked questions

What is ghidra?

Ghidra is a free, open-source reverse engineering tool from the NSA that lets you analyze compiled programs, including malware, to understand what they do without needing the original source code.

What language is ghidra written in?

Mainly Java. The stack also includes Python.

What license does ghidra use?

Free to use for any purpose, including research and commercial security work.

How hard is ghidra to set up?

Setup difficulty is rated moderate, with roughly 30 min to a first successful run.

Who is ghidra for?

Mainly researchers.
