gitmyhub

GhidraMCP

Java ★ 9.3k updated 1y ago

MCP Server for Ghidra

A plugin that connects the NSA's free reverse engineering tool Ghidra to AI assistants so the AI can automatically decompile binaries, list functions, and suggest names without manual clicking.

Java | Python | Maven | MCP | setup: hard | complexity 4/5

GhidraMCP connects Ghidra, a software analysis tool, to AI assistants so that the AI can help examine compiled programs. Ghidra is an open-source reverse engineering tool originally released by the NSA; it lets analysts open a compiled application and look inside it to understand what it does, even without access to the original source code. GhidraMCP adds a bridge so that AI assistants can use Ghidra's features automatically.

The bridge works through something called the Model Context Protocol, or MCP. MCP is a standard for letting AI chat tools call out to external software in a structured way. Once GhidraMCP is installed, an AI assistant can ask Ghidra to decompile a binary, list the functions it contains, rename things to more descriptive labels, and pull out imports and exports, all without the user having to click through Ghidra's interface manually.

Installation involves two pieces. First, you install a plugin into Ghidra using its built-in extension manager. Second, you run a small Python script that acts as the bridge between the AI client and Ghidra's local server. The project includes configuration examples for three AI clients: Claude Desktop, Cline, and 5ire. Each example shows what settings to change so the AI client knows where to find the running Ghidra instance.

The primary use case is security research and malware analysis. Instead of manually tracing through disassembled code, a researcher can ask an AI to walk through the binary, propose names for unnamed functions, and summarize what different sections of code appear to do. The AI still works within Ghidra's analysis environment; it is calling Ghidra's own decompiler and database rather than interpreting raw bytes itself.

Building from source requires Maven and a local Ghidra installation to copy library files from. Pre-built releases are available on the GitHub releases page for those who do not want to compile it themselves.

Where it fits