MCP Directory

GhidraMCP

Lets LLMs reverse engineer binaries in Ghidra: decompile functions, rename symbols, trace imports, exports and xrefs.

Unverified
stdio (local)
No auth
Stale
Java

Add to your client

Copy the config for your MCP client and paste it into its config file.

Install / run
python bridge_mcp_ghidra.py --ghidra-server http://127.0.0.1:8080/

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "ghidramcp": {
      "command": "python",
      "args": [
        "/ABSOLUTE_PATH_TO/bridge_mcp_ghidra.py",
        "--ghidra-server",
        "http://127.0.0.1:8080/"
      ]
    }
  }
}


Before you start

  • Ghidra installed (ghidra-sre.org)
  • Python 3 with the MCP Python SDK installed
  • GhidraMCP release zip matching your Ghidra version

About GhidraMCP

Architecturally it's a relay: the Java plugin embeds an HTTP server in Ghidra (port configurable under Edit → Tool Options → GhidraMCP HTTP Server), and the Python bridge translates MCP tool calls into requests against it. The bridge defaults to stdio but also runs as an SSE server (--transport sse --mcp-port 8081) for clients like Cline that prefer a remote-server URL.

What agents actually do with it: iterative reverse engineering. List and search functions, decompile the interesting ones, rename FUN_00401000-style symbols as understanding builds, fix prototypes and local-variable types so the decompilation gets cleaner, and leave decompiler/disassembly comments. Cross-reference tools (xrefs to/from, function xrefs, string lists) let a model chase data flow the way a human analyst would.

It became the best-known Ghidra/MCP integration (9k+ stars) because the write-back design makes LLM output durable — the renames and comments live in the Ghidra project file. Releases bundle the plugin zip and the bridge script together; building from source needs a handful of Ghidra jars copied into lib/ and Maven.

Trade-offs: Ghidra must be running with your binary open — this drives a live session rather than running headless. The local HTTP server has no authentication (a simplicity choice; localhost binding is the mitigation), and release zips track specific Ghidra versions, so a Ghidra upgrade can mean waiting for a release or rebuilding.

Tools & capabilities (27)

list_methods

List all function names in the program, paginated

list_classes

List all namespace/class names, paginated

decompile_function

Decompile a function by name and return the C-like source

decompile_function_by_address

Decompile the function at a given address

disassemble_function

Get assembly listing for the function at an address

rename_function

Rename a function by its current name

rename_function_by_address

Rename the function at a given address

rename_data

Rename a data label at an address

rename_variable

Rename a local variable within a function

set_function_prototype

Set a function's prototype/signature

set_local_variable_type

Change the type of a local variable

set_decompiler_comment

Add a comment visible in the decompiler view

set_disassembly_comment

Add a comment visible in the disassembly view

get_function_by_address

Get function info for an address

get_current_address

Get the address currently selected in Ghidra

get_current_function

Get the function currently open in Ghidra

list_functions

List all functions with signatures

list_segments

List memory segments, paginated

list_imports

List imported symbols, paginated

list_exports

List exported functions/symbols, paginated

list_namespaces

List non-global namespaces, paginated

list_data_items

List defined data labels and values, paginated

list_strings

List defined strings with optional filter

search_functions_by_name

Search functions whose name matches a substring

get_xrefs_to

Cross-references to a given address

get_xrefs_from

Cross-references made from a given address

get_function_xrefs

Cross-references to a function by name

When to use it

  • Malware triage: decompile suspicious functions, rename them as behavior becomes clear, and leave analysis comments
  • CTF reversing: find the flag-check function via string search and cross-references
  • Map an unfamiliar binary: imports, exports, and the call graph around a target function
  • Clean up a decompilation by bulk-renaming generic FUN_/DAT_ symbols with meaningful names

Quick setup

  1. Download the latest release zip from github.com/LaurieWired/GhidraMCP/releases
  2. In Ghidra: File → Install Extensions → + → select the zip → restart Ghidra
  3. Enable GhidraMCPPlugin under File → Configure → Developer (port configurable in Edit → Tool Options)
  4. Add the MCP config: `python /path/to/bridge_mcp_ghidra.py --ghidra-server http://127.0.0.1:8080/`
  5. Open a binary in Ghidra's CodeBrowser, then start prompting your client

Security notes

The Ghidra plugin opens an unauthenticated HTTP server (default 127.0.0.1:8080) — any local process can drive your Ghidra session, so keep it bound to localhost. Analysis itself stays on your machine, but decompiled code goes to your model provider whenever the agent reads it, which matters for proprietary or sensitive binaries.
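One way to confirm the plugin's listener is reachable from loopback only is the check below. It is an added example, not part of GhidraMCP. It assumes a little-endian Linux host, reads the kernel's /proc/net/tcp and /proc/net/tcp6 tables, and uses the default port 8080 named above. The sample tables are constructed for illustration.

```python
import ipaddress
import struct

# Constructed samples in /proc/net/tcp{,6} format (not captured from a real host).
# Assumes a little-endian machine (x86-64, ARM64), where each 32-bit word of
# the address is printed byte-swapped.
SAMPLE_LOOPBACK = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40001
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40002
"""
SAMPLE_EXPOSED = """\
  sl  local_address                         remote_address                        st ...
   0: 00000000000000000000000000000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40003
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN

def decode_addr(hex_addr):
    """Turn the kernel's hex form into an ipaddress object (IPv4 or IPv6)."""
    words = [hex_addr[i:i + 8] for i in range(0, len(hex_addr), 8)]
    raw = b"".join(struct.pack("<I", int(w, 16)) for w in words)
    ip = ipaddress.ip_address(raw)
    # A dual-stack (Java) socket reports 127.0.0.1 as ::ffff:127.0.0.1.
    return getattr(ip, "ipv4_mapped", None) or ip

def listeners(proc_text, port):
    """Return the local addresses in LISTEN state on `port`."""
    found = []
    for line in proc_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        addr, hex_port = fields[1].rsplit(":", 1)
        if int(hex_port, 16) == port:
            found.append(decode_addr(addr))
    return found

def exposure(proc_text, port=8080):
    """Classify the listener: 'not-listening', 'loopback-only' or 'exposed'."""
    addrs = listeners(proc_text, port)
    if not addrs:
        return "not-listening"
    return "loopback-only" if all(a.is_loopback for a in addrs) else "exposed"

if __name__ == "__main__":
    for name in ("/proc/net/tcp", "/proc/net/tcp6"):
        with open(name) as fh:
            print(name, exposure(fh.read()))
```

A result of "exposed" means the port is bound to a wildcard or routable address and other hosts on the network can reach the unauthenticated server.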

GhidraMCP FAQ

Is GhidraMCP an official NSA/Ghidra project?

No — it's a community project by researcher LaurieWired. Ghidra itself is the NSA's open-source reverse-engineering suite; GhidraMCP is a third-party plugin plus bridge that exposes it over MCP. Both are Apache-2.0.

Is it safe to use on sensitive binaries?

Everything runs locally, but two caveats: the plugin's HTTP server has no auth (keep it on 127.0.0.1), and any decompiled code the agent reads is sent to your model provider. For classified or NDA-bound binaries, that second point is usually the blocker.

Do I need to keep Ghidra open while using it?

Yes. The server runs inside Ghidra with your project loaded — the Python bridge only proxies MCP calls to that live session. Close Ghidra and the tools stop responding.
