ghidra-headless
Reverse engineers binaries using Ghidra's headless analyzer. Use when decompiling executables, extracting functions, strings, symbols, or analyzing call graphs from compiled binaries without the Ghidra GUI.
Best use case
ghidra-headless is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Reverse engineers binaries using Ghidra's headless analyzer. Use when decompiling executables, extracting functions, strings, symbols, or analyzing call graphs from compiled binaries without the Ghidra GUI.
Teams using ghidra-headless should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/ghidra-headless/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How ghidra-headless Compares
| Feature / Agent | ghidra-headless | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Reverse engineers binaries using Ghidra's headless analyzer. Use when decompiling executables, extracting functions, strings, symbols, or analyzing call graphs from compiled binaries without the Ghidra GUI.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Ghidra Headless Analysis
Perform automated reverse engineering using Ghidra's `analyzeHeadless` tool.
Import binaries, run analysis, decompile to C code, and extract useful
information.
## When to Use
- Decompiling a binary to C pseudocode for review
- Extracting function signatures, strings, or symbols from executables
- Analyzing call graphs to understand binary control flow
- Triaging unknown binaries or firmware images
- Batch-analyzing multiple binaries for comparison
- Security auditing compiled code without source access
## When NOT to Use
- Source code is available — read it directly instead
- Interactive debugging is needed — use GDB, LLDB, or Ghidra GUI
- The binary is a .NET assembly — use dnSpy or ILSpy
- The binary is Java bytecode — use jadx or cfr
- Dynamic analysis is required — use a debugger or sandbox
## Quick Reference
| Task | Command |
|------|---------|
| Full analysis with all exports | `{baseDir}/scripts/ghidra-analyze.sh -s ExportAll.java -o ./output binary` |
| Decompile to C code | `{baseDir}/scripts/ghidra-analyze.sh -s ExportDecompiled.java -o ./output binary` |
| List functions | `{baseDir}/scripts/ghidra-analyze.sh -s ExportFunctions.java -o ./output binary` |
| Extract strings | `{baseDir}/scripts/ghidra-analyze.sh -s ExportStrings.java -o ./output binary` |
| Get call graph | `{baseDir}/scripts/ghidra-analyze.sh -s ExportCalls.java -o ./output binary` |
| Export symbols | `{baseDir}/scripts/ghidra-analyze.sh -s ExportSymbols.java -o ./output binary` |
| Find Ghidra path | `{baseDir}/scripts/find-ghidra.sh` |
## Prerequisites
- **Ghidra** must be installed. On macOS: `brew install --cask ghidra`
- **Java** (OpenJDK 17+) must be available
The skill automatically locates Ghidra in common installation paths. Set
`GHIDRA_HOME` environment variable if Ghidra is installed in a non-standard
location.
## Main Wrapper Script
```bash
{baseDir}/scripts/ghidra-analyze.sh [options] <binary>
```
Wrapper that handles project creation/cleanup and provides a simpler
interface to `analyzeHeadless`.
**Options:**
- `-o, --output <dir>` — Output directory for results (default: current dir)
- `-s, --script <name>` — Post-analysis script to run (can be repeated)
- `-a, --script-args <args>` — Arguments for the last specified script
- `--script-path <path>` — Additional script search path
- `-p, --processor <id>` — Processor/architecture (e.g., `x86:LE:32:default`)
- `-c, --cspec <id>` — Compiler spec (e.g., `gcc`, `windows`)
- `--no-analysis` — Skip auto-analysis (faster, but less info)
- `--timeout <seconds>` — Analysis timeout per file
- `--keep-project` — Keep the Ghidra project after analysis
- `--project-dir <dir>` — Directory for Ghidra project (default: /tmp)
- `--project-name <name>` — Project name (default: auto-generated)
- `-v, --verbose` — Verbose output
## Built-in Export Scripts
### ExportAll.java
Runs summary, decompilation, function list, strings, and interesting-pattern
exports. Does not include call graph or symbols — run ExportCalls.java and
ExportSymbols.java separately if needed. Best for initial analysis.
**Output files:**
- `{name}_summary.txt` — Overview: architecture, memory sections, function counts
- `{name}_decompiled.c` — All functions decompiled to C
- `{name}_functions.json` — Function list with signatures and calls
- `{name}_strings.txt` — All strings found (plain text; use ExportStrings.java for JSON)
- `{name}_interesting.txt` — Functions matching security-relevant patterns
```bash
{baseDir}/scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis firmware.bin
```
### ExportDecompiled.java
Decompile all functions to C pseudocode.
**Output:** `{name}_decompiled.c`
### ExportFunctions.java
Export function list as JSON with addresses, signatures, parameters, and
call relationships.
**Output:** `{name}_functions.json`
### ExportStrings.java
Extract all strings (ASCII, Unicode) with addresses.
**Output:** `{name}_strings.json`
### ExportCalls.java
Export function call graph showing caller/callee relationships. Includes
full call graph, potential entry points, and most frequently called functions.
**Output:** `{name}_calls.json`
### ExportSymbols.java
Export all symbols: imports, exports, and internal symbols.
**Output:** `{name}_symbols.json`
## Common Workflows
### Analyze an Unknown Binary
```bash
mkdir -p ./analysis
{baseDir}/scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis unknown_binary
cat ./analysis/unknown_binary_summary.txt
cat ./analysis/unknown_binary_interesting.txt
```
### Analyze Firmware
```bash
{baseDir}/scripts/ghidra-analyze.sh \
-p "ARM:LE:32:v7" \
-s ExportAll.java \
-o ./firmware_analysis \
firmware.bin
```
### Quick Function Listing
```bash
{baseDir}/scripts/ghidra-analyze.sh --no-analysis -s ExportFunctions.java -o . program
cat program_functions.json | jq '.functions[] | "\(.address): \(.name)"'
```
### Find Specific Patterns
```bash
# After running ExportDecompiled, search for patterns
grep -n "password\|secret\|key" output_decompiled.c
grep -n "strcpy\|sprintf\|gets" output_decompiled.c
```
## Architecture/Processor IDs
Common processor IDs for the `-p` option:
| Architecture | Processor ID |
|-------------|--------------|
| x86 32-bit | `x86:LE:32:default` |
| x86 64-bit | `x86:LE:64:default` |
| ARM 32-bit | `ARM:LE:32:v7` |
| ARM 64-bit | `AARCH64:LE:64:v8A` |
| MIPS 32-bit | `MIPS:BE:32:default` or `MIPS:LE:32:default` |
| PowerPC | `PowerPC:BE:32:default` |
## Troubleshooting
### Ghidra Not Found
```bash
{baseDir}/scripts/find-ghidra.sh
# Or set GHIDRA_HOME if in non-standard location
export GHIDRA_HOME=/path/to/ghidra_11.x_PUBLIC
```
### Analysis Takes Too Long
```bash
{baseDir}/scripts/ghidra-analyze.sh --timeout 300 -s ExportAll.java binary
# Or skip analysis for quick export
{baseDir}/scripts/ghidra-analyze.sh --no-analysis -s ExportSymbols.java binary
```
### Out of Memory
Set before running:
```bash
export MAXMEM=4G
```
### Wrong Architecture Detected
Explicitly specify the processor:
```bash
{baseDir}/scripts/ghidra-analyze.sh -p "ARM:LE:32:v7" -s ExportAll.java firmware.bin
```
## Tips
1. **Start with ExportAll.java** — gives everything; the summary helps orient
2. **Check interesting.txt** — highlights security-relevant functions automatically
3. **Use jq for JSON parsing** — JSON exports are designed to be machine-readable
4. **Decompilation isn't perfect** — use as a guide, cross-reference with disassembly
5. **Large binaries take time** — use `--timeout` and consider `--no-analysis` for quick scansRelated Skills
x-research
Searches X/Twitter for real-time perspectives, dev discussions, product feedback, breaking news, and expert opinions using the X API v2. Provides search with engagement sorting, user profiles, thread fetching, watchlists, and result caching. Use when: (1) user says "x research", "search x for", "search twitter for", "what are people saying about", "what's twitter saying", "check x for", "x search", (2) user needs recent X discourse on a topic (library releases, API changes, product launches, industry events), (3) user wants to find what devs/experts/community thinks about a topic. NOT for: posting tweets or account management.
wooyun-legacy
Provides web vulnerability testing methodology distilled from 88,636 real-world cases from the WooYun vulnerability database (2010-2016). Use when performing penetration testing, security audits, code reviews for security flaws, or vulnerability research. Covers SQL injection, XSS, command execution, file upload, path traversal, unauthorized access, information disclosure, and business logic flaws.
skill-extractor
Extracts reusable skills from work sessions. Use when: (1) a non-obvious problem was solved worth preserving, (2) a pattern was discovered that would help future sessions, (3) a workaround or debugging technique needs documentation. Manual invocation only via /skill-extractor command - no automatic triggers or hooks.
security-awareness
Teaches agents to recognize and avoid security threats during normal activity. Covers phishing detection, credential protection, domain verification, and social engineering defense. Use when building or operating agents that access email, credential vaults, web browsers, or sensitive data.
scv-scan
Audits Solidity codebases for smart contract vulnerabilities using a four-phase workflow (cheatsheet loading, codebase sweep, deep validation, reporting) covering 36 vulnerability classes. Use when auditing Solidity contracts for security issues, performing smart contract vulnerability scans, or reviewing Solidity code for common exploit patterns.
react-pdf
Generates PDF documents using the React-PDF library (@react-pdf/renderer) with TypeScript and JSX. Use when creating PDFs, generating reports, invoices, forms, resumes, or any document that needs flexbox layout, SVG graphics, custom fonts, or professional typesetting. Prefer over Python PDF libraries (ReportLab, fpdf2) when layout complexity matters.
planning-with-files
Implements file-based planning for complex multi-step tasks. Creates task_plan.md, findings.md, and progress.md as persistent working memory. Use when starting tasks requiring >5 tool calls, multi-phase projects, research, or any work where losing track of goals and progress would be costly.
openai-yeet
Use only when the user explicitly asks to stage, commit, push, and open a GitHub pull request in one flow using the GitHub CLI (`gh`). Originally from OpenAI's curated skills catalog.
openai-spreadsheet
Use when tasks involve creating, editing, analyzing, or formatting spreadsheets (`.xlsx`, `.csv`, `.tsv`) using Python (`openpyxl`, `pandas`), especially when formulas, references, and formatting need to be preserved and verified. Originally from OpenAI's curated skills catalog.
openai-sentry
Use when the user asks to inspect Sentry issues or events, summarize recent production errors, or pull basic Sentry health data via the Sentry API; perform read-only queries with the bundled script and require `SENTRY_AUTH_TOKEN`. Originally from OpenAI's curated skills catalog.
openai-security-threat-model
Repository-grounded threat modeling that enumerates trust boundaries, assets, attacker capabilities, abuse paths, and mitigations, and writes a concise Markdown threat model. Trigger only when the user explicitly asks to threat model a codebase or path, enumerate threats/abuse paths, or perform AppSec threat modeling. Do not trigger for general architecture summaries, code review, or non-security design work. Originally from OpenAI's curated skills catalog.
openai-security-ownership-map
Analyze git repositories to build a security ownership topology (people-to-file), compute bus factor and sensitive-code ownership, and export CSV/JSON for graph databases and visualization. Trigger only when the user explicitly wants a security-oriented ownership or bus-factor analysis grounded in git history (for example: orphaned sensitive code, security maintainers, CODEOWNERS reality checks for risk, sensitive hotspots, or ownership clusters). Do not trigger for general maintainer lists or non-security ownership questions. Originally from OpenAI's curated skills catalog.