Ghidra 无头分析技能：自动化逆向工程与二进制文件反编译工具

ghidra by mitsuhiko/agent-stuff

135 周安装量

1,800 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/mitsuhiko/agent-stuff --skill ghidra

自动化静态分析安全

🇨🇳中文介绍

Ghidra 无头分析技能

使用 Ghidra 的 analyzeHeadless 工具执行自动化逆向工程。导入二进制文件，运行分析，反编译为 C 代码，并提取有用信息。

快速参考

任务	命令
包含所有导出的完整分析	`ghidra-analyze.sh -s ExportAll.java -o ./output binary`
反编译为 C 代码	`ghidra-analyze.sh -s ExportDecompiled.java -o ./output binary`
列出函数	`ghidra-analyze.sh -s ExportFunctions.java -o ./output binary`
提取字符串	`ghidra-analyze.sh -s ExportStrings.java -o ./output binary`

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

相关 Skills

FlyClaw：零登录航班聚合查询工具，Python实现多源航班信息与价格搜索

4,000,000 周安装

Azure RBAC 权限管理工具：查找最小角色、创建自定义角色与自动化分配

127,200 周安装

GitHub Actions 官方文档查询助手 - 精准解答 CI/CD 工作流问题

36,800 周安装

Linux云主机安全托管指南：从SSH加固到HTTPS部署

36,600 周安装

-o, --output <dir> - 结果输出目录（默认：当前目录）
-s, --script <name> - 要运行的分析后脚本（可重复）
-a, --script-args <args> - 最后指定脚本的参数
--script-path <path> - 额外的脚本搜索路径
-p, --processor <id> - 处理器/架构（例如，x86:LE:32:default）
-c, --cspec <id> - 编译器规范（例如，gcc, windows）
--no-analysis - 跳过自动分析（更快，但信息较少）
--timeout <seconds> - 每个文件的分析超时时间
--keep-project - 分析后保留 Ghidra 项目
--project-dir <dir> - Ghidra 项目目录（默认：/tmp）
--project-name <name> - 项目名称（默认：自动生成）
-v, --verbose - 详细输出

{name}_summary.txt - 概述：架构、内存段、函数数量
{name}_decompiled.c - 所有函数反编译为 C 代码
{name}_functions.json - 包含签名和调用的函数列表
{name}_strings.txt - 找到的所有字符串
{name}_interesting.txt - 匹配安全相关模式的函数

./scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis firmware.bin

{
  "program": "example.exe",
  "architecture": "x86",
  "functions": [
    {
      "name": "main",
      "address": "0x00401000",
      "size": 256,
      "signature": "int main(int argc, char **argv)",
      "returnType": "int",
      "callingConvention": "cdecl",
      "isExternal": false,
      "parameters": [{"name": "argc", "type": "int"}, ...],
      "calls": ["printf", "malloc", "process_data"],
      "calledBy": ["_start"]
    }
  ]
}

# 创建输出目录
mkdir -p ./analysis

# 运行综合分析
./scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis unknown_binary

# 首先查看摘要
cat ./analysis/unknown_binary_summary.txt

# 查看有趣的模式（加密、网络、危险函数）
cat ./analysis/unknown_binary_interesting.txt

# 检查特定的反编译函数
grep -A 50 "encrypt" ./analysis/unknown_binary_decompiled.c

架构	处理器 ID
x86 32 位	`x86:LE:32:default`
x86 64 位	`x86:LE:64:default`
ARM 32 位	`ARM:LE:32:v7`
ARM 64 位	`AARCH64:LE:64:v8A`
MIPS 32 位	`MIPS:BE:32:default` 或 `MIPS:LE:32:default`
PowerPC	`PowerPC:BE:32:default`

从 ExportAll.java 开始 - 它提供所有内容，摘要有助于定位
检查 interesting.txt 文件 - 它会自动高亮显示安全相关函数
使用 jq 解析 JSON - JSON 导出设计为机器可读
反编译并不完美 - 将其作为指南，与反汇编进行交叉参考
大型二进制文件需要时间 - 使用 --timeout 并考虑使用 --no-analysis 进行快速扫描

🇺🇸English

Ghidra Headless Analysis Skill

Perform automated reverse engineering using Ghidra's analyzeHeadless tool. Import binaries, run analysis, decompile to C code, and extract useful information.

Quick Reference

Task	Command
Full analysis with all exports	`ghidra-analyze.sh -s ExportAll.java -o ./output binary`
Decompile to C code	`ghidra-analyze.sh -s ExportDecompiled.java -o ./output binary`
List functions	`ghidra-analyze.sh -s ExportFunctions.java -o ./output binary`
Extract strings	`ghidra-analyze.sh -s ExportStrings.java -o ./output binary`
Get call graph	`ghidra-analyze.sh -s ExportCalls.java -o ./output binary`
Export symbols	`ghidra-analyze.sh -s ExportSymbols.java -o ./output binary`
Find Ghidra path	`find-ghidra.sh`

Prerequisites

Ghidra must be installed. On macOS: brew install --cask ghidra
Java (OpenJDK 17+) must be available

The skill automatically locates Ghidra in common installation paths. Set GHIDRA_HOME environment variable if Ghidra is installed in a non-standard location.

Main Wrapper Script

./scripts/ghidra-analyze.sh [options] <binary>

Wrapper that handles project creation/cleanup and provides a simpler interface to analyzeHeadless.

Options:

-o, --output <dir> - Output directory for results (default: current dir)
-s, --script <name> - Post-analysis script to run (can be repeated)
-a, --script-args <args> - Arguments for the last specified script
--script-path <path> - Additional script search path
-p, --processor <id> - Processor/architecture (e.g., x86:LE:32:default)
-c, --cspec <id> - Compiler spec (e.g., gcc, windows)
--no-analysis - Skip auto-analysis (faster, but less info)

Built-in Export Scripts

ExportAll.java

Comprehensive export - runs all other exports and creates a summary. Best for initial analysis.

Output files:

{name}_summary.txt - Overview: architecture, memory sections, function counts
{name}_decompiled.c - All functions decompiled to C
{name}_functions.json - Function list with signatures and calls
{name}_strings.txt - All strings found
{name}_interesting.txt - Functions matching security-relevant patterns

./scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis firmware.bin

ExportDecompiled.java

Decompile all functions to C pseudocode.

Output: {name}_decompiled.c

./scripts/ghidra-analyze.sh -s ExportDecompiled.java -o ./output program.exe

ExportFunctions.java

Export function list as JSON with addresses, signatures, parameters, and call relationships.

Output: {name}_functions.json

{
  "program": "example.exe",
  "architecture": "x86",
  "functions": [
    {
      "name": "main",
      "address": "0x00401000",
      "size": 256,
      "signature": "int main(int argc, char **argv)",
      "returnType": "int",
      "callingConvention": "cdecl",
      "isExternal": false,
      "parameters": [{"name": "argc", "type": "int"}, ...],
      "calls": ["printf", "malloc", "process_data"],
      "calledBy": ["_start"]
    }
  ]
}

ExportStrings.java

Extract all strings (ASCII, Unicode) with addresses.

Output: {name}_strings.json

./scripts/ghidra-analyze.sh -s ExportStrings.java -o ./output malware.exe

ExportCalls.java

Export function call graph showing caller/callee relationships.

Output: {name}_calls.json

Includes:

Full call graph
Potential entry points (functions with no callers)
Most frequently called functions

ExportSymbols.java

Export all symbols: imports, exports, and internal symbols.

Output: {name}_symbols.json

Common Workflows

Analyze an Unknown Binary

# Create output directory
mkdir -p ./analysis

# Run comprehensive analysis
./scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis unknown_binary

# Review the summary first
cat ./analysis/unknown_binary_summary.txt

# Look at interesting patterns (crypto, network, dangerous functions)
cat ./analysis/unknown_binary_interesting.txt

# Check specific decompiled functions
grep -A 50 "encrypt" ./analysis/unknown_binary_decompiled.c

Analyze Firmware

# Specify ARM architecture for firmware
./scripts/ghidra-analyze.sh \
    -p "ARM:LE:32:v7" \
    -s ExportAll.java \
    -o ./firmware_analysis \
    firmware.bin

Quick Function Listing

# Just get function names and addresses (faster)
./scripts/ghidra-analyze.sh --no-analysis -s ExportFunctions.java -o . program

# Parse with jq
cat program_functions.json | jq '.functions[] | "\(.address): \(.name)"'

Find Specific Patterns

# After running ExportDecompiled, search for patterns
grep -n "password\|secret\|key" output_decompiled.c
grep -n "strcpy\|sprintf\|gets" output_decompiled.c

Analyze Multiple Binaries

for bin in ./samples/*; do
    name=$(basename "$bin")
    ./scripts/ghidra-analyze.sh -s ExportAll.java -o "./results/$name" "$bin"
done

Architecture/Processor IDs

Common processor IDs for the -p option:

Architecture	Processor ID
x86 32-bit	`x86:LE:32:default`
x86 64-bit	`x86:LE:64:default`
ARM 32-bit	`ARM:LE:32:v7`
ARM 64-bit	`AARCH64:LE:64:v8A`
MIPS 32-bit	`MIPS:BE:32:default` or `MIPS:LE:32:default`
PowerPC

Find all available processors:

ls "$(dirname $(./scripts/find-ghidra.sh))/../Ghidra/Processors/"

Troubleshooting

Ghidra Not Found

# Check if Ghidra is installed
./scripts/find-ghidra.sh

# Set GHIDRA_HOME if in non-standard location
export GHIDRA_HOME=/path/to/ghidra_11.x_PUBLIC
./scripts/ghidra-analyze.sh ...

Analysis Takes Too Long

# Set a timeout (seconds)
./scripts/ghidra-analyze.sh --timeout 300 -s ExportAll.java binary

# Skip analysis for quick export
./scripts/ghidra-analyze.sh --no-analysis -s ExportSymbols.java binary

Out of Memory

Edit the analyzeHeadless script or set:

export MAXMEM=4G

Wrong Architecture Detected

Explicitly specify the processor:

./scripts/ghidra-analyze.sh -p "ARM:LE:32:v7" -s ExportAll.java firmware.bin

Tips

Start with ExportAll.java - It gives you everything and the summary helps orient you
Check the interesting.txt file - It highlights security-relevant functions automatically
Use jq for JSON parsing - The JSON exports are designed to be machine-readable
Decompilation isn't perfect - Use it as a guide, cross-reference with disassembly
Large binaries take time - Use --timeout and consider --no-analysis for quick scans

Weekly Installs

135

Repository

mitsuhiko/agent-stuff

GitHub Stars

1.8K

First Seen

Jan 22, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

codex126

gemini-cli124

opencode121

cursor120

github-copilot109

claude-code105

Ghidra 无头分析技能：自动化逆向工程与二进制文件反编译工具

🇨🇳中文介绍

Ghidra 无头分析技能

快速参考

相关 Skills

先决条件

主包装脚本

内置导出脚本

ExportAll.java

ExportDecompiled.java

ExportFunctions.java

ExportStrings.java

ExportCalls.java

ExportSymbols.java

常见工作流程

分析未知二进制文件

分析固件

快速函数列表

查找特定模式

分析多个二进制文件

架构/处理器 ID

故障排除

未找到 Ghidra

分析时间过长

内存不足

检测到错误的架构

提示

🇺🇸English

Ghidra Headless Analysis Skill

Quick Reference

Prerequisites

Main Wrapper Script

Built-in Export Scripts

ExportAll.java

ExportDecompiled.java

ExportFunctions.java

ExportStrings.java

ExportCalls.java

ExportSymbols.java

Common Workflows

Analyze an Unknown Binary

Analyze Firmware

Quick Function Listing

Find Specific Patterns

Analyze Multiple Binaries

Architecture/Processor IDs

Troubleshooting

Ghidra Not Found

Analysis Takes Too Long

Out of Memory

Wrong Architecture Detected

Tips

最新 Skills