
Ghidra Reverse Engineering Tutorial for Beginners

Learn how to use Ghidra to reverse engineer binaries, analyze malware, and understand compiled code with this beginner-friendly tutorial.


Ghidra is a free, open-source reverse engineering framework developed and released by the NSA. It competes directly with IDA Pro — a tool that costs thousands of dollars — and for many use cases it matches or exceeds it. Ghidra can disassemble and decompile binaries for x86, x86-64, ARM, MIPS, PowerPC, and dozens of other architectures. If you want to understand how software works at the machine level, analyze malware, crack CTF challenges, or audit closed-source applications, Ghidra is your starting point.

Installing Ghidra

Ghidra requires Java 17 or later. Install it on Kali Linux with:

sudo apt update && sudo apt install ghidra -y

Or download the latest release from ghidra-sre.org, extract the archive, and launch:

unzip ghidra_11.x_PUBLIC.zip
cd ghidra_11.x_PUBLIC
./ghidraRun

On first launch, Ghidra opens a project manager. Create a new non-shared project and give it a name — every binary you analyze lives inside a project.

Importing a Binary

Drag and drop a binary into the project window, or go to File > Import File. Ghidra auto-detects the format (ELF, PE, Mach-O, raw binary) and architecture. For a standard Linux ELF:

# Grab a simple test binary
gcc -o hello hello.c

Import hello into Ghidra. The import dialog shows detected language (x86:LE:64:default for a 64-bit Linux binary) and compiler (gcc). Accept the defaults and click OK, then double-click the binary to open the CodeBrowser.

The CodeBrowser Interface

The CodeBrowser is Ghidra’s main analysis workspace. Key panels:

  • Listing (center) — Disassembly view. Every instruction is shown with its address, bytes, and mnemonic.
  • Decompiler (right) — Pseudo-C output derived from the disassembly. This is Ghidra’s killer feature.
  • Symbol Tree (left) — Functions, labels, imports, exports organized in a tree.
  • Data Type Manager (bottom left) — Known struct and type definitions.
  • Program Trees — Segments and sections of the binary (.text, .data, .bss).

Running Auto-Analysis

When you first open a binary, Ghidra asks if you want to run auto-analysis. Always say yes. Auto-analysis runs dozens of analyzers that:

  • Identify function boundaries
  • Recover calling conventions
  • Apply known library signatures (via Function ID and FLIRT-style matching)
  • Mark strings and cross-references
  • Detect switch tables

Analysis can take a few seconds for small binaries or several minutes for large ones. Watch the progress bar at the bottom right.

Press G to go to any address. Press F to search for functions by name. Click any function in the Symbol Tree to jump to it in both the Listing and Decompiler simultaneously.

In the Decompiler panel, you’ll see output like:

undefined8 main(void)
{
  puts("Hello, World!");
  return 0;
}

This is not perfect C — it’s a best-effort reconstruction. Variable names like local_10 or param_1 are auto-generated. Rename them by right-clicking and selecting Rename Variable (shortcut: L). Good naming transforms unreadable code into something you can actually reason about.

Renaming and Retyping

Reverse engineering is largely an exercise in progressive refinement. As you figure out what a variable or function does:

  • Press L on a variable or function to rename it.
  • Press T to retype a variable (e.g., change undefined * to char *).
  • Right-click a struct field offset and choose Auto Create Structure to let Ghidra infer a struct layout from usage patterns.

These changes propagate everywhere in the project, making the codebase progressively more readable.

Finding Strings and Cross-References

Strings are often the fastest way to orient yourself in an unknown binary.

Window > Defined Strings lists every string Ghidra found. Search for interesting terms like “password”, “error”, “admin”, or “key”. Click any string to jump to its location in the Listing.

Once at a string, press X (or right-click > References > Show References to Address) to see every location in the binary that references it. This is how you find the function that prints an error message, for example.

Analyzing Malware: Practical Workflow

When analyzing a suspicious binary:

  1. Static properties first — Check imports (DLL names, syscalls), strings, and entropy before opening in Ghidra. High-entropy sections suggest packing or encryption.
  2. Entry point — Start at _start or main. Follow calls outward.
  3. Suspicious API calls — Look for VirtualAlloc, WriteProcessMemory, CreateRemoteThread (Windows) or mmap, ptrace, execve (Linux).
  4. Deobfuscate strings — Malware often XOR-encodes strings. Identify the decryption loop in the Decompiler and use Ghidra’s Script Manager to run a Python script that decodes them.

# Example Ghidra script to XOR-decode a string at a known address.
# Run it from the Script Manager: currentProgram and getByte() are provided by the
# GhidraScript flat API, so this only works inside Ghidra (Jython).
from ghidra.program.model.mem import MemoryAccessException

addr = currentProgram.getAddressFactory().getAddress("0x00401234")  # start of the encoded string
key = 0x42     # single-byte XOR key recovered from the decryption loop
length = 32    # number of encoded bytes
data = []
try:
    for i in range(length):
        b = getByte(addr.add(i)) & 0xFF   # getByte() returns a signed Java byte
        data.append(chr(b ^ key))
except MemoryAccessException:
    print("unreadable memory near %s" % addr)
print(''.join(data))

Run scripts via Window > Script Manager, search for your script, and click the green play button.
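Steps 1 and 4 of this workflow can also be rehearsed outside Ghidra. The following Python script is an added example, not code from the article or from Ghidra: it computes Shannon entropy over section bytes to flag likely packing, and goes one step beyond the script above by brute-forcing the single-byte XOR key instead of assuming it is known, scoring each candidate by how much the output looks like a NUL-terminated C string. The section bytes and the encoded string are constructed inline, and the 7.2 entropy threshold is an assumed rule of thumb, not a Ghidra setting.

```python
import math
from collections import Counter

def shannon_entropy(data):
    """Entropy in bits per byte (0.0 to 8.0). Ordinary code and data usually
    land around 5 to 6.5; packed or encrypted sections approach 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_packed(section, threshold=7.2):
    """Flag a section as probably packed or encrypted. The 7.2 cut-off is an
    assumed rule of thumb; tune it against known-good binaries."""
    return shannon_entropy(section) > threshold

def cstring_score(buf):
    """Count bytes that are printable ASCII or a NUL terminator: the right XOR
    key turns an encoded C string back into text followed by its 0x00."""
    return sum(1 for b in buf if 0x20 <= b < 0x7f or b == 0)

def recover_xor_key(blob):
    """Brute-force all 256 single-byte keys and return (key, decoded) for the
    candidate whose output looks most like a C string."""
    _, key = max((cstring_score(bytes(b ^ k for b in blob)), k) for k in range(256))
    return key, bytes(b ^ key for b in blob)

# Constructed sample data, not bytes taken from any real binary.
PACKED_SECTION = bytes(range(256)) * 4                # every byte value equally likely
TEXT_SECTION = b"Hello, World!\x00Goodbye.\x00" * 20  # plain C strings
ENCODED_STRING = bytes(b ^ 0x42 for b in b"Hello, World!\x00")  # key 0x42, as in the script above

if __name__ == "__main__":
    for name, sec in (("packed", PACKED_SECTION), ("text", TEXT_SECTION)):
        print("%-6s entropy=%.2f packed=%s" % (name, shannon_entropy(sec), looks_packed(sec)))
    key, plain = recover_xor_key(ENCODED_STRING)
    print("recovered key 0x%02x -> %r" % (key, plain))
```

On a real sample, feed each section's bytes from the Program Trees panel to looks_packed and the encoded bytes you located in the Listing to recover_xor_key.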

Patching Binaries

Ghidra lets you patch instructions directly. Right-click an instruction in the Listing and choose Patch Instruction. Change a conditional jump (JNZ) to an unconditional jump (JMP) to bypass a license check, for example. Export the patched binary via File > Export Program > Original File with the patch applied.

Collaboration with Ghidra Server

Ghidra supports a shared server mode where multiple analysts work on the same project simultaneously. Start the server with:

# Create a user account on the server
./server/svrAdmin -add username
# Start the server (./server/svrInstall registers it as a system service first)
./server/ghidraSvr start

Team members connect through File > New Project > Shared Project. Changes merge in real time, making Ghidra practical for large malware analysis teams.

Learning Resources and CTF Practice

The best way to learn reverse engineering is practice. Good starting points:

  • Crackmes.one — Community-submitted reverse engineering challenges.
  • picoCTF — Beginner-friendly CTF with RE categories.
  • pwn.college — Structured RE and binary exploitation training.
  • Ghidra’s own CheatSheet.html in the installation directory.

Conclusion

Ghidra is a professional-grade reverse engineering tool that costs nothing. Its decompiler dramatically accelerates analysis compared to reading raw assembly, and its scripting API lets you automate repetitive tasks. Start with simple binaries — compiled “Hello World” programs or easy crackme challenges — build your vocabulary of x86 instructions, and gradually work up to real-world software. Reverse engineering is a skill that rewards patience and curiosity above all else.
