General
Installation
- Download the latest release from https://github.com/NationalSecurityAgency/ghidra/releases
- Extract the release
- Change to the extracted directory and run ./ghidraRun
Upgrade Ghidra
Simply follow the instructions above under Installation to download and run the latest release. The previous release directory can be deleted. You will be prompted as needed to upgrade Ghidra projects.
Basic usage
- If there are no projects, create one: File > New Project
- Select a project
- Import file: File > Import File
- Double-click the file to open it
- If prompted to analyse, click Yes. Defaults should be fine in most cases
- Wait for the analysis to finish; see the status bar in the lower right
Go to a specific address
- Navigation > Go To
- To go to a memory address (e.g. what you’ll get from a backtrace in gdb), just type in the address
  💡 It’s recommended to prefix the offset with 0x, otherwise Ghidra may interpret it as decimal if it doesn’t contain letters
- To go to a file address (i.e. a binary offset in a file), use this syntax: file(offset), e.g. file(0x20e3a79)
Functions
List functions
Window > Functions
Show functions for a specific type
Put the type name in the Filter box at the bottom of the Functions window
Find references to a function
- Select a function in the Functions window
- Go to the Decompile window and right-click the function name near the top > References > Find references to …
Location of function parameters
ⓘ Function parameters can be on the stack or in registers
To see the location of function parameters from within a function:
- Go to a function from the Functions window or by double-clicking on it in the Decompile window
- Scroll to the top of the disassembly of the function in the Listing window. From here you can see the location of the parameters, for example:
  Stack[0x4]4 this
  - The this parameter is on byte 4 of the stack ($esp+0x4) and is 4 bytes long
- The
If you look at where the function is called from other parts of the code, the parameters are typically set in the assembly instructions immediately prior to the CALL in reverse order, e.g.
MOV parameter 2 to $esp+0x4
MOV parameter 1 to top of stack ($esp)
CALL
👉 There may be a discrepancy between the stack locations where a function is called and inside the function itself, because the address of the called function gets added to the stack. So a parameter at $esp+0x4 when called may end up at $esp+0x8 in the function.
Types
Show type information
Right-click a type or variable > Edit Data Type
Variables
Highlight a variable
ⓘ This makes it easier to see where a variable is used
Right-click > Secondary Highlight > Set Highlight
Rename a variable
ⓘ If you can figure out what a variable does, renaming it will make it much easier to understand the function
Right-click > Rename Variable
Debugging with Ghidra and gdb
Source: Decompiling and Debugging with Ghidra
ⓘ Debugging with Ghidra is pretty CPU and memory intensive. For larger binaries it might be best to start with gdb first to narrow down the issue.
Prerequisites
- Python 3.7+
- python3-psutil
- python3-protobuf
Start debugger
- Import the file into Ghidra, analyse it, and wait for the analysis to complete
- In the Ghidra project window (the main window where the files are listed), right-click the file to debug > Open With > Debugger
- Debugger > Configure and Launch using … > gdb
- Interact with gdb as usual in the terminal (set breakpoints, etc.) then type run to start
ⓘ For more info, see gdb
Troubleshooting
If the path to the file you’re debugging has quotes and you see No such file or directory:
- Change to the directory using cd
  - Don’t put quotes around the path
- Load the file using file
Troubleshooting
Failed to exec spawn helper
If you see a message containing Failed to exec spawn helper, e.g.
Decompiler: Unable to initialize the DecompilerInterface: Cannot run program Failed to exec spawn helper
This could be due to the JDK being upgraded while Ghidra is running. This can happen, for example, on Ubuntu, which automatically upgrades certain packages for security. Check the logs to confirm, e.g.
$ tail /var/log/apt/history.log
Start-Date: 2025-07-25 09:46:43
Commandline: /usr/bin/unattended-upgrade
Upgrade: openjdk-21-jdk-headless:amd64 (21.0.7+6~us1-0ubuntu1~24.04, 21.0.8+9~us1-0ubuntu1~24.04.1), openjdk-21-jdk:amd64 (21.0.7+6~us1-0ubuntu1~24.04, 21.0.8+9~us1-0ubuntu1~24.04.1), openjdk-21-jre:amd64 (21.0.7+6~us1-0ubuntu1~24.04, 21.0.8+9~us1-0ubuntu1~24.04.1), openjdk-21-jre-headless:amd64 (21.0.7+6~us1-0ubuntu1~24.04, 21.0.8+9~us1-0ubuntu1~24.04.1)
End-Date: 2025-07-25 09:46:46
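The same check as a script, added here as an example (not part of the original notes): it parses the apt history format shown above and lists openjdk packages whose upgrade finished after Ghidra was started. The function names, the start time passed in, and the first log stanza are assumptions made for the example.

```python
import re
from datetime import datetime

# Sample in /var/log/apt/history.log format. The first stanza is constructed;
# the second reuses two of the package entries from the log shown above.
SAMPLE_LOG = """\
Start-Date: 2025-07-24 06:12:01
Commandline: apt-get install python3-psutil
Install: python3-psutil:amd64 (0.0.0-constructed)
End-Date: 2025-07-24 06:12:05

Start-Date: 2025-07-25 09:46:43
Commandline: /usr/bin/unattended-upgrade
Upgrade: openjdk-21-jdk-headless:amd64 (21.0.7+6~us1-0ubuntu1~24.04, 21.0.8+9~us1-0ubuntu1~24.04.1), openjdk-21-jre-headless:amd64 (21.0.7+6~us1-0ubuntu1~24.04, 21.0.8+9~us1-0ubuntu1~24.04.1)
End-Date: 2025-07-25 09:46:46
"""

# Matches one "name:arch (old, new)" item inside an Upgrade: field.
PKG_RE = re.compile(r"(\S+) \(([^,()]+), ([^()]+)\)")

def parse_history(text):
    """Split the log into blank-line-separated stanzas of 'Key: value' fields."""
    entries = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if "Start-Date" in fields:
            entries.append(fields)
    return entries

def jdk_upgrades_since(text, started, prefix="openjdk-"):
    """Return (end_time, package, old, new) for JDK upgrades finished after `started`."""
    # `started` is the Ghidra launch time as a naive local-time datetime
    # (assumption: supplied by the caller; apt logs local time).
    hits = []
    for e in parse_history(text):
        # Collapse repeated spaces between date and time before parsing.
        stamp = " ".join(e.get("End-Date", e["Start-Date"]).split())
        end = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if end <= started:
            continue  # finished before Ghidra started, so not the cause
        for pkg, old, new in PKG_RE.findall(e.get("Upgrade", "")):
            if pkg.startswith(prefix):
                hits.append((end, pkg, old, new))
    return hits

if __name__ == "__main__":
    for end, pkg, old, new in jdk_upgrades_since(SAMPLE_LOG, datetime(2025, 7, 25, 8, 0)):
        print(f"{end}  {pkg}: {old} -> {new}  (upgraded while Ghidra was running)")
```

To use it on a real system, pass the contents of /var/log/apt/history.log and the time the Ghidra process was started.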