Ghidra Agent performs binary analysis using GhidraMCP. It decompiles executables, identifies vulnerabilities in binary code, and documents internals for binaries where source code is not available.

What it does

  • Binary decompilation: decompiles functions and documents what they do in human-readable form
  • Vulnerability research: searches for buffer overflows, dangerous API calls, memory corruption patterns, and other binary-level vulnerabilities
  • Malware analysis: analyzes unknown or suspicious binaries to understand their behavior and capabilities
  • Cross-binary comparison: compares binaries to identify changes between versions, which is useful for patch diffing and regression analysis
  • Project lifecycle management: creates and manages Ghidra projects, uploads binaries, and runs automated analysis passes
  • File handling: accepts binaries via URL or local file upload directly into the analysis environment

How it fits in

Ghidra Agent is invoked for tasks involving binary targets: firmware, compiled applications, or any executable where source code is unavailable. It is also used in vulnerability research workflows to analyze published CVE patches and identify the vulnerable code path.