ghidra


Ghidra Headless Analysis Skill

Perform automated reverse engineering using Ghidra's `analyzeHeadless` tool. Import binaries, run analysis, decompile to C code, and extract useful information.

Quick Reference

| Task | Command |
|------|---------|
| Full analysis with all exports | `ghidra-analyze.sh -s ExportAll.java -o ./output binary` |
| Decompile to C code | `ghidra-analyze.sh -s ExportDecompiled.java -o ./output binary` |
| List functions | `ghidra-analyze.sh -s ExportFunctions.java -o ./output binary` |
| Extract strings | `ghidra-analyze.sh -s ExportStrings.java -o ./output binary` |
| Get call graph | `ghidra-analyze.sh -s ExportCalls.java -o ./output binary` |
| Export symbols | `ghidra-analyze.sh -s ExportSymbols.java -o ./output binary` |
| Find Ghidra path | `find-ghidra.sh` |

Prerequisites

  • Ghidra must be installed. On macOS: `brew install --cask ghidra`
  • Java (OpenJDK 17+) must be available

The skill automatically locates Ghidra in common installation paths. Set the `GHIDRA_HOME` environment variable if Ghidra is installed in a non-standard location.

Main Wrapper Script

```bash
./scripts/ghidra-analyze.sh [options] <binary>
```

Wrapper that handles project creation/cleanup and provides a simpler interface to `analyzeHeadless`.

Options:
  • `-o, --output <dir>` - Output directory for results (default: current dir)
  • `-s, --script <name>` - Post-analysis script to run (can be repeated)
  • `-a, --script-args <args>` - Arguments for the last specified script
  • `--script-path <path>` - Additional script search path
  • `-p, --processor <id>` - Processor/architecture (e.g., `x86:LE:32:default`)
  • `-c, --cspec <id>` - Compiler spec (e.g., `gcc`, `windows`)
  • `--no-analysis` - Skip auto-analysis (faster, but less info)
  • `--timeout <seconds>` - Analysis timeout per file
  • `--keep-project` - Keep the Ghidra project after analysis
  • `--project-dir <dir>` - Directory for the Ghidra project (default: /tmp)
  • `--project-name <name>` - Project name (default: auto-generated)
  • `-v, --verbose` - Verbose output

Built-in Export Scripts

ExportAll.java

Comprehensive export - runs all other exports and creates a summary. Best for initial analysis.

Output files:
  • `{name}_summary.txt` - Overview: architecture, memory sections, function counts
  • `{name}_decompiled.c` - All functions decompiled to C
  • `{name}_functions.json` - Function list with signatures and calls
  • `{name}_strings.txt` - All strings found
  • `{name}_interesting.txt` - Functions matching security-relevant patterns

```bash
./scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis firmware.bin
```

ExportDecompiled.java

Decompile all functions to C pseudocode.

Output: `{name}_decompiled.c`

```bash
./scripts/ghidra-analyze.sh -s ExportDecompiled.java -o ./output program.exe
```

ExportFunctions.java

Export the function list as JSON with addresses, signatures, parameters, and call relationships.

Output: `{name}_functions.json`

```json
{
  "program": "example.exe",
  "architecture": "x86",
  "functions": [
    {
      "name": "main",
      "address": "0x00401000",
      "size": 256,
      "signature": "int main(int argc, char **argv)",
      "returnType": "int",
      "callingConvention": "cdecl",
      "isExternal": false,
      "parameters": [{"name": "argc", "type": "int"}, ...],
      "calls": ["printf", "malloc", "process_data"],
      "calledBy": ["_start"]
    }
  ]
}
```

ExportStrings.java

Extract all strings (ASCII, Unicode) with addresses.

Output: `{name}_strings.json`

```bash
./scripts/ghidra-analyze.sh -s ExportStrings.java -o ./output malware.exe
```

ExportCalls.java

Export the function call graph showing caller/callee relationships.

Output: `{name}_calls.json`

Includes:
  • Full call graph
  • Potential entry points (functions with no callers)
  • Most frequently called functions

ExportSymbols.java

Export all symbols: imports, exports, and internal symbols.

Output: `{name}_symbols.json`

Common Workflows

Analyze an Unknown Binary

```bash
# Create output directory
mkdir -p ./analysis

# Run comprehensive analysis
./scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis unknown_binary

# Review the summary first
cat ./analysis/unknown_binary_summary.txt

# Look at interesting patterns (crypto, network, dangerous functions)
cat ./analysis/unknown_binary_interesting.txt

# Check specific decompiled functions
grep -A 50 "encrypt" ./analysis/unknown_binary_decompiled.c
```

Analyze Firmware

```bash
# Specify ARM architecture for firmware
./scripts/ghidra-analyze.sh \
  -p "ARM:LE:32:v7" \
  -s ExportAll.java \
  -o ./firmware_analysis \
  firmware.bin
```

Quick Function Listing

```bash
# Just get function names and addresses (faster)
./scripts/ghidra-analyze.sh --no-analysis -s ExportFunctions.java -o . program

# Parse with jq (string interpolation needs the backslash-escaped \(...) form)
jq -r '.functions[] | "\(.address): \(.name)"' program_functions.json
```

Find Specific Patterns

```bash
# After running ExportDecompiled, search for patterns
# (-E enables alternation with "|"; plain grep would treat it literally)
grep -nE "password|secret|key" output_decompiled.c
grep -nE "strcpy|sprintf|gets" output_decompiled.c
```
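The `{name}_functions.json` format shown under ExportFunctions.java can be triaged without jq; the following added Python helper (example code, not part of this skill) derives the items ExportCalls.java reports (functions with no callers, most frequently called functions) and flags callers of the unsafe C APIs the grep above looks for. The sample document is constructed here in the shape of the ExportFunctions output and is not real Ghidra output.

```python
import json
from collections import Counter

# Constructed sample in the shape of {name}_functions.json (not real Ghidra output).
SAMPLE_FUNCTIONS_JSON = """
{
  "program": "example.exe",
  "architecture": "x86",
  "functions": [
    {"name": "_start", "address": "0x00401000", "calls": ["main"], "calledBy": []},
    {"name": "main", "address": "0x00401020", "calls": ["read_config", "process_data"], "calledBy": ["_start"]},
    {"name": "read_config", "address": "0x00401100", "calls": ["fopen", "strcpy"], "calledBy": ["main"]},
    {"name": "process_data", "address": "0x00401200", "calls": ["sprintf", "memcpy"], "calledBy": ["main", "worker"]},
    {"name": "worker", "address": "0x00401300", "calls": ["process_data"], "calledBy": []}
  ]
}
"""

# Unsafe C library calls worth a manual look in the decompiled output.
RISKY_CALLS = {"strcpy", "strcat", "sprintf", "gets", "scanf"}

def load_functions(text):
    """Return the function list from an ExportFunctions.java JSON document."""
    return json.loads(text)["functions"]

def entry_points(functions):
    """Names of functions nothing in the program calls (candidate entry points)."""
    return sorted(f["name"] for f in functions if not f.get("calledBy"))

def most_called(functions, top=3):
    """(callee, count) pairs for the most frequently called names, highest first."""
    counts = Counter(callee for f in functions for callee in f.get("calls", []))
    return counts.most_common(top)

def risky_callers(functions, risky=RISKY_CALLS):
    """Map each function that calls a risky API to the sorted list of those callees."""
    hits = {}
    for f in functions:
        found = sorted(set(f.get("calls", [])) & risky)
        if found:
            hits[f["name"]] = found
    return hits

if __name__ == "__main__":
    fns = load_functions(SAMPLE_FUNCTIONS_JSON)
    print("entry points:", entry_points(fns))
    print("most called:", most_called(fns))
    print("risky callers:", risky_callers(fns))
```

Point `load_functions` at the contents of a real `{name}_functions.json` to run the same triage on an exported binary.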

Analyze Multiple Binaries

```bash
for bin in ./samples/*; do
    name=$(basename "$bin")
    ./scripts/ghidra-analyze.sh -s ExportAll.java -o "./results/$name" "$bin"
done
```

Architecture/Processor IDs

Common processor IDs for the `-p` option:

| Architecture | Processor ID |
|--------------|--------------|
| x86 32-bit | `x86:LE:32:default` |
| x86 64-bit | `x86:LE:64:default` |
| ARM 32-bit | `ARM:LE:32:v7` |
| ARM 64-bit | `AARCH64:LE:64:v8A` |
| MIPS 32-bit | `MIPS:BE:32:default` or `MIPS:LE:32:default` |
| PowerPC | `PowerPC:BE:32:default` |

Find all available processors:

```bash
ls "$(dirname $(./scripts/find-ghidra.sh))/../Ghidra/Processors/"
```

Troubleshooting

Ghidra Not Found

```bash
# Check if Ghidra is installed
./scripts/find-ghidra.sh

# Set GHIDRA_HOME if in non-standard location
export GHIDRA_HOME=/path/to/ghidra_11.x_PUBLIC
./scripts/ghidra-analyze.sh ...
```

Analysis Takes Too Long

```bash
# Set a timeout (seconds)
./scripts/ghidra-analyze.sh --timeout 300 -s ExportAll.java binary

# Skip analysis for quick export
./scripts/ghidra-analyze.sh --no-analysis -s ExportSymbols.java binary
```

Out of Memory

Edit the `analyzeHeadless` script or set:

```bash
export MAXMEM=4G
```

Wrong Architecture Detected

Explicitly specify the processor:

```bash
./scripts/ghidra-analyze.sh -p "ARM:LE:32:v7" -s ExportAll.java firmware.bin
```

Tips

  1. Start with ExportAll.java - It gives you everything, and the summary helps orient you
  2. Check the interesting.txt file - It highlights security-relevant functions automatically
  3. Use jq for JSON parsing - The JSON exports are designed to be machine-readable
  4. Decompilation isn't perfect - Use it as a guide and cross-reference with the disassembly
  5. Large binaries take time - Use `--timeout` and consider `--no-analysis` for quick scans