Ghidra

Ghidra is a professional-grade, open-source software reverse engineering (SRE) platform developed by the U.S. National Security Agency (NSA). It enables deep inspection of compiled binaries and executables, making it an essential tool for cybersecurity professionals, malware analysts, and vulnerability researchers.

As a full-featured decompiler and disassembler, Ghidra supports reverse engineering across multiple architectures (x86, x64, ARM, MIPS, PowerPC, and more) and executable formats (PE, ELF, Mach-O, etc.). It’s capable of performing static code analysis, control flow analysis, symbol recovery, and much more — all through a clean, modular interface. With its intuitive GUI and headless scripting capabilities, Ghidra empowers both beginner and expert analysts alike.

Unlike many commercial solutions such as IDA Pro, Ghidra is completely free and open-source under the Apache 2.0 License. It is trusted by government agencies, academic institutions, and independent researchers around the world. Ghidra is ideal for reverse engineering malware, conducting security audits of firmware or closed-source software, and learning the internals of compiled programs.

Key features:

  • Interactive disassembler and decompiler with C-like output
  • Powerful static analysis engine with support for custom processor modules
  • Script automation in Java or Python using the built-in API
  • Project-based workflow with collaborative reverse engineering support
  • Advanced graph views, function call trees, and control flow diagrams
  • Cross-platform: runs on Windows, Linux, and macOS
  • Free to use, no license restrictions, no telemetry

Whether you’re reverse engineering ransomware samples, performing binary patching, analyzing embedded firmware, or simply exploring software internals, Ghidra provides a powerful and flexible platform designed for large-scale reverse engineering tasks. Its strong integration with scripting, extensibility through plugins, and regular updates from the NSA make it a standout tool in the modern cybersecurity toolkit.

Download Options

Version   Platform   Download
11.4.2    Windows    Download
JDK 8+    Windows    Download JDK

Installation & quick start

Step 1: Install Java Development Kit (JDK) version 17 or later. Ghidra requires a 64-bit JDK to run. Use the bundled installer above or download the latest LTS from Adoptium.

Step 2: Extract the downloaded Ghidra archive into a new folder. Do not overwrite an existing installation.

Step 3: Launch Ghidra by running:

  • ghidraRun.bat (on Windows)
  • ./ghidraRun (on Linux/macOS)

Optional: For Python-based workflows, launch Ghidra with pyGhidraRun.bat, which enables scripting through Jython or an external Python 3 integration.
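
A preflight check for the JDK requirement in Step 1, for the Linux/macOS launch path in Step 3. This is an added example, not part of Ghidra or of the original page; the function names and the sample `java -version` outputs are constructed for illustration, and the "64-Bit" marker is assumed to appear as HotSpot-based JVMs print it.

```shell
#!/bin/sh
# Added example: preflight check for the JDK requirement stated in Step 1.
MIN_MAJOR=17   # minimum JDK major version, taken from Step 1 on this page

# Constructed samples of `java -version` output (not captured from a real host).
SAMPLE_OK='openjdk version "17.0.9" 2023-10-17
OpenJDK 64-Bit Server VM (build 17.0.9+9, mixed mode, sharing)'
SAMPLE_OLD='java version "1.8.0_391"
Java HotSpot(TM) 64-Bit Server VM (build 25.391-b13, mixed mode)'
SAMPLE_32='openjdk version "17.0.9" 2023-10-17
OpenJDK Client VM (build 17.0.9+9, mixed mode)'

# Read `java -version` text on stdin and print the major version number.
# Handles the legacy "1.8.0_391" scheme and the modern "17.0.9" scheme.
jdk_major() {
    ver=$(sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    case "$ver" in
        1.*) ver=${ver#1.} ;;   # legacy scheme: 1.8.0_391 -> 8.0_391
    esac
    major=${ver%%[!0-9]*}       # keep only the leading digits
    [ -n "$major" ] || return 1
    echo "$major"
}

# Return 0 when the given `java -version` text meets Step 1, otherwise 1.
check_jdk() {
    out=$1
    major=$(printf '%s\n' "$out" | jdk_major) || {
        echo "no JDK version string found"; return 1; }
    if [ "$major" -lt "$MIN_MAJOR" ]; then
        echo "JDK $major is older than the required $MIN_MAJOR"; return 1
    fi
    # HotSpot-based JVMs print "64-Bit" in the VM line of 64-bit builds.
    if ! printf '%s\n' "$out" | grep -q '64-Bit'; then
        echo "JDK $major is not reported as a 64-bit build"; return 1
    fi
    echo "JDK $major (64-bit) meets the requirement"
}

# Demo on the constructed samples, then on the local JDK if one is on PATH.
for sample in "$SAMPLE_OK" "$SAMPLE_OLD" "$SAMPLE_32"; do
    check_jdk "$sample" || true
done
if command -v java >/dev/null 2>&1; then
    # `java -version` writes to stderr, so merge it into stdout.
    check_jdk "$(java -version 2>&1)" || true
fi
```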

Common use cases

  • Analyzing obfuscated malware or ransomware samples
  • Understanding legacy code or proprietary file formats
  • Inspecting embedded systems firmware or bootloaders
  • Performing compliance reviews and code auditing
  • Writing custom analysis scripts for repetitive SRE tasks
  • Visualizing complex control flow in compiled executables

Useful Links

License: Apache License 2.0
Disclaimer: Ghidra is developed and maintained by the NSA and is widely trusted by researchers. It contains no spyware, telemetry, or licensing restrictions.