
Rogue Binary MCP

Ghidra MCP Tools Reference

Detailed tool listing and invocation schemas for the rbinghidra decompiler server.

Section: Lifecycle and Management

Manage your reverse engineering workbench session, check backend health, and handle cached projects.

  • ghidra_health: Checks whether Ghidra headless analysis is available and correctly path-mapped.
  • ghidra_inventory: Lists all binaries currently imported and available in your decompiler workspace.
  • ghidra_lock_status: Checks whether a binary has active locks from running decompile or import tasks.
  • ghidra_cached_metadata: Retrieves the parsed format, compiler, architecture, and basic properties of a cached target.
  • ghidra_import: Manually triggers headless import and analysis of an executable target.
  • ghidra_delete: Removes a binary and its associated database files from the cache workspace.

Health Check

{
  "tool": "ghidra_health",
  "arguments": {}
}

Section: Function Discovery and Symbol Tables

Extract structure information, symbol catalogs, namespaces, strings, and instruction constants.

  • ghidra_list_functions: Page or filter through recognized function definitions in the executable.
  • ghidra_imports: Lists imported external symbols and dynamic libraries.
  • ghidra_exports: Lists exported symbols from the target executable.
  • ghidra_symbols: Searches for global symbols matching a substring pattern.
  • ghidra_namespaces: Lists all code namespaces, classes, and scopes.
  • ghidra_data_types: Lists defined structs, typedefs, and data types.
  • ghidra_search_strings: Searches target binary for ASCII/Unicode strings.
  • ghidra_defined_data: Finds declared data values, constants, and structured strings.
  • ghidra_string_context: Retrieves string references with decompiled C snippets from all caller functions.
  • ghidra_function_stats: Computes cyclomatic complexity, instruction count, block count, and call count.

Search Symbols

{
  "tool": "ghidra_symbols",
  "arguments": {
    "binary_name": "payload.exe",
    "query": "crypto_"
  }
}

Section: Decompilation and Control Flow

Extract clean C-like pseudocode, trace register/variable data flow, and analyze basic-block branching.

  • ghidra_decompile: Returns standard decompiled pseudocode of a targeted function address or symbol.
  • ghidra_decompile_meta: Fetches decompiled pseudocode with adjacent caller/callee context.
  • ghidra_decompiler_calls: Summarizes external/internal calls made inside the function block.
  • ghidra_decompiler_cfg: Obtains decompiler-simplified control flow blocks and branch targets.
  • ghidra_decompiler_memory: Tracks read/write memory access patterns per decompiler block.
  • ghidra_decompiler_block_behavior: Classifies logic behaviors (loops, checks, logic families) per block.
  • ghidra_decompiler_slice: Traces code variables to compute forward or backward decompiler slices.
  • ghidra_function_slices: High-level callsite, field, buffer, and indirect data slices.
  • ghidra_path_digest: Compact block and event digest for a function path.
  • ghidra_variables: Lists function parameters and local stack variables.
  • ghidra_search_decompilation: Bounded regex search across decompiled pseudocode blocks.

Decompile Function

{
  "tool": "ghidra_decompile",
  "arguments": {
    "binary_name": "payload.exe",
    "function_address": "sym.decrypt_data"
  }
}

Section: Advanced Binary Analysis

Scan threat behaviors, identify anti-analysis routines, trace instruction constants, and inspect metadata.

  • ghidra_behaviors: Scans for behavior pattern indicators (filesystem, process injection, registry).
  • ghidra_anti_analysis: Detects anti-debugging, anti-VM, timing checks, and PEB access.
  • ghidra_function_checkpoints: Evaluates P-code checkpoints with detailed stack delta analysis.
  • ghidra_constants: Scans instruction immediate operands for range or exact matches.
  • ghidra_go_metadata: Recovers module, package, compiler, and type metadata for Go binaries.
  • ghidra_callgraph: Traverses caller/callee graphs with custom depth limits.
  • ghidra_cfg: Returns low-level basic-block control flow graph.
  • ghidra_xrefs: Returns cross-references (callers/callees) to a target offset.
  • ghidra_dynamic_dispatch_table: Attempts to recover virtual method tables using seed pointers.

| Tool                 | Scope          | Key Parameter                 | Returns                       |
|----------------------|----------------|-------------------------------|-------------------------------|
| ghidra_behaviors     | binary scope   | binary_name                   | malware heuristics & evidence |
| ghidra_anti_analysis | binary scope   | binary_name                   | anti-debug / anti-VM checks   |
| ghidra_decompile     | function scope | binary_name, function_address | clean C pseudocode            |
| ghidra_xrefs         | address scope  | binary_name, target_address   | cross-reference offsets       |