Ghidra — Install, Use, Optimise (2026)

Manish Garg, Associate of (ISC)² · RingSafe
Apr 29, 2026

NSA's open-source reverse engineering platform — disassembler, decompiler, scriptable analysis for x86, ARM, MIPS, and 50+ architectures.

Use case: Reverse Engineering
Difficulty: Advanced
Homepage: https://ghidra-sre.org

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Linux/macOS

wget https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_11.x_build/ghidra_11.x_PUBLIC.zip
unzip ghidra_11.x_PUBLIC.zip
cd ghidra_11.x_PUBLIC && ./ghidraRun


Java 17+ required

Linux (apt — older)

sudo apt install ghidra

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Launch

./ghidraRun

Headless analysis (CLI)

./support/analyzeHeadless ./projects MyProj -import target.exe -postScript MyAnalysis.java

Apply bookmarks programmatically

In Script Manager: New Script → save Java/Python

Export decompiled C

File → Export Program → C/C++

BinDiff with another version

File → Diff → Open Other Program
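As an added example (not from this page or the Ghidra project), a script that ties the headless -postScript and the "apply bookmarks programmatically" entries above together: saved as MyAnalysis.java, it bookmarks every call site of a few classic unsafe C functions so triage can start from the Bookmarks window instead of a blank listing. The watch list and the "Triage" bookmark category are my assumptions.

```java
// MyAnalysis.java (added example): bookmark call sites of classic unsafe C functions.
// Runs from the Script Manager or as: analyzeHeadless ... -postScript MyAnalysis.java
//@category Triage
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.BookmarkManager;
import ghidra.program.model.listing.BookmarkType;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.Symbol;
import ghidra.program.model.symbol.SymbolIterator;

public class MyAnalysis extends GhidraScript {

    // Assumed watch list; extend it for the target's runtime (e.g. wcscpy, _snprintf).
    private static final String[] RISKY = {
        "strcpy", "strcat", "sprintf", "gets", "scanf", "system"
    };

    @Override
    public void run() throws Exception {
        BookmarkManager bookmarks = currentProgram.getBookmarkManager();
        int marked = 0;

        for (String name : RISKY) {
            // getSymbols(name) matches imports, thunks and locally defined copies alike.
            SymbolIterator symbols = currentProgram.getSymbolTable().getSymbols(name);
            while (symbols.hasNext()) {
                Symbol sym = symbols.next();
                for (Reference ref : sym.getReferences()) {
                    if (!ref.getReferenceType().isCall()) {
                        continue; // skip data/pointer references to the import slot
                    }
                    Address site = ref.getFromAddress();
                    Function caller = getFunctionContaining(site);
                    String who = (caller == null) ? "<no function>" : caller.getName();
                    // Type ANALYSIS, category "Triage": filterable in the Bookmarks window.
                    bookmarks.setBookmark(site, BookmarkType.ANALYSIS, "Triage",
                        "call to " + name + " from " + who);
                    marked++;
                }
            }
        }
        println("Triage: bookmarked " + marked + " call site(s) to "
            + RISKY.length + " watched functions");
    }
}
```

Drop the file into ~/ghidra_scripts (or point -scriptPath at its directory) so the headless command above can find it; in headless runs the println output lands in the console log, and the bookmarks are saved with the project for later GUI review.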

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • First analysis of large binary (>50MB): 5-30 min. Disable analyzers you don’t need (e.g., “Demangler GNU” off for Windows binaries).
  • -Xmx8G in support/launch.properties — default 4G, bigger binaries need more.
  • Headless mode (analyzeHeadless) is 2-3× faster than GUI for batch processing — automate with Java/Python scripts.
  • Function signature import: load PDB or symbol files BEFORE analysis runs — auto-rename gives you a head start.
  • Caching: keep projects on SSD, not network drive. GUI lag is mostly disk I/O.
  • Decompiler quality varies wildly per architecture — x86/x64 great, MIPS/ARM-Thumb good, exotic targets (PowerPC, RISC-V) less polished.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Decompilation is BEST EFFORT. Always cross-check with disassembly — decompiler hides important details (stack alignment, calling convention quirks).
  • Stripped + obfuscated binaries (modern malware): function recovery can fail. Run FindCryptScanner.java + manual function-start identification.
  • Project corruption on Java crashes — checkpoint frequently (File → Save Project) on important work.
  • Default colors/keybinds aren’t great. Import ghidra-dark theme + IDA-style keybinds for productivity.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • IDA Pro — commercial gold standard ($1500-3500/yr).
  • Binary Ninja — modern, scriptable, $300-800.
  • radare2 / Cutter — free CLI/GUI, less polished.

India context and engagement notes

Ghidra is the right tool for malware analysis on a budget. For Indian incident response (post-breach binary triage), Ghidra + YARA is fully sufficient — IDA Pro license cost is hard to justify unless you do RE full-time.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.
