Getting Started Guide
How to Install and Use Ghidra
This guide covers installing Ghidra, loading a binary, navigating the decompiler, and performing basic reverse engineering analysis.
Prerequisites
- Java 17+ (JDK, not JRE)
- A binary to analyze
Install Ghidra
Download Ghidra from the official GitHub releases. It's a portable application - no installation required.
Install Java first
sudo apt install openjdk-17-jdk
Download and extract
# releases/latest is an HTML page, so resolve the release zip's URL through the GitHub API first
wget "$(curl -s https://api.github.com/repos/NationalSecurityAgency/ghidra/releases/latest | grep -o 'https://github.com/[^"]*\.zip' | head -n 1)" -O ghidra.zip && unzip ghidra.zip
Launch Ghidra
cd ghidra_* && ./ghidraRun
Note: Ghidra is developed by the NSA and released as open source. Despite the source, it's genuinely excellent and widely trusted by the security community.
Create a Project and Import a Binary
Ghidra organizes work into projects. Create one, then import the binary you want to analyze.
GUI steps
# File > New Project > Non-Shared Project
# Choose a directory and project name
# File > Import File > Select your binary
# Double-click the imported file to open in CodeBrowser
Note: Ghidra supports PE (Windows), ELF (Linux), Mach-O (macOS), APK, firmware images, and many other formats. It auto-detects the format and architecture.
Auto Analysis
When you open a binary, Ghidra offers to run auto-analysis. Accept it - this identifies functions, strings, cross-references, and data types.
GUI steps
# Click 'Yes' when prompted for auto-analysis
# Use default analysis options
# Wait for analysis to complete (watch the progress bar)
Note: Auto-analysis can take a few minutes for large binaries. It's doing function identification, disassembly, decompilation prep, and string extraction. Let it finish before you start exploring.
Navigate the Decompiler
The decompiler window shows C-like pseudocode for the selected function. This is Ghidra's killer feature.
Key navigation
# Click any function in the listing to see its decompiled code
# Double-click function calls to follow them
# Press 'G' to go to a specific address
# Use Window > Defined Strings to find all strings
# Right-click a function > Rename to give it a meaningful name
Note: Start with the Defined Strings window - searching for strings like 'password', 'error', 'http://', or 'key' often leads you straight to interesting functions. Renaming functions as you understand them makes the code progressively more readable.
Cross-References and Function Graphs
Understand how functions relate to each other using cross-references and control flow graphs.
Key features
# Right-click any function/variable > References > Show References To
# Window > Function Graph (visual control flow)
# Window > Function Call Graph (who calls what)
# Search > For Strings (find specific text in the binary)
Note: Cross-references (xrefs) answer 'who calls this function?' and 'where is this string used?' - these are your primary navigation tools when analyzing unknown binaries.
Scripting with Ghidra
Ghidra has a built-in script manager for automating analysis tasks in Java or Python.
Open script manager
# Window > Script Manager
# Browse existing scripts by category
# Click the green play button to run a script
# Or write your own in Java/Python (Jython)
Note: The built-in scripts include useful utilities like 'FindCrypt' (identifies crypto constants), 'SearchForStrings', and various deobfuscation helpers. The scripting API is well-documented in Ghidra's built-in help.
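The Defined Strings search and the "Show References To" lookup from the earlier sections can be combined into one Jython script. The following is an added example, not code from this guide or from the Ghidra project. The helper names (match_keywords, triage, run) and the sample addresses, strings and function names are constructed for illustration; the Ghidra calls used are getDefinedData, hasStringValue, getReferencesTo and getFunctionContaining.

```python
# Added example: keyword triage of defined strings, with the functions that use them.
# Runs from Window > Script Manager (Jython) or stand-alone on the constructed sample.
KEYWORDS = ("password", "error", "http://", "key")  # search terms suggested in the guide

def match_keywords(text, keywords=KEYWORDS):
    """Return the keywords contained in text (case-insensitive), in KEYWORDS order."""
    lowered = text.lower()
    return [k for k in keywords if k in lowered]

def triage(strings, callers_of):
    """strings yields (address, text); callers_of(address) returns function names.
    Returns (address, text, keywords, sorted unique callers) for each matching string."""
    rows = []
    for addr, text in strings:
        hits = match_keywords(text)
        if hits:
            rows.append((addr, text, hits, sorted(set(callers_of(addr)))))
    return rows

def ghidra_strings():
    """Yield (address, text) for every defined string in the open program."""
    for data in currentProgram.getListing().getDefinedData(True):
        if data.hasStringValue():
            yield data.getAddress(), data.getValue()

def ghidra_callers(addr):
    """Names of functions that reference addr (what 'Show References To' lists)."""
    refs = getReferencesTo(addr)
    funcs = [getFunctionContaining(r.getFromAddress()) for r in refs]
    return [f.getName() if f else "<no function>" for f in funcs]

# Constructed sample (addresses, strings and function names are made up).
SAMPLE = [("0x4020", "Enter password: ", ["check_login"]),
          ("0x4038", "usage: %s <file>", ["main"]),
          ("0x4050", "http://update.example.test/check", ["fetch", "fetch"]),
          ("0x4078", "API_KEY=%s", [])]

def run():
    try:
        currentProgram  # injected by Ghidra's script runner; NameError elsewhere
    except NameError:
        xrefs = dict((a, c) for a, _, c in SAMPLE)
        return triage([(a, t) for a, t, _ in SAMPLE], xrefs.get)
    return triage(ghidra_strings(), ghidra_callers)

for row in run():
    print("%s  %r  keywords=%s  used in: %s" % (row[0], row[1], row[2], ", ".join(row[3]) or "-"))
```

A string with no callers listed has no recorded references, which usually means it is reached through a computed pointer or not used at all.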