Recon 2025

Offensive Security Tool Development with Ghidra: From Custom CLI Tools to an MCP Server
2025-06-27 , Soprano B

Elevate your cybersecurity workflow with Ghidra’s robust support for command line tools in this immersive, hands-on workshop. Tailored for developers and security analysts, you'll be guided through setting up a high-performance development environment using the Ghidra Python VSCode Devcontainer. Learn how to automate repetitive tasks, create custom analysis scripts, and integrate Ghidra's cutting-edge decompilation and disassembly features—complete with full debugging support right in VS Code.

The session begins with the fundamentals, introducing you to custom CLI tool development through simple, practical examples. As you build on this foundation, the workshop culminates in a hands-on exercise where you will develop a Python3 Model Context Protocol (MCP) server compatible with Claude AI and other LLM clients. This dynamic MCP server acts as an interface for automating Ghidra tasks via natural language commands, paving the way for LLM-assisted reverse engineering. By the end of this workshop, you'll have firsthand experience building an MCP server, working with Ghidra's powerful program API, and gaining a deeper understanding of how LLMs can streamline automation and enhance your reverse engineering processes.


Workshop: Offensive Security Tool Development with Ghidra: From Custom CLI Tools to an MCP Server


Minimum prerequisites:
- Laptop (Intel or ARM)
- VS Code
- Docker
- For the MCP/LLM section, one of the following:
  - GitHub free account (for access to the free AI model tier)
  - Claude for Desktop app with a free-tier account
  - Laptop able to run a local model (see https://medium.com/@clearbluejar/supercharging-ghidra-using-local-llms-with-ghidramcp-via-ollama-and-openweb-ui-794cef02ecf7)


I. Introduction

  • Overview of Ghidra and its capabilities
  • The importance of command-line tools in reverse engineering
  • Introduction to the Ghidra Python VSCode Devcontainer Skeleton
  • Meet PyGhidra: Ghidra's official support for Python 3

II. Setting Up the Environment

  • Cloning the repository and exploring its structure
  • Setting up VSCode and the devcontainer for Ghidra scripting

III. Basic Ghidra Command-Line Operations

  • Navigating PyGhidra and leveraging Ghidra’s Program API
  • Importing and analyzing binaries
  • Exploring various methods for scripting Ghidra in Python
  • Following best practices for scripting and analysis

IV. Python Development with Ghidra

  • Writing basic scripts to automate tasks in Ghidra
  • Utilizing the Ghidra API for advanced scripting
  • Debugging and optimizing scripts
  • Leveraging AI to kickstart your Ghidra scripts

Challenges:

  • Analyze Binaries: Use PyGhidra to explore and analyze your first binary, focusing on enumerating functions, disassembly listings, leveraging typings, and Ghidra's Program API.
  • Port Java-Based Script to Python 3: Learn how to translate useful Java Ghidra scripts into Python 3 while maintaining functionality.
  • Automate Call Graph Analysis: Create a recursive Ghidra Python script to map and analyze function call graphs.
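The call-graph challenge above is where most first attempts at a recursive Ghidra script fall over: real programs contain direct recursion and cycles, and a naive recursive descent either never terminates or blows up exponentially. The following is an added example, not the workshop's own code. It keeps the traversal logic separate from Ghidra so it runs offline: a constructed adjacency map stands in for what Function.getCalledFunctions(monitor) returns, and the call_map_from_ghidra() helper shows the assumed PyGhidra wiring (its API names are an assumption on the reader's side and it is not exercised here).

```python
"""Recursive call-graph walk with cycle and depth guards (added example)."""
from typing import Dict, List, Set, Tuple

# Constructed sample program: main -> parse_header -> read_field -> strcpy,
# with direct recursion (parse_header) and a back edge (log_msg -> main).
SAMPLE_CALLS: Dict[str, List[str]] = {
    "main": ["parse_header", "log_msg"],
    "parse_header": ["read_field", "parse_header"],
    "read_field": ["strcpy", "log_msg"],
    "log_msg": ["printf", "main"],
    "strcpy": [],
    "printf": [],
}


def walk_calls(root: str, callees: Dict[str, List[str]], max_depth: int = 8,
               _depth: int = 0, _stack: Tuple[str, ...] = (),
               _seen: Set[str] = None) -> List[Tuple[int, str, str]]:
    """Depth-first walk from root; returns (depth, caller, callee), one row per edge.

    Two guards keep this terminating on real binaries: a depth cap, and an
    ancestor stack so recursion and cycles are recorded as edges but never
    re-entered. `_seen` stops re-expanding a function already reached by another
    path, which is what turns an exponential walk into a linear one.
    """
    stack = _stack + (root,)
    seen = _seen if _seen is not None else set()
    rows: List[Tuple[int, str, str]] = []
    if _depth >= max_depth:
        return rows
    for callee in callees.get(root, []):
        rows.append((_depth, root, callee))
        if callee in stack or callee in seen:  # cycle/recursion or already expanded
            continue
        seen.add(callee)
        rows.extend(walk_calls(callee, callees, max_depth, _depth + 1, stack, seen))
    return rows


def paths_to(root: str, target: str, callees: Dict[str, List[str]],
             max_depth: int = 8) -> List[List[str]]:
    """All simple call paths root -> ... -> target, i.e. the question vulnerability
    research usually asks: how does an attacker-facing entry point reach strcpy?"""
    results: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        if len(path) > max_depth:
            return
        for callee in callees.get(node, []):
            if callee == target:
                results.append(path + [callee])
            elif callee not in path:  # simple paths only: never revisit an ancestor
                dfs(callee, path + [callee])

    dfs(root, [root])
    return results


def call_map_from_ghidra(flat_api, monitor) -> Dict[str, List[str]]:
    """Build the same adjacency map from a live program via PyGhidra's FlatProgramAPI.
    Assumed wiring (Program API names per Ghidra docs); needs a Ghidra install,
    so it is not run in this example."""
    fm = flat_api.getCurrentProgram().getFunctionManager()
    return {f.getName(): sorted(c.getName() for c in f.getCalledFunctions(monitor))
            for f in fm.getFunctions(True)}


if __name__ == "__main__":
    for depth, caller, callee in walk_calls("main", SAMPLE_CALLS):
        print("  " * depth + f"{caller} -> {callee}")
    for path in paths_to("main", "strcpy", SAMPLE_CALLS):
        print("reaches strcpy via: " + " -> ".join(path))
```

In PyGhidra the map would come from `call_map_from_ghidra(flat, flat.getMonitor())` inside a `pyghidra.open_program(...)` block; the walk itself does not change. Keeping the graph walk independent of the Ghidra API is also what makes it unit-testable without a running Ghidra.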

V. Advanced Techniques

  • Integrating external tools and libraries with Ghidra scripts
  • Customizing the devcontainer for specific use cases

Challenges:

  • Automate Vulnerability Research: Develop a tool that automates decompilation using Ghidra's built-in analysis and decompiler. Leverage Ghidra's Program API to build a utility that decompiles every function, then scan the decompiled output for vulnerability patterns with Semgrep.

VI. Building A Ghidra Model Context Protocol Server

  • Understand the basic interaction between an LLM and MCP server
  • Leverage Claude for Desktop to interface with your custom Ghidra MCP

Challenges:

  • Build a custom Ghidra MCP server that exposes Ghidra tasks as tools an LLM client can call
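To make the LLM-to-MCP interaction in this section concrete, here is an added example that is not the workshop's code and not the official `mcp` Python SDK (which handles this plumbing for you in practice). It hand-rolls the three JSON-RPC requests a client such as Claude for Desktop sends over stdio, following the 2024-11-05 MCP message shapes (`initialize`, `tools/list`, `tools/call`), and scripts the client side so the whole exchange can be read end to end. The function table is constructed stand-in data; in the workshop the tool bodies would query the Program API through PyGhidra instead. Tool and server names are assumptions.

```python
"""Minimal MCP-shaped JSON-RPC server for Ghidra-style tools (added example)."""
import json
import sys
from typing import Any, Dict, List, Optional

PROTOCOL_VERSION = "2024-11-05"   # MCP spec revision whose message shapes this follows

# Constructed stand-in for data a real tool would read from the open Ghidra program.
FUNCTIONS = {
    "main": {"address": "0x401000", "size": 212},
    "parse_header": {"address": "0x4010d4", "size": 96},
    "read_field": {"address": "0x401134", "size": 48},
}


def tool_list_functions(args: Dict[str, Any]) -> str:
    prefix = args.get("prefix", "")
    names = sorted(n for n in FUNCTIONS if n.startswith(prefix))
    return "\n".join(f"{FUNCTIONS[n]['address']} {n}" for n in names) or "(none)"


def tool_get_function(args: Dict[str, Any]) -> str:
    name = args["name"]                      # required by the inputSchema below
    if name not in FUNCTIONS:
        raise ValueError(f"no function named {name!r}")
    return json.dumps({"name": name, **FUNCTIONS[name]})


TOOLS: Dict[str, Dict[str, Any]] = {
    "list_functions": {
        "description": "List functions in the open program, optionally filtered by name prefix.",
        "inputSchema": {"type": "object", "properties": {"prefix": {"type": "string"}}},
        "handler": tool_list_functions},
    "get_function": {
        "description": "Return address and size of a named function.",
        "inputSchema": {"type": "object", "properties": {"name": {"type": "string"}},
                        "required": ["name"]},
        "handler": tool_get_function},
}


def _error(req_id: Any, code: int, message: str) -> Dict[str, Any]:
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def handle(msg: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Dispatch one JSON-RPC message; returns the response, or None for notifications."""
    if "id" not in msg:                      # notification, e.g. notifications/initialized
        return None
    req_id, method = msg["id"], msg.get("method")
    params = msg.get("params") or {}
    if method == "initialize":
        result = {"protocolVersion": PROTOCOL_VERSION, "capabilities": {"tools": {}},
                  "serverInfo": {"name": "ghidra-mcp-demo", "version": "0.1"}}
    elif method == "tools/list":
        result = {"tools": [{"name": n, "description": t["description"],
                             "inputSchema": t["inputSchema"]} for n, t in TOOLS.items()]}
    elif method == "tools/call":
        tool = TOOLS.get(params.get("name"))
        if tool is None:
            return _error(req_id, -32602, f"unknown tool {params.get('name')!r}")
        try:
            text = tool["handler"](params.get("arguments") or {})
            result = {"content": [{"type": "text", "text": text}], "isError": False}
        except Exception as exc:             # tool failures go back in-band so the LLM can recover
            result = {"content": [{"type": "text", "text": str(exc)}], "isError": True}
    else:
        return _error(req_id, -32601, f"method not found: {method}")
    return {"jsonrpc": "2.0", "id": req_id, "result": result}


def serve_stdio() -> None:
    """Transport loop a desktop LLM client drives: one JSON object per line, stdin to stdout."""
    for line in sys.stdin:
        if line.strip():
            resp = handle(json.loads(line))
            if resp is not None:
                sys.stdout.write(json.dumps(resp) + "\n")
                sys.stdout.flush()


def scripted_exchange() -> List[Optional[Dict[str, Any]]]:
    """The client side of one session, in the order an LLM host sends it."""
    client = [
        {"jsonrpc": "2.0", "id": 1, "method": "initialize",
         "params": {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                    "clientInfo": {"name": "demo-client", "version": "0"}}},
        {"jsonrpc": "2.0", "method": "notifications/initialized"},
        {"jsonrpc": "2.0", "id": 2, "method": "tools/list"},
        {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
         "params": {"name": "list_functions", "arguments": {"prefix": "parse"}}},
        {"jsonrpc": "2.0", "id": 4, "method": "tools/call",
         "params": {"name": "get_function", "arguments": {"name": "nope"}}},
    ]
    return [handle(m) for m in client]


if __name__ == "__main__":
    if "--stdio" in sys.argv:                # run under a real MCP client
        serve_stdio()
    else:                                    # print the scripted exchange
        for r in scripted_exchange():
            print(json.dumps(r))
```

Note the two error channels: a JSON-RPC error is for protocol-level problems (unknown method or tool), while a failed tool call still returns a normal result with `isError: true`, so the model can read the message and adjust its next call. In a real server, keep tools narrow and read-only by default; a tool that writes to the program or runs arbitrary scripts is an execution primitive handed to whatever prompt reaches the model.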

VII. Q&A

  • Open floor for participant questions

John McIntosh, @clearbluejar, is a security researcher at Clearseclabs. His area of expertise lies within reverse engineering and offensive security, where he demonstrates proficiency in binary analysis, patch diffing, and vulnerability discovery. Notably, John has developed multiple open-source security tools for vulnerability research, all of which are accessible on his GitHub page.

Additionally, his website, https://clearbluejar.github.io/, features detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. Boasting over a decade of experience in offensive security, John is a distinguished presenter and educator at prominent security conferences internationally. He maintains a fervent commitment to sharing his latest research, acquiring fresh perspectives on binary analysis, and engaging in collaborative efforts with fellow security enthusiasts.
