MCP server for Ghidra API workflow retrieval

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for Taardisaa from gravatar.com Taardisaa

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Taardisaa
  • Tags api , ghidra , mcp , reverse-engineering , workflow
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

Ghidra-Script-Helper

A MCP tool that helps LLMs write correct Ghidra scripts by providing API-callflows extracted from Ghidra's own source code.

Problem Statement

LLMs frequently get Ghidra API call sequences wrong. Decompiling a function isn't a single API call; it requires constructing a DecompInterface, calling openProgram(), obtaining a Function, invoking decompileFunction(), checking decompileCompleted(), and calling dispose(). Miss any step and the script silently fails.

This tool automatically extracts these workflow patterns from Ghidra's own source code, indexes them vis chromadb, and serves them via MCP so any agent tools can query them.

MCP Tools

Tool Purpose Input
initialize_index Build the RAG database (run once before first use) Optional path to local Ghidra source
get_index_info Show Ghidra version, build timestamp, and record counts
clear_index Delete the index (use before a clean rebuild)
get_workflows Find API call sequences for a task Natural-language task description
get_api_doc Look up a class or method (fuzzy match) Class/method name or keyword
list_related_apis Find co-occurring APIs Class name

Example

initialize_index()                                    # first-time setup; clones Ghidra automatically
initialize_index("/path/to/ghidra")                   # or point at a local Ghidra source tree

get_workflows("decompile a function to C code")

Returns:

Workflow: decompileFunction
Source: Ghidra/Features/Decompiler/src/test/...

1. new DecompInterface()
2. ifc.openProgram(...)       [uses ifc from step 1]
3. program.getListing().getFunctionAt(...)
4. ifc.decompileFunction(...) [uses func from step 3]
5. res.decompileCompleted()
6. res.getDecompiledFunction().getC()
7. ifc.dispose()

Setup

Quick start (from PyPI)

1. Add the server to Claude Code:

claude mcp add ghidra-workflow -- uvx ghidra-api-mcp

Or for Claude Desktop, add to your config file (~/.config/Claude/claude_desktop_config.json on Linux, ~/Library/Application Support/Claude/claude_desktop_config.json on macOS, %APPDATA%\Claude\claude_desktop_config.json on Windows):

{
  "mcpServers": {
    "ghidra-workflow": {
      "command": "uvx",
      "args": ["ghidra-api-mcp"]
    }
  }
}

2. Build the index on first use:

Call initialize_index from Claude — it will clone Ghidra automatically and build the RAG database (takes 10–30 minutes). Subsequent sessions reuse the built index.

From source

git clone https://github.com/Taardisaa/Ghidra-Script-Helper.git
cd Ghidra-Script-Helper
python3 -m venv .venv
.venv/bin/pip install -e ".[dev]"

Add to Claude Code:

claude mcp add ghidra-workflow -- uv run --directory /path/to/Ghidra-Script-Helper ghidra-api-mcp

Or build the index offline first (CLI):

# Auto-clone Ghidra
ghidra-api-mcp-admin build-index

# Or point at a local Ghidra source tree
ghidra-api-mcp-admin build-index --ghidra-path /path/to/ghidra

Inspect / test without MCP:

ghidra-api-mcp-admin inspect info                               # get_index_info
ghidra-api-mcp-admin inspect workflows "decompile a function"   # get_workflows
ghidra-api-mcp-admin inspect api-doc DecompInterface            # get_api_doc
ghidra-api-mcp-admin inspect related DecompInterface            # list_related_apis

Clear the index:

ghidra-api-mcp-admin clear-index

How It Works

[1. Collect]  Enumerate Java files from Ghidra source (tests, examples, main code)
      ↓
[2. Parse]    tree-sitter Java → AST
      ↓
[3. Extract]  Identify ghidra.* API calls per function
              Track variable assignments to build data-flow edges
              Build call-chain graphs: call_A --output_feeds--> call_B
      ↓
[4. Index]    Store call chains + source snippets in ChromaDB
              Embed with semantic vectors for natural-language search
      ↓
[5. Serve]    MCP server retrieves relevant workflows at query time

Data sources are ranked by trust: Ghidra's own tests and examples surface first, main source code second.

Development

# Run tests
.venv/bin/pytest -v

# Lint
.venv/bin/ruff check src/ tests/

Note

Warnings when indexing chromadb: The following error may appear during indexing:

[W:onnxruntime:Default, device_discovery.cc:164 DiscoverDevicesForPlatform] GPU device discovery failed: device_discovery.cc:89 ReadFileContents Failed to open file: "/sys/class/drm/card0/device/vendor"

This is expected. It will fallback to CPU embedding if GPU is unavailable.

License

MIT

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for Taardisaa from gravatar.com Taardisaa

Unverified details

These details have not been verified by PyPI
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Taardisaa
  • Tags api , ghidra , mcp , reverse-engineering , workflow
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

This version

1.0.3

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ghidra_api_mcp-1.0.3.tar.gz (30.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

ghidra_api_mcp-1.0.3-py3-none-any.whl (24.2 kB view details)

Uploaded Python 3

File details

Details for the file ghidra_api_mcp-1.0.3.tar.gz.

File metadata

  • Download URL: ghidra_api_mcp-1.0.3.tar.gz
  • Upload date:
  • Size: 30.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for ghidra_api_mcp-1.0.3.tar.gz
Algorithm Hash digest
SHA256 526eec723fb3cdfb097facd04f9353094d181ab6225d3d86a593c60968e18d72
MD5 63e07b28d69f369b7a3cdc220958dc3c
BLAKE2b-256 36072912e0ee4e2300b3411b39ede7391f03785db87a3fa972ad16df3dc6ce99

See more details on using hashes here.

Provenance

The following attestation bundles were made for ghidra_api_mcp-1.0.3.tar.gz:

Publisher: pypi.yml on Taardisaa/ghidra-api-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ghidra_api_mcp-1.0.3-py3-none-any.whl.

File metadata

  • Download URL: ghidra_api_mcp-1.0.3-py3-none-any.whl
  • Upload date:
  • Size: 24.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for ghidra_api_mcp-1.0.3-py3-none-any.whl
Algorithm Hash digest
SHA256 bbc85d54c07b1f0f6f039112f14dbf79eda263b1e55e65fb8ee0f1eb532e3a6e
MD5 a2ac171e0c62d0daa7ab5c2eaae35fc1
BLAKE2b-256 a357262cb248f933a4a3c33bd4a89b484d98bd23470641a31dc101294193c512

See more details on using hashes here.

Provenance

The following attestation bundles were made for ghidra_api_mcp-1.0.3-py3-none-any.whl:

Publisher: pypi.yml on Taardisaa/ghidra-api-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page