Lightweight MCP server for Ghidra-based reverse engineering with iOS, Linux, and game file support

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for johnzfitch from gravatar.com johnzfitch

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Zack Fitch
  • Maintainer: Zack Fitch
  • Tags elf , game-hacking , ghidra , ios , macho , mcp , reverse-engineering
  • Requires: Python >=3.11
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

pyghidra-lite

PyPI Python License MCP

Token-efficient MCP server for Ghidra-based reverse engineering. Analyze ELF, Mach-O, and PE binaries with Swift, Objective-C, and Hermes support.

Quick Start

1. Prerequisites

JDK 21+ and Ghidra 11.x are required.

# macOS
brew install openjdk@21
brew install --cask ghidra

# Ubuntu/Debian
sudo apt install openjdk-21-jdk
# Download Ghidra from https://ghidra-sre.org

# Arch Linux
sudo pacman -S jdk21-openjdk
yay -S ghidra

Ghidra at /opt/ghidra or ~/ghidra is found automatically. Set GHIDRA_INSTALL_DIR only for non-standard paths.

2. Install pyghidra-lite

pip install pyghidra-lite

3. Add to Claude Code

Create .mcp.json in your project (or ~/.claude.json for global):

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite"
    }
  }
}

4. Use it

You: Analyze the binary at /path/to/binaries/app

Claude: [calls load, info, code...]

Installation

PyPI (recommended)

pip install pyghidra-lite

Arch Linux (AUR)

yay -S python-pyghidra-lite

From source

git clone https://github.com/johnzfitch/pyghidra-lite
cd pyghidra-lite
pip install -e .

MCP Configuration

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "uvx",
      "args": ["pyghidra-lite"]
    }
  }
}

uvx auto-installs pyghidra-lite from PyPI on first run. Ghidra is auto-detected; set GHIDRA_INSTALL_DIR in env if needed:

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "uvx",
      "args": ["pyghidra-lite"],
      "env": {
        "GHIDRA_INSTALL_DIR": "/path/to/ghidra"
      }
    }
  }
}

Claude Code

Create .mcp.json in your project (or ~/.claude.json for global):

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite"
    }
  }
}

Direct mode (skip proxy)

For single-session use or debugging, run the server directly:

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite",
      "args": ["serve"]
    }
  }
}

With explicit Ghidra path

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite",
      "args": [
        "serve",
        "--ghidra-dir", "/path/to/ghidra"
      ]
    }
  }
}

Restrict to specific paths

By default, pyghidra-lite can load binaries from any path (the MCP client handles permissions). Use --restrict-path to lock down access:

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite",
      "args": [
        "serve",
        "--restrict-path", "/home/user/binaries",
        "--restrict-path", "/opt/targets"
      ]
    }
  }
}

Tools (8)

pyghidra-lite provides 8 consolidated tools that auto-detect format (ELF/Mach-O/PE) and language (Swift/ObjC/Hermes):

Tool Purpose Key Parameters
load Import and analyze binary path, profile?, fresh?, bootstrap?, bootstrap_mode?
delete Remove binary and cancel jobs name
binaries List binaries + job status jobs?, rank_sources?
info Binary overview binary, detail? (summary/full/format/sections/entropy)
functions List/search functions binary, query?, type? (all/swift/objc/imports/exports)
code Decompile or disassemble binary, target, what? (decompile/asm), cfg?
xrefs References and call graphs binary, target, direction?, depth?, diff?
search Find strings, bytes, symbols binary, query, type?, mode?, bg?

Examples

# Import and analyze
load("/path/to/binary", profile="fast")

# Version-track from a prior build, including synthetic IDs for unnamed code
load("/path/to/new.bin", profile="deep", bootstrap="old.bin", bootstrap_mode="all")

# Get overview with full triage
info("mybinary", detail="full")

# List Swift functions
functions("mybinary", type="swift")

# Decompile with CFG
code("mybinary", "main", cfg=True)

# Search strings in background
search("mybinary", ["password", "api_key"], bg=True)

# Get cross-references
xrefs("mybinary", "malloc", depth=2)

Auto-Detection

All tools automatically detect:

  • Format: ELF, Mach-O, PE
  • Language: Swift, Objective-C, Hermes/React Native
  • Runtime: Bun, Node.js, Electron, PyInstaller

Use the type and detail parameters to access format/language-specific features.

Bootstrap Modes

  • bootstrap_mode="named": transfer only meaningful source names (default).
  • bootstrap_mode="all": also assign stable synthetic labels to source FUN_* functions during transfer, which is useful for large version-to-version bootstrap workflows where uniqueness matters more than semantics.

Analysis Profiles

Profile Use Case
fast Quick triage, disables 20 slow analyzers (default)
default Balanced, full Ghidra analysis
deep Thorough analysis for obfuscated code

The server defaults to fast to stay within MCP timeout limits. Use load(fresh=True) to run deeper analysis when needed:

# Default import uses fast profile
load("/path/to/binary")

# Re-analyze with deep profile
load("/path/to/binary", profile="deep", fresh=True)

Token Efficiency

pyghidra-lite is designed for minimal token usage:

  • Compact output by default - functions(binary, type="all") returns minimal {name, addr} pairs
  • Opt-in detail - use info(detail="full"), code(cfg=True), or richer type/what modes only when needed
  • Progress reporting - large imports report progress every 10% or 60s
  • Truncated strings - long strings capped at 500 chars

Architecture

By default, pyghidra-lite runs as a lightweight stdio proxy (~10MB) that forwards to a persistent shared HTTP backend (~500MB JVM). Multiple sessions share a single JVM instead of each spawning their own.

Claude Code session 1 ──stdio──> proxy ──┐
Claude Code session 2 ──stdio──> proxy ──┼──HTTP──> shared backend (1 JVM)
Claude Code session 3 ──stdio──> proxy ──┘        localhost:19101

The proxy auto-starts the backend on first use and the backend auto-exits after 30 minutes of idle. A file lock prevents concurrent proxy starts from spawning duplicate backends.

Command What it does
pyghidra-lite Stdio proxy (default) -- auto-starts backend
pyghidra-lite serve Direct stdio server (1 JVM per session)
pyghidra-lite serve -t streamable-http Start persistent HTTP backend manually
pyghidra-lite stop Stop the shared backend

Set PYGHIDRA_LITE_NO_AUTOSTART=1 to disable auto-start (useful with systemd).

Multi-Agent Support

Each binary gets its own Ghidra project, enabling:

  • Parallel analysis of different binaries
  • Shared results across agents
  • Persistent analysis (survives restarts)
  • Content-addressed storage (same binary = same analysis)

Projects stored in ~/.local/share/pyghidra-lite/projects/.

Links

License

MIT

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for johnzfitch from gravatar.com johnzfitch

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Zack Fitch
  • Maintainer: Zack Fitch
  • Tags elf , game-hacking , ghidra , ios , macho , mcp , reverse-engineering
  • Requires: Python >=3.11
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

This version

0.6.0

0.4.0

0.3.0

0.2.0

0.1.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pyghidra_lite-0.6.0.tar.gz (172.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

pyghidra_lite-0.6.0-py3-none-any.whl (89.8 kB view details)

Uploaded Python 3

File details

Details for the file pyghidra_lite-0.6.0.tar.gz.

File metadata

  • Download URL: pyghidra_lite-0.6.0.tar.gz
  • Upload date:
  • Size: 172.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyghidra_lite-0.6.0.tar.gz
Algorithm Hash digest
SHA256 c7ee9d64a3a244e73cdc3e4075936902c7aaf6199b5f5db347d8df0c458fd8eb
MD5 add39d922dc14d7d0897c19268e710d9
BLAKE2b-256 6d8c2e6114e485158fb2b0abf731cebcc926398ed0530436b38d922a710c57ca

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyghidra_lite-0.6.0.tar.gz:

Publisher: publish.yml on johnzfitch/pyghidra-lite

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyghidra_lite-0.6.0-py3-none-any.whl.

File metadata

  • Download URL: pyghidra_lite-0.6.0-py3-none-any.whl
  • Upload date:
  • Size: 89.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyghidra_lite-0.6.0-py3-none-any.whl
Algorithm Hash digest
SHA256 5bb18dc449eb4e48d9f6ce605634f82c912d0f4042cddabc2d0083599ca4586f
MD5 c1da4e57de509b54b56f445f3b7da4a0
BLAKE2b-256 7edac69a62e88ce5081676ae3f160de180d1cd6994153a29c1dc43fb2da4ea44

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyghidra_lite-0.6.0-py3-none-any.whl:

Publisher: publish.yml on johnzfitch/pyghidra-lite

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page