Lightweight MCP server for Ghidra-based reverse engineering with iOS, Linux, and game file support

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for johnzfitch from gravatar.com johnzfitch

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Zack Fitch
  • Maintainer: Zack Fitch
  • Tags elf , game-hacking , ghidra , ios , macho , mcp , reverse-engineering
  • Requires: Python >=3.11
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

pyghidra-lite

PyPI Python License MCP

Token-efficient MCP server for Ghidra-based reverse engineering. Analyze ELF, Mach-O, and PE binaries with Swift, Objective-C, and Hermes support.

Quick Start

1. Install Ghidra (11.x required)

# Arch Linux
yay -S ghidra

# Or download from https://ghidra-sre.org

Ghidra at /opt/ghidra or ~/ghidra is found automatically. Set GHIDRA_INSTALL_DIR only for non-standard paths.

2. Install pyghidra-lite

pip install pyghidra-lite

3. Add to Claude Code

Create .mcp.json in your project (or ~/.claude.json for global):

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite",
      "args": ["--allow-path", "/path/to/binaries"]
    }
  }
}

4. Use it

You: Analyze the binary at /path/to/binaries/app

Claude: [calls import_binary, list_functions, decompile...]

Installation

PyPI (recommended)

pip install pyghidra-lite

Arch Linux (AUR)

yay -S python-pyghidra-lite

From source

git clone https://github.com/johnzfitch/pyghidra-lite
cd pyghidra-lite
pip install -e .

MCP Configuration

Basic (allow specific paths)

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite",
      "args": ["--allow-path", "/home/user/binaries"]
    }
  }
}

With explicit Ghidra path

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite",
      "args": [
        "--ghidra-dir", "/path/to/ghidra",
        "--allow-path", "/home/user/binaries"
      ]
    }
  }
}

Multiple paths

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite",
      "args": [
        "--allow-path", "/home/user/binaries",
        "--allow-path", "/opt/targets"
      ]
    }
  }
}

Allow any path (development only)

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite",
      "args": ["--allow-any-path"]
    }
  }
}

Tools

Core (3)

Tool Description
import_binary Import binary with async progress reporting
delete_binary Remove from project
reanalyze Re-run with different profile

Discovery (4)

Tool Description
list_binaries List loaded binaries
list_functions Functions with metadata (compact by default)
list_imports Imports with capability tags
list_exports Exported symbols

Analysis (8)

Tool Description
get_function_info Function metadata and callers/callees
disassemble Assembly for a function
decompile Pseudo-C with callees and strings
batch_decompile Decompile multiple functions
get_xrefs Cross-references
get_callees What a function calls
call_graph Call graph with configurable depth
memory_map Memory layout with permissions

Search (2)

Tool Description
search_strings Strings with xrefs
search_symbols Symbol name search

Data (2)

Tool Description
read_bytes Raw memory
read_string Null-terminated string

ELF (4)

Tool Description
elf_info ELF structure summary
elf_sections ELF sections
elf_symbols ELF symbols
elf_got_plt GOT/PLT entries

Mach-O (3)

Tool Description
macho_info Mach-O structure summary
macho_segments Segments and sections
macho_dylibs Linked dylibs

Swift (4)

Tool Description
swift_functions Swift functions (demangled)
swift_types Swift types from metadata
swift_decompile Decompile with demangled names
demangle Swift symbol demangling

Objective-C (3)

Tool Description
objc_classes Objective-C classes
objc_methods Objective-C methods
objc_decompile Method decompile

Hermes (3)

Tool Description
hermes_info Hermes bundle summary
hermes_components React component names
hermes_endpoints API endpoints/URLs

Analysis Profiles

Profile Use Case
fast Quick triage, disables 20 slow analyzers (default)
default Balanced, full Ghidra analysis
deep Thorough analysis for obfuscated code

The server defaults to fast to stay within MCP timeout limits. Use reanalyze to run deeper analysis when needed:

# Default import uses fast profile
import_binary("/path/to/binary")

# Re-analyze with deep profile when you need more detail
reanalyze("binary-name", profile="deep")

Token Efficiency

pyghidra-lite is designed for minimal token usage:

  • Compact output by default - list_functions returns minimal fields
  • Opt-in verbosity - pass compact=false for full metadata
  • Progress reporting - large imports report progress every 10% or 60s
  • Truncated strings - long strings capped at 500 chars

Multi-Agent Support

Each binary gets its own Ghidra project, enabling:

  • Parallel analysis of different binaries
  • Shared results across agents
  • Persistent analysis (survives restarts)
  • Content-addressed storage (same binary = same analysis)

Projects stored in ~/.local/share/pyghidra-lite/projects/.

Links

License

MIT

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for johnzfitch from gravatar.com johnzfitch

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Zack Fitch
  • Maintainer: Zack Fitch
  • Tags elf , game-hacking , ghidra , ios , macho , mcp , reverse-engineering
  • Requires: Python >=3.11
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.6.0

0.4.0

0.3.0

This version

0.2.0

0.1.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pyghidra_lite-0.2.0.tar.gz (105.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

pyghidra_lite-0.2.0-py3-none-any.whl (51.2 kB view details)

Uploaded Python 3

File details

Details for the file pyghidra_lite-0.2.0.tar.gz.

File metadata

  • Download URL: pyghidra_lite-0.2.0.tar.gz
  • Upload date:
  • Size: 105.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyghidra_lite-0.2.0.tar.gz
Algorithm Hash digest
SHA256 8fa85c5abeea132caf2f43f39872dc865f067e5bacac9979afca04d31d41681d
MD5 3339d9ae46698242ec14ddc4ca1be517
BLAKE2b-256 43bf48c2a2bcfaf7b86387799738c104b4856651f5e7155045b7f17151acab31

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyghidra_lite-0.2.0.tar.gz:

Publisher: publish.yml on johnzfitch/pyghidra-lite

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyghidra_lite-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: pyghidra_lite-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 51.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyghidra_lite-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 80cff277ac7491aaf647a7d0c25807f6c2426d930741bfe423cb32a22b9153a1
MD5 3ca1803ddc4ae603f235be7489368f56
BLAKE2b-256 8f269e22a7150f6b80b6200706e5727553b78d0f8e655bc1cd3fdca902309946

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyghidra_lite-0.2.0-py3-none-any.whl:

Publisher: publish.yml on johnzfitch/pyghidra-lite

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page