Lightweight MCP server for Ghidra-based reverse engineering with iOS, Linux, and game file support

Project description

pyghidra-lite

Token-efficient MCP server for Ghidra-based reverse engineering. Analyze ELF, Mach-O, and PE binaries with Swift, Objective-C, and Hermes support.

Quick Start

1. Install Ghidra (11.x required)

# Arch Linux
yay -S ghidra

# Or download from https://ghidra-sre.org

Ghidra at /opt/ghidra or ~/ghidra is found automatically. Set GHIDRA_INSTALL_DIR only for non-standard paths.

2. Install pyghidra-lite

pip install pyghidra-lite

3. Add to Claude Code

Create .mcp.json in your project (or use ~/.claude.json for a global configuration):

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite",
      "args": ["--allow-path", "/path/to/binaries"]
    }
  }
}

4. Use it

You: Analyze the binary at /path/to/binaries/app

Claude: [calls import_binary, list_functions, decompile...]

Installation

PyPI (recommended)

pip install pyghidra-lite

Arch Linux (AUR)

yay -S python-pyghidra-lite

From source

git clone https://github.com/johnzfitch/pyghidra-lite
cd pyghidra-lite
pip install -e .

MCP Configuration

Basic (allow specific paths)

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite",
      "args": ["--allow-path", "/home/user/binaries"]
    }
  }
}

With explicit Ghidra path

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite",
      "args": [
        "--ghidra-dir", "/path/to/ghidra",
        "--allow-path", "/home/user/binaries"
      ]
    }
  }
}

Multiple paths

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite",
      "args": [
        "--allow-path", "/home/user/binaries",
        "--allow-path", "/opt/targets"
      ]
    }
  }
}

Allow any path (development only)

{
  "mcpServers": {
    "pyghidra-lite": {
      "command": "pyghidra-lite",
      "args": ["--allow-any-path"]
    }
  }
}
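
A check a reviewer could run over a .mcp.json before committing it, as an added example (not part of pyghidra-lite): it flags pyghidra-lite entries that pass --allow-any-path or whose --allow-path is relative or a broad root. The SAMPLE config, the BROAD_ROOTS set, the severity labels and the handling of the --allow-path=value spelling are assumptions of this example.

```python
import json
import os

# Roots this example treats as too broad for an allow-list (an assumption).
BROAD_ROOTS = {"/", "/home", "/opt", "/usr", "/var", os.path.expanduser("~")}

# Constructed sample config, not taken from the page.
SAMPLE = """
{"mcpServers": {
  "re-dev":   {"command": "pyghidra-lite", "args": ["--allow-any-path"]},
  "re-broad": {"command": "pyghidra-lite", "args": ["--allow-path", "/"]},
  "re-ok":    {"command": "pyghidra-lite", "args": ["--allow-path", "/srv/re/binaries"]},
  "other":    {"command": "some-other-server", "args": ["--allow-any-path"]}
}}
"""


def allow_paths(args):
    """Collect --allow-path values in 'flag value' and 'flag=value' form."""
    paths = []
    for i, arg in enumerate(args):
        if arg == "--allow-path" and i + 1 < len(args):
            paths.append(args[i + 1])
        elif arg.startswith("--allow-path="):
            paths.append(arg.split("=", 1)[1])
    return paths


def audit_mcp_config(text):
    """Return (server, severity, message) findings for pyghidra-lite entries."""
    findings = []
    for name, entry in json.loads(text).get("mcpServers", {}).items():
        # Only entries that launch pyghidra-lite are in scope.
        if os.path.basename(entry.get("command", "")) != "pyghidra-lite":
            continue
        args = entry.get("args", [])
        if "--allow-any-path" in args:
            findings.append((name, "high", "--allow-any-path is for development only"))
        for path in allow_paths(args):
            norm = os.path.normpath(os.path.expanduser(path))
            if not os.path.isabs(norm):
                findings.append((name, "medium", f"relative allow-path {path!r}"))
            elif norm in BROAD_ROOTS:
                findings.append((name, "medium", f"allow-path {path!r} is a broad root"))
    return findings


if __name__ == "__main__":
    for finding in audit_mcp_config(SAMPLE):
        print(*finding, sep=": ")
```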

Tools

Core (3)

Tool                Description
import_binary       Import binary with async progress reporting
delete_binary       Remove from project
reanalyze           Re-run with different profile

Discovery (4)

Tool                Description
list_binaries       List loaded binaries
list_functions      Functions with metadata (compact by default)
list_imports        Imports with capability tags
list_exports        Exported symbols

Analysis (8)

Tool                Description
get_function_info   Function metadata and callers/callees
disassemble         Assembly for a function
decompile           Pseudo-C with callees and strings
batch_decompile     Decompile multiple functions
get_xrefs           Cross-references
get_callees         What a function calls
call_graph          Call graph with configurable depth
memory_map          Memory layout with permissions

Search (2)

Tool                Description
search_strings      Strings with xrefs
search_symbols      Symbol name search

Data (2)

Tool                Description
read_bytes          Raw memory
read_string         Null-terminated string

ELF (4)

Tool                Description
elf_info            ELF structure summary
elf_sections        ELF sections
elf_symbols         ELF symbols
elf_got_plt         GOT/PLT entries

Mach-O (3)

Tool                Description
macho_info          Mach-O structure summary
macho_segments      Segments and sections
macho_dylibs        Linked dylibs

Swift (4)

Tool                Description
swift_functions     Swift functions (demangled)
swift_types         Swift types from metadata
swift_decompile     Decompile with demangled names
demangle            Swift symbol demangling

Objective-C (3)

Tool                Description
objc_classes        Objective-C classes
objc_methods        Objective-C methods
objc_decompile      Method decompile

Hermes (3)

Tool                Description
hermes_info         Hermes bundle summary
hermes_components   React component names
hermes_endpoints    API endpoints/URLs

Analysis Profiles

Profile   Use Case
fast      Quick triage, disables 20 slow analyzers (default)
default   Balanced, full Ghidra analysis
deep      Thorough analysis for obfuscated code

The server defaults to fast to stay within MCP timeout limits. Use reanalyze to run deeper analysis when needed:

# Default import uses fast profile
import_binary("/path/to/binary")

# Re-analyze with deep profile when you need more detail
reanalyze("binary-name", profile="deep")

Token Efficiency

pyghidra-lite is designed for minimal token usage:

  • Compact output by default - list_functions returns minimal fields
  • Opt-in verbosity - pass compact=false for full metadata
  • Progress reporting - large imports report progress every 10% or 60s
  • Truncated strings - long strings capped at 500 chars

Multi-Agent Support

Each binary gets its own Ghidra project, enabling:

  • Parallel analysis of different binaries
  • Shared results across agents
  • Persistent analysis (survives restarts)
  • Content-addressed storage (same binary = same analysis)

Projects are stored in ~/.local/share/pyghidra-lite/projects/.

License

MIT

Download files

Source Distribution

pyghidra_lite-0.3.0.tar.gz (119.7 kB)

Uploaded Source

Built Distribution

pyghidra_lite-0.3.0-py3-none-any.whl (58.7 kB)

Uploaded Python 3

File details

Details for the file pyghidra_lite-0.3.0.tar.gz.

File metadata

  • Download URL: pyghidra_lite-0.3.0.tar.gz
  • Upload date:
  • Size: 119.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyghidra_lite-0.3.0.tar.gz
Algorithm     Hash digest
SHA256        e65622e5cad3abb0eb6f51a1119cc37134d66c57f275d3d6be20e869d07b8ac6
MD5           ef947323e2c5e53ee05928670d0e27bd
BLAKE2b-256   7f9d6c291012ccb8072cb03c55001d39920372e5565aaf32d336c6ca740b8f83

Provenance

The following attestation bundles were made for pyghidra_lite-0.3.0.tar.gz:

Publisher: publish.yml on johnzfitch/pyghidra-lite

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyghidra_lite-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: pyghidra_lite-0.3.0-py3-none-any.whl
  • Upload date:
  • Size: 58.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyghidra_lite-0.3.0-py3-none-any.whl
Algorithm     Hash digest
SHA256        11bc7fbb8b98ce973de4cb732f10e2a37b909c4fb124299fd42fc9669963eef3
MD5           536af86a3e38629efc9b7329723ee012
BLAKE2b-256   d617788b999d3cc4be3d2c53c8f1bdbfc327e1bae14211cd3f087ec526e8f6f6

Provenance

The following attestation bundles were made for pyghidra_lite-0.3.0-py3-none-any.whl:

Publisher: publish.yml on johnzfitch/pyghidra-lite

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
