Setting up & Configuring GhidraMCP - Using AI for quick Malware Analysis
A while back, I came across an awesome video by LaurieWired about GhidraMCP, which is essentially an MCP (Model Context Protocol) server designed for use with Ghidra. In this blog I will walk through the setup and use of this tool, as I believe its capabilities are highly useful for an initial overview or quick analysis of a malicious file.
Prerequisites
First of all, go check out the GitHub repo for this project; it is worth reading alongside this post.
Then download the latest GhidraMCP release and extract it to a folder of your choice. You should end up with two files, "GhidraMCP-1-4.zip" (do NOT unzip this inner .zip, Ghidra installs it as-is) and "bridge_mcp_ghidra.py", as seen below:
After that, install the latest version of Python. If you want to match the version I use, I am on 3.13.
Make sure to check "Add Python 3.13 to PATH" when installing.
You should then be able to open a CMD prompt, run python --version, and see that Python has been installed successfully.
Since pip comes preinstalled with Python, you should be able to run the next required command, which installs the MCP SDK that the bridge script depends on: pip install "mcp[cli]"
(Be sure to update your pip first!)
Following that, install the Claude Desktop app. You can also use other AI agents for this; examples from Laurie's repo include Cline and 5ire.
Finally, if you don't already have Ghidra installed and set up, then I don't even know why you are reading this blog post. However, it should be noted that GhidraMCP only supports Ghidra up to version 11.3.2, which you can download from this link. Hopefully Laurie will update the extension for newer versions of Ghidra.
After installing Claude and that specific version of Ghidra, you should have everything downloaded and installed and be ready to set it all up.
Installation & Configuration
Open up Ghidra and go to File > Install Extensions; you should see the box below.
Select the big green plus sign in the top right, browse to where you saved the "GhidraMCP-1-4.zip" file, select it, and click OK. You should now have the GhidraMCP extension installed; make sure the checkbox next to it is checked:
Then restart Ghidra for the extension change to take effect.
When Ghidra has restarted, open any binary in it (don't bother with the initial auto-analysis yet, just click No), then go to File > Configure, make sure Developer is checked, click Configure underneath Developer, make sure GhidraMCPPlugin is checked, then click OK.
After that, click OK out of all of those dialogs and restart Ghidra. Then open Claude Desktop, go to Claude > Settings > Developer > Edit Config, open claude_desktop_config.json and add the following JSON into it:
{
  "mcpServers": {
    "ghidra": {
      "command": "python",
      "args": [
        "\\ABSOLUTE_PATH_TO\\bridge_mcp_ghidra.py",
        "--ghidra-server",
        "http://127.0.0.1:8080/"
      ]
    }
  }
}
For example, since my GhidraMCP folder and bridge_mcp_ghidra.py are on my Desktop, my config looks like this:
{
  "mcpServers": {
    "ghidra": {
      "command": "python",
      "args": [
        "C:\\Users\\resetti\\Desktop\\GhidraMCP\\bridge_mcp_ghidra.py",
        "--ghidra-server",
        "http://127.0.0.1:8080/"
      ]
    }
  }
}
Use my config as a guide for what yours should look like. Note that every backslash in the Windows path has to be doubled, because a single backslash is an escape character in JSON; a path with single backslashes will either fail to parse or point at the wrong file.
Once you have edited that config, save it and close Claude completely. This includes quitting it from Task Manager or from the system tray (the little up arrow at the right of the Windows taskbar), since Claude only picks up the new config when it starts.
Then re-open Claude and you should see that the ghidra plugin has been enabled and is listed:
If there are any errors, Claude should let you know when it opens; you can view the logs and figure it out from there. Remember that the bridge only has something to talk to while Ghidra is open with the GhidraMCPPlugin enabled, since that is what serves http://127.0.0.1:8080/.
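Since the config is the step people most often get wrong, here is a small Python helper I am adding to this post (it is my own example, not code from the GhidraMCP project). It builds the ghidra entry shown above, merges it into an existing claude_desktop_config.json without clobbering any other MCP servers you already have, renders it so the backslash escaping comes out right, runs a few sanity checks on the entry, and probes whether the Ghidra-side HTTP server is actually listening before you restart Claude. The bridge script name, the --ghidra-server flag and the http://127.0.0.1:8080/ default come from the config above; all function names and the problem codes are this example's own invention. The loopback check is there because the bridge sends plain HTTP with no credentials to that URL, so pointing it anywhere but your own machine means exposing Ghidra's control API to the network.

```python
"""Added example, not part of the original post or the GhidraMCP project.

Builds, merges, renders and checks the Claude Desktop 'ghidra' MCP entry,
and probes the Ghidra-side HTTP server. Function names and problem codes
are this example's own (assumption); the bridge name, the --ghidra-server
flag and the default URL come from the post's config.
"""
import json
import shutil
import socket
from pathlib import Path, PureWindowsPath
from urllib.parse import urlparse

DEFAULT_GHIDRA_URL = "http://127.0.0.1:8080/"


def ghidra_entry(bridge_path, ghidra_url=DEFAULT_GHIDRA_URL, python_cmd="python"):
    """The entry that goes under mcpServers.ghidra. bridge_path is a normal
    Python string with single backslashes; the doubling happens at render time."""
    return {"command": python_cmd,
            "args": [bridge_path, "--ghidra-server", ghidra_url]}


def merge_config(existing, bridge_path, ghidra_url=DEFAULT_GHIDRA_URL, python_cmd="python"):
    """Return a new config with the ghidra entry added or replaced, keeping
    every other MCP server the user already had configured."""
    merged = dict(existing)
    servers = dict(merged.get("mcpServers", {}))
    servers["ghidra"] = ghidra_entry(bridge_path, ghidra_url, python_cmd)
    merged["mcpServers"] = servers
    return merged


def render_config(config):
    """Serialise to the text you save as claude_desktop_config.json.
    json.dumps doubles every backslash in the Windows path for you."""
    return json.dumps(config, indent=2)


def check_entry(entry, check_filesystem=True):
    """Return a list of problem codes; an empty list means the entry looks usable.
    check_filesystem=False skips the PATH and file checks, e.g. when validating
    a config written for a different machine."""
    problems = []
    args = entry.get("args", [])
    if not args:
        return ["no-args"]
    script = PureWindowsPath(args[0]) if "\\" in args[0] else Path(args[0])
    if not script.is_absolute():            # the \\ABSOLUTE_PATH_TO placeholder trips this
        problems.append("bridge-path-not-absolute")
    if not str(script).lower().endswith("bridge_mcp_ghidra.py"):
        problems.append("unexpected-bridge-script-name")
    if "--ghidra-server" not in args or args.index("--ghidra-server") == len(args) - 1:
        problems.append("missing-ghidra-server-url")
    else:
        url = urlparse(args[args.index("--ghidra-server") + 1])
        # Plain HTTP, no credentials: anything but loopback exposes Ghidra to the network.
        if url.scheme != "http" or url.hostname not in ("127.0.0.1", "localhost", "::1"):
            problems.append("ghidra-url-not-loopback")
    if check_filesystem:
        if shutil.which(entry.get("command", "")) is None:
            problems.append("python-not-on-path")   # "Add Python to PATH" was not ticked
        if not Path(args[0]).is_file():
            problems.append("bridge-script-missing")
    return problems


def ghidra_server_listening(ghidra_url=DEFAULT_GHIDRA_URL, timeout=1.0):
    """True if something accepts TCP connections at the URL's host:port.
    Run with Ghidra open and GhidraMCPPlugin enabled; a refused connection
    means the plugin is not serving and Claude's tool calls will fail."""
    url = urlparse(ghidra_url)
    try:
        with socket.create_connection((url.hostname, url.port or 80), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample: the post's own path plus a pre-existing unrelated server.
    cfg = merge_config({"mcpServers": {"other": {"command": "node", "args": []}}},
                       r"C:\Users\resetti\Desktop\GhidraMCP\bridge_mcp_ghidra.py")
    print(render_config(cfg))
    print("problems:", check_entry(cfg["mcpServers"]["ghidra"], check_filesystem=False))
    print("ghidra listening:", ghidra_server_listening())
```

Run it once with Ghidra open before you restart Claude: if check_entry prints nothing but ghidra_server_listening prints False, the problem is on the Ghidra side (plugin not enabled or Ghidra not restarted), not in your JSON.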
Usage
(I should point out at this stage that it is common for Claude to say "you have used all of your time with Claude for today" after the initial analysis of a binary unless you are on a higher paid plan. Also, Claude and GhidraMCP struggle with large files; Claude will commonly stop before it finishes the analysis. In this example with the DispCashBR malware the binary was 44 KB, so fairly small, and it completed its analysis, including renaming functions and variables, and overall gave a lot of information and a solid overview of the malware. Keep those two things in mind when using this tooling.)
Once you see the plugin is enabled, you should be able to load any binary in Ghidra and ask Claude to perform a specific task on it. For example, I took a DispCashBR ATM malware sample, loaded it into Ghidra, selected "Yes" for the auto-analysis this time, then fed this prompt into Claude:
"rename the functions/variables/DATs inside this binary to what their functionality is, this is an ATM malware known as DispCashBR"
(Some prompts will work better than others; this is what I use for an initial overview, so feel free to get creative with it!)
After I pressed enter, Claude asked for permission to use the tools provided by GhidraMCP; select "Allow always". (This may pop up a few times for different tools.)
Here we can see what the tool is actually doing when we allow it: it is renaming a variable from local_24a to cdm_service_handle, which is a LOT more useful for understanding what the binary is doing.
We can also see Claude describing its process as it analyses the binary; it has already detected that the binary uses the WFS functions of the XFS (eXtensions for Financial Services, originally WOSA/XFS) API, which ATM software uses to talk to hardware such as the cash dispenser (the CDM in cdm_service_handle is the XFS cash dispenser service class):
Once Claude has finished its analysis, it will give you a final document explaining its findings on the functionality of the binary and which variables/functions/etc. it renamed.
Here we can see all of Claude's hard work in its glory:
We can also see in Ghidra, that the functions AND variables have been renamed to better names to help us understand the binary!
Keep in mind that not ALL of the variables will be renamed; this is not an all-in-one solution for analysing malicious binaries. This specific malware was not packed or obfuscated at all, which makes analysis a lot easier for Claude. A packed or obfuscated sample needs the usual unpacking first, since the model only ever sees what Ghidra's decompiler can produce.
Overall, I use this tool quite frequently to get a solid overview of a binary and to highlight which functions I should start looking at first when doing deeper analysis in Ghidra.
I hope this tutorial/showcase was interesting and helpful. If you have any questions, feel free to message me on Twitter/X.
Thanks for reading.