
Offensive Security Tool Development with Ghidra: From Custom CLI Tools to an MCP Server (Recon 2025)

clearseclabs
Cyber Security Research & Training

"We had an incredible time walking participants through the full arc—from scripting custom CLI tools in Ghidra to launching their own fully functional MCP servers. Watching people connect reverse engineering workflows to natural language interfaces felt like watching the future unfold in real time. The energy in the room was electric and the hands-on breakthroughs made this one of our most rewarding sessions yet. We wrapped up by meeting a ton of brilliant folks at the after party where great ideas and fresh perspectives flowed straight from the community." - CSL


The following is a workshop CLEARSECLABS delivered at Recon Montreal in 2025.

Elevate your cybersecurity workflow with Ghidra’s robust support for command line tools in this immersive, hands-on workshop. Tailored for developers and security analysts, you'll be guided through setting up a high-performance development environment using the Ghidra Python VSCode Devcontainer. Learn how to automate repetitive tasks, create custom analysis scripts, and integrate Ghidra's cutting-edge decompilation and disassembly features—complete with full debugging support right in VS Code.

The session begins with the fundamentals, introducing you to custom CLI tool development through simple, practical examples. As you build on this foundation, the workshop culminates in a hands-on exercise where you will develop a Python3 Model Context Protocol (MCP) server compatible with Claude AI and other LLM clients. This dynamic MCP server acts as an interface for automating Ghidra tasks via natural language commands, paving the way for LLM-assisted reverse engineering. By the end of this workshop, you'll have firsthand experience building an MCP server, working with Ghidra's powerful program API, and gaining a deeper understanding of how LLMs can streamline automation and enhance your reverse engineering processes.


Workshop: Offensive Security Tool Development with Ghidra: From Custom CLI Tools to an MCP Server


Minimum prerequisites:

  • Laptop (Intel or ARM)
  • VS Code
  • Docker
  • For the MCP LLM section, one of the following:
      • GitHub free account (for access to the free AI model tier)
      • Claude for Desktop app with a free tier account
      • Laptop able to run a local model (see [https://medium.com/@clearbluejar/supercharging-ghidra-using-local-llms-with-ghidramcp-via-ollama-and-openweb-ui-794cef02ecf7](https://medium.com/@clearbluejar/supercharging-ghidra-using-local-llms-with-ghidramcp-via-ollama-and-openweb-ui-794cef02ecf7))

I. Introduction

  • Overview of Ghidra and its capabilities
  • The importance of command-line tools in reverse engineering
  • Introduction to the Ghidra Python VSCode Devcontainer Skeleton
  • Meet PyGhidra: Ghidra's official support for Python 3

II. Setting Up the Environment

  • Cloning the repository and exploring its structure
  • Setting up VSCode and the devcontainer for Ghidra scripting

III. Basic Ghidra Command-Line Operations

  • Navigating PyGhidra and leveraging Ghidra’s Program API
  • Importing and analyzing binaries
  • Exploring various methods for scripting Ghidra in Python
  • Following best practices for scripting and analysis

IV. Python Development with Ghidra

  • Writing basic scripts to automate tasks in Ghidra
  • Utilizing the Ghidra API for advanced scripting
  • Debugging and optimizing scripts
  • Leverage AI to kickstart your Ghidra scripts

Challenges:

  • Analyze Binaries: Use PyGhidra to explore and analyze your first binary, focusing on enumerating functions, disassembly listings, leveraging typings, and Ghidra's Program API.
  • Port Java-Based Script to Python 3: Learn how to translate useful Java Ghidra scripts into Python 3 while maintaining functionality.
  • Automate Call Graph Analysis: Create a recursive Ghidra Python script to map and analyze function call graphs.
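The call-graph challenge above, worked through as an added example (this is not code from the workshop or from CLEARSECLABS). The Ghidra-backed part assumes the `pyghidra` package is installed with `GHIDRA_INSTALL_DIR` pointing at a Ghidra install and uses PyGhidra's `open_program()` plus `Function.getCalledFunctions()`; the recursive traversal is plain Python and is exercised here on a small constructed graph, `SAMPLE_GRAPH`, so it runs without Ghidra. It goes slightly beyond the challenge text by also inverting the graph (who calls a function) and enumerating call paths from a root to a named sink, the two questions a practitioner usually asks of a call graph.

```python
"""Recursive call-graph mapping with PyGhidra (added example, not workshop code)."""
import sys

try:
    import pyghidra  # only needed for extract_call_graph(); optional otherwise
except ImportError:
    pyghidra = None


def extract_call_graph(binary_path: str) -> dict[str, set[str]]:
    """Return {caller: {callee, ...}} for every function Ghidra finds.

    open_program() imports and auto-analyzes the binary into a Ghidra project
    and yields a FlatProgramAPI; getCalledFunctions() gives direct callees.
    """
    if pyghidra is None:
        raise RuntimeError("pip install pyghidra and set GHIDRA_INSTALL_DIR first")
    graph: dict[str, set[str]] = {}
    with pyghidra.open_program(binary_path) as flat_api:
        program = flat_api.getCurrentProgram()
        monitor = flat_api.getMonitor()
        for func in program.getFunctionManager().getFunctions(True):  # forward order
            callees = func.getCalledFunctions(monitor)
            graph[str(func.getName())] = {str(c.getName()) for c in callees}
    return graph


def walk_callees(graph, root, depth=0, max_depth=5, visited=None, out=None):
    """Recursive depth-first walk from root, returning (depth, name) tuples.

    `visited` stops infinite recursion on cycles (a -> b -> a) and prints an
    already-expanded function as a leaf instead of re-expanding its subtree.
    """
    if visited is None:
        visited = set()
    if out is None:
        out = []
    out.append((depth, root))
    if depth >= max_depth or root in visited:
        return out
    visited.add(root)
    for callee in sorted(graph.get(root, ())):
        walk_callees(graph, callee, depth + 1, max_depth, visited, out)
    return out


def reachable_from(graph, root) -> set[str]:
    """Every function transitively called from root (root itself excluded)."""
    seen, stack = set(), [root]
    while stack:
        for callee in graph.get(stack.pop(), ()):
            if callee not in seen:
                seen.add(callee)
                stack.append(callee)
    return seen


def callers_of(graph, target) -> set[str]:
    """Invert the graph: which functions call `target` directly."""
    return {caller for caller, callees in graph.items() if target in callees}


def find_paths(graph, source, sink, max_depth=8) -> list[list[str]]:
    """All simple call paths from source to sink, up to max_depth edges."""
    paths = []

    def rec(node, path):
        if node == sink:
            paths.append(list(path))
            return
        if len(path) > max_depth:
            return
        for callee in sorted(graph.get(node, ())):
            if callee in path:  # skip cycles
                continue
            path.append(callee)
            rec(callee, path)
            path.pop()

    rec(source, [source])
    return paths


# Constructed sample graph (not from any real binary) so the traversal can be
# tried without Ghidra; note the read_body -> handle_request cycle.
SAMPLE_GRAPH = {
    "main": {"parse_args", "handle_request"},
    "parse_args": {"strlen"},
    "handle_request": {"read_body", "log_message"},
    "read_body": {"strcpy", "handle_request"},
    "log_message": {"printf"},
}

if __name__ == "__main__":
    graph = extract_call_graph(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_GRAPH
    root = sys.argv[2] if len(sys.argv) > 2 else "main"
    sink = sys.argv[3] if len(sys.argv) > 3 else "strcpy"
    for depth, name in walk_callees(graph, root):
        print("  " * depth + name)
    for path in find_paths(graph, root, sink):
        print(f"path to {sink}:", " -> ".join(path))
```

Run as `python callgraph.py ./target.bin main strcpy` to map a real binary, or with no arguments to see the traversal over the constructed graph. Keeping the Ghidra extraction separate from the traversal is deliberate: the JVM start and auto-analysis are the slow part, so the graph is extracted once and the pure-Python queries can be re-run freely (or cached to JSON).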

V. Advanced Techniques

  • Integrating external tools and libraries with Ghidra scripts
  • Customizing the devcontainer for specific use cases

Challenges:

  • Automate Vulnerability Research: Develop a tool to automate decompilation using Ghidra’s built-in analysis and decompiler. Leverage Ghidra's Program API to build a utility that decompiles all functions, then scans the decompiled output for vulnerability patterns using Semgrep.

VI. Building a Ghidra Model Context Protocol Server

  • Understand the basic interaction between an LLM and MCP server
  • Leverage Claude for Desktop to interface with your custom Ghidra MCP

Challenges:

  • Learn to build a custom Ghidra MCP to automate your Ghidra
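An added example covering both the section V challenge (decompile every function and hand the output to Semgrep) and the section VI challenge (expose Ghidra to an LLM through an MCP server). It is not the workshop's code or a CLEARSECLABS project. It assumes `pyghidra` with `GHIDRA_INSTALL_DIR` set for the decompiler, the `semgrep` CLI on `PATH`, and `FastMCP` from the official `mcp` Python SDK; the tool functions are plain Python so they can be exercised with `seed_cache()` on constructed input when none of those are present. The sample Semgrep JSON in the usage notes is constructed, with a placeholder rule id.

```python
"""Decompile-all helper plus a minimal MCP server over it (added example)."""
import json
import re
import subprocess
from pathlib import Path

try:
    import pyghidra  # assumed installed; optional so the cache/tools run alone
except ImportError:
    pyghidra = None
try:
    from mcp.server.fastmcp import FastMCP  # official mcp Python SDK
except ImportError:
    FastMCP = None

# In-memory cache: binary path -> {function name -> decompiled C text}
_DECOMPILED: dict[str, dict[str, str]] = {}


def decompile_all(binary_path: str) -> dict[str, str]:
    """Decompile every function with Ghidra's DecompInterface and cache the C text."""
    if binary_path in _DECOMPILED:
        return _DECOMPILED[binary_path]
    if pyghidra is None:
        raise RuntimeError("pyghidra is required to decompile (pip install pyghidra)")
    result: dict[str, str] = {}
    with pyghidra.open_program(binary_path) as flat_api:
        from ghidra.app.decompiler import DecompInterface  # importable once the JVM is up
        program = flat_api.getCurrentProgram()
        monitor = flat_api.getMonitor()
        ifc = DecompInterface()
        ifc.openProgram(program)
        for func in program.getFunctionManager().getFunctions(True):
            res = ifc.decompileFunction(func, 60, monitor)  # 60 s timeout per function
            if res.decompileCompleted():
                result[str(func.getName())] = str(res.getDecompiledFunction().getC())
        ifc.dispose()
    _DECOMPILED[binary_path] = result
    return result


def seed_cache(binary_path: str, functions: dict[str, str]) -> None:
    """Populate the cache without Ghidra (for offline demos and tests)."""
    _DECOMPILED[binary_path] = dict(functions)


def write_c_files(binary_path: str, out_dir: str) -> list[str]:
    """Write one <name>.c per function so Semgrep can scan the directory."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for name, c_text in decompile_all(binary_path).items():
        safe = re.sub(r"[^A-Za-z0-9_.-]", "_", name)  # function names may contain ':' etc.
        path = out / f"{safe}.c"
        path.write_text(c_text)
        written.append(str(path))
    return sorted(written)


def summarize_semgrep(json_text: str) -> list[dict]:
    """Reduce Semgrep --json output to (function, rule, line, message) records;
    the function name is recovered from the <name>.c filename written above."""
    findings = []
    for r in json.loads(json_text).get("results", []):
        findings.append({
            "function": Path(r["path"]).stem,
            "rule": r["check_id"],
            "line": r["start"]["line"],
            "message": r["extra"]["message"],
        })
    return sorted(findings, key=lambda f: (f["function"], f["line"]))


def run_semgrep(out_dir: str, rules: str = "p/c") -> list[dict]:
    """Invoke the semgrep CLI (assumed on PATH) over the dumped .c files."""
    proc = subprocess.run(["semgrep", "--config", rules, "--json", "--quiet", out_dir],
                          capture_output=True, text=True, check=False)
    return summarize_semgrep(proc.stdout)


# ---- MCP tools: plain functions so they are testable; registered below ----

def list_functions(binary_path: str, pattern: str = "") -> list[str]:
    """Names of decompiled functions, optionally filtered by a regex."""
    return sorted(n for n in decompile_all(binary_path) if re.search(pattern, n))


def get_decompiled(binary_path: str, function_name: str) -> str:
    """Decompiled C for one function, or an explanatory message for the LLM."""
    return decompile_all(binary_path).get(function_name,
                                          f"no function named {function_name!r}")


if FastMCP is not None:
    mcp = FastMCP("ghidra-decompiler")
    mcp.tool()(list_functions)
    mcp.tool()(get_decompiled)
    mcp.tool()(write_c_files)
    if __name__ == "__main__":
        mcp.run(transport="stdio")  # Claude for Desktop launches and talks to this over stdio
```

To connect it, point a `claude_desktop_config.json` server entry at `python ghidra_mcp.py` (the filename is this example's, not the workshop's); the client will then see `list_functions`, `get_decompiled` and `write_c_files` as tools. The decompiled output is cached per binary because the JVM start and analysis dominate runtime, and `get_decompiled` returns a message rather than raising so the LLM gets a usable answer for a bad function name.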

VII. Q&A

  • Open floor for participant questions
