Kawaiidra MCP
A Ghidra MCP Server for Claude Code - Binary Analysis Made Adorable
Keywords: ghidra mcp ghidra-mcp model-context-protocol binary-analysis reverse-engineering decompiler disassembler claude claude-code
A general-purpose Ghidra MCP server that brings the power of Ghidra's headless analyzer and decompiler to Claude Code and other MCP-compatible AI assistants.
Features
Core Features
Analyze any binary: PE (Windows), ELF (Linux), Mach-O (macOS), and raw firmware
Decompile functions: Get C code from compiled binaries
Disassembly: View assembly listings
Cross-references: Find function callers and callees
String analysis: Search and list strings in binaries
Export results: Save analysis to JSON for further processing
Multi-project support: Organize analyses into separate Ghidra projects
Advanced Analysis (LLM-Optimized)
Call graphs: Extract hierarchical function relationships
Library detection: Identify OpenSSL, zlib, Qt, Windows API, and more
Semantic search: Find code by behavior (file I/O, network, crypto, memory ops)
Context extraction: Get functions with all dependencies for complete understanding
Data structures: Extract struct/class definitions and enums
Control flow graphs: Analyze function logic with basic blocks
Vulnerability detection: Pattern-based security analysis with CWE mapping
Function similarity: Find code reuse based on structural fingerprints
Smart naming: Suggest better symbol names based on usage patterns
iOS Security Research Tools
KPP/KTRR detection: Identify kernel patch protection mechanisms
Mach trap analysis: Analyze syscall tables and trap handlers
PAC gadget finder: Locate pointer authentication gadgets for ARM64e
Sandbox analysis: Examine sandbox operations and policy checks
IOKit class finder: Map IOKit class hierarchies and user clients
Entitlement checks: Detect entitlement validation code paths
Kernel symbols: Find and analyze XNU kernel symbols
Mach port analysis: Analyze IPC and port operations
Android & Mobile Analysis Tools
Crypto constants: Find AES S-boxes, CRC tables, and crypto magic numbers
JNI methods: Analyze JNI_OnLoad, Java_* exports, and RegisterNatives calls
API endpoints: Extract URLs, hostnames, IP addresses, and API paths
Hardcoded secrets: Find API keys, tokens, passwords, and credentials
Binary comparison: Diff two binaries to find added/removed/modified functions
GUI Mode & Context Tracking
Dual-mode support: Works in both headless and GUI-connected modes
Context tracking: Automatically tracks current address/function from tool operations
GUI integration: Connect to running Ghidra GUI via ghidra_bridge for real-time selection
Cursor-aware analysis: Get/set current address and function for workflow continuity
Performance
Kawaiidra supports two execution modes:
Mode | Speed | Setup |
JPype Bridge (default) | ~1-50ms per call | Requires Java JDK 17+ |
Subprocess (fallback) | ~5-15s per call | Works out of the box |
The JPype bridge keeps a JVM running in-process, eliminating the ~5-15 second startup overhead of spawning analyzeHeadless for each operation. This is 100-1000x faster for sequential operations.
┌────────────────────────────────────────────────────┐
│ 10 function decompilations:                        │
│                                                    │
│   Subprocess mode:  ~2-3 minutes                   │
│   JPype Bridge:     ~0.5 seconds                   │
└────────────────────────────────────────────────────┘
Requirements
Python 3.10+
Ghidra 11.0+ (tested with 11.x and 12.0, fully compatible with Ghidra 12.0)
MCP Python package:
pip install mcp
For Maximum Performance (Recommended)
Java JDK 17+ (for JPype bridge)
JPype1:
pip install JPype1
Quick Start
1. Install Ghidra
Option A: Homebrew (macOS/Linux) - Recommended
# macOS
brew install ghidra
# Linux (Homebrew)
brew install ghidra
Option B: Manual Installation
Download Ghidra from ghidra-sre.org and extract it.
2. Install Dependencies
cd kawaiidra-mcp
pip install -r requirements.txt
2b. Enable Fast Mode (Recommended)
For 100-1000x faster operations, install JPype and ensure Java is available:
# Install JPype
pip install JPype1
# Verify Java JDK 17+ is installed
java -version
Installing Java if needed:
# macOS
brew install openjdk@17
# Ubuntu/Debian
sudo apt install openjdk-17-jdk
# Windows (winget)
winget install EclipseAdoptium.Temurin.17.JDK
The bridge auto-enables when both JPype and Java are available. Use the bridge_status tool to verify.
3. Configure Ghidra Path (Optional)
The server auto-detects Ghidra installations in common locations. If auto-detection fails or you want to use a specific version, set GHIDRA_INSTALL_DIR:
Homebrew installations (usually auto-detected):
# macOS (Apple Silicon)
export GHIDRA_INSTALL_DIR=/opt/homebrew
# macOS (Intel)
export GHIDRA_INSTALL_DIR=/usr/local
# Linux
export GHIDRA_INSTALL_DIR=/home/linuxbrew/.linuxbrew
Manual installations:
# Windows
set GHIDRA_INSTALL_DIR=C:\ghidra_11.2_PUBLIC
# Linux/macOS
export GHIDRA_INSTALL_DIR=/opt/ghidra
export GHIDRA_INSTALL_DIR=/Applications/ghidra_11.2_PUBLIC
4. Use with Claude Code
Open the kawaiidra-mcp folder in Claude Code. The MCP server will automatically load from .mcp.json.
Or add to your Claude Code config:
{
  "mcpServers": {
    "kawaiidra": {
      "type": "stdio",
      "command": "python",
      "args": ["/path/to/kawaiidra-mcp/run_server.py"],
      "env": {
        "GHIDRA_INSTALL_DIR": "/path/to/ghidra"
      }
    }
  }
}
5. Analyze a Binary
Place your binary in the binaries/ folder, or use an absolute path
Use the analyze_binary tool to import and analyze
Use other tools to explore the analysis
Available Tools
Core Analysis Tools
Tool | Description |
| Import and analyze a binary file |
| List binaries in current project |
| List all functions in a binary |
| Search functions by name pattern |
| Decompile function to C code |
| Get assembly listing |
| Get cross-references to/from function |
| Search strings by pattern |
| List all defined strings |
| Get binary metadata (arch, format, etc.) |
| Get memory segments/sections |
| Export analysis to JSON file |
| View cache hit rate and performance statistics |
| Clear cached results |
| Check if fast JPype bridge mode is active |
| Generate comprehensive binary analysis report |
| List exported functions and symbols |
| List imported functions from external libraries |
| List defined data labels and values |
| List all namespaces and classes |
| Rename a function in the analysis |
| Rename a data label at an address |
| Rename a local variable within a function |
| Add comments at specific addresses |
| Set a function's signature |
| Set the type of a local variable |
Advanced Analysis Tools (LLM-Optimized)
Tool | Description |
| Extract call hierarchy showing function relationships |
| Identify standard libraries, frameworks, and third-party code |
| Search for code by behavior (file I/O, network, crypto, etc.) |
| Get function with all dependencies for complete LLM understanding |
| Extract struct/class definitions and data types |
| Extract CFG with basic blocks for logic flow analysis |
| Detect security vulnerabilities using pattern analysis |
| Find functions similar to a reference based on structure |
| Get richly annotated disassembly with xrefs and comments |
| Suggest better variable/function names based on usage |
iOS Security Research Tools
Tool | Description |
| Detect KPP, KTRR, PPL, and AMFI kernel protections |
| Analyze Mach trap table and syscall handlers |
| Find PAC signing/authentication gadgets for ARM64e |
| Analyze sandbox operations and policy enforcement |
| Find IOKit classes, vtables, and user clients |
| Detect entitlement validation and AMFI checks |
| Find kernel symbols with pattern matching |
| Analyze Mach port operations and IPC patterns |
Android & Mobile Analysis Tools
Tool | Description |
| Find AES S-boxes, CRC tables, and crypto magic numbers |
| Find JNI methods (JNI_OnLoad, Java_*, RegisterNatives) |
| Extract URLs, hostnames, IP addresses, and API paths |
| Find API keys, tokens, passwords, and credentials |
| Compare two binaries to find added/removed/modified functions |
GUI/Context Tools
Tool | Description |
| Get current address (from GUI cursor or context tracker) |
| Get current function (from GUI cursor or context tracker) |
| Set current address context for headless workflows |
| Set current function context for headless workflows |
| Get selection range from Ghidra GUI (GUI mode only) |
| Check GUI mode connection status and context tracker state |
Tool Examples
Analyze a Windows Executable
analyze_binary
file_path: "C:\path\to\target.exe"
Analyze Raw Firmware
analyze_binary
file_path: "firmware.bin"
processor: "ARM:LE:32:v7"
base_address: "0x08000000"
Decompile a Function
get_function_decompile
binary_name: "target.exe"
function_name: "main"
Find Functions by Pattern
find_functions
pattern: "crypt"
binary_name: "target.exe"
Get Cross-References
get_function_xrefs
binary_name: "target.exe"
function_name: "main"
direction: "from"
Get Call Graph
get_call_graph
binary_name: "target.exe"
function_name: "main"
depth: 3
direction: "callees"
Detect Libraries
detect_libraries
binary_name: "target.exe"
detailed: true
Search for Crypto Code
semantic_code_search
binary_name: "target.exe"
pattern: "crypto"
Get Function with Full Context
get_function_with_context
binary_name: "target.exe"
function_name: "process_data"
include_callees: true
include_data_types: true
Detect Vulnerabilities
detect_vulnerabilities
binary_name: "target.exe"
severity: "high"
Get Control Flow Graph
get_control_flow_graph
binary_name: "target.exe"
function_name: "main"
include_instructions: true
Find Similar Functions
find_similar_functions
binary_name: "target.exe"
function_name: "encrypt_block"
threshold: 0.7
Generate Comprehensive Report
generate_report
binary_name: "target.exe"
depth: "full"
Depth options: quick (metadata only), standard (+ functions/strings), full (+ decompilation), exhaustive (everything)
Detect Kernel Protections (iOS)
detect_kpp_ktrr
binary_name: "kernelcache"
Analyze Mach Traps (iOS/macOS)
analyze_mach_traps
binary_name: "kernelcache"
include_handlers: true
Find PAC Gadgets (ARM64e)
find_pac_gadgets
binary_name: "kernelcache"
gadget_type: "signing"
max_results: 50
Find IOKit Classes
find_iokit_classes
binary_name: "IOKit.kext"
include_vtables: true
include_user_clients: true
Detect Entitlement Checks
detect_entitlement_checks
binary_name: "amfid"
include_context: true
Find Kernel Symbols
find_kernel_symbols
binary_name: "kernelcache"
pattern: "proc_"
symbol_type: "function"
Analyze Mach Ports
analyze_mach_ports
binary_name: "launchd"
include_dangerous: true
Find Crypto Constants
find_crypto_constants
binary_name: "libcrypto.so"
include_context: true
Analyze JNI Methods
analyze_jni_methods
binary_name: "libnative.so"
include_signatures: true
Extract API Endpoints
extract_api_endpoints
binary_name: "app.so"
include_params: true
Find Hardcoded Secrets
find_hardcoded_secrets
binary_name: "libnative.so"
sensitivity: "high"
Compare Binaries
compare_binaries
binary_name_a: "app_v1.so"
binary_name_b: "app_v2.so"
include_similarity: true
Get Current Address (Context-Aware)
get_current_address
Returns the current address from:
Ghidra GUI (if GUI mode enabled and connected)
Context tracker (last decompiled/analyzed address)
Get Current Function
get_current_function
Returns the current function from:
Ghidra GUI cursor position
Context tracker (last decompiled function)
Set Current Address (Headless Workflow)
set_current_address
address: "0x401000"
binary_name: "target.exe"
Check GUI Status
gui_status
Shows GUI mode configuration, connection status, and context tracker state.
Configuration
Environment Variables
Variable | Description | Default |
| Path to Ghidra installation | Auto-detected |
| Where Ghidra projects are stored |
|
| Where input binaries are stored |
|
| Where exports are written |
|
| Where logs are written |
|
| Analysis timeout in seconds |
|
| Decompile timeout in seconds |
|
| JVM max memory |
|
Cache Settings
Variable | Description | Default |
| Enable result caching |
|
| Cache storage location |
|
| Maximum cache size |
|
JPype Bridge Settings (Performance)
Variable | Description | Default |
| Enable fast JPype bridge |
|
| Keep programs loaded in memory |
|
| Max programs to cache |
|
GUI Mode Settings
Variable | Description | Default |
| Enable GUI mode (connect to running Ghidra) |
|
| Host for ghidra_bridge connection |
|
| Port for ghidra_bridge connection |
|
| Timeout for GUI bridge operations (seconds) |
|
Enabling GUI Mode
GUI mode allows Kawaiidra to connect to a running Ghidra GUI instance, enabling real-time access to cursor position and selection. This is useful for interactive analysis workflows.
Setup Steps:
1. Enable GUI mode:
# Windows
set KAWAIIDRA_GUI_MODE=true
# Linux/macOS
export KAWAIIDRA_GUI_MODE=true
2. Install ghidra_bridge (optional dependency):
pip install ghidra_bridge
3. Install the bridge server in Ghidra:
python -m ghidra_bridge.install_server ~/ghidra_scripts
4. Start the bridge server in Ghidra:
In Ghidra: Tools > Ghidra Bridge > Run in Background
Or run the script manually from Script Manager
5. Verify connection:
gui_status
Note: Even without GUI mode enabled, context tracking works in headless mode. The get_current_address and get_current_function tools automatically track context from your tool operations (e.g., last decompiled function becomes the current function).
Testing
Kawaiidra includes a comprehensive test suite with 166 tests covering all major modules:
# Run all tests
uv run pytest tests/ -v
# Run specific test file
uv run pytest tests/test_cache.py -v
Test File | Tests | Coverage |
| 57 | Cache operations, TTL, LRU eviction |
| 30 | Ghidra index parsing, regex patterns |
| 26 | Configuration, env vars, path detection |
| 22 | Tool definitions, schemas, utilities |
| 22 | MCP handler integration |
| 17 | Bridge availability, backend operations |
Directory Structure
kawaiidra-mcp/
├── .mcp.json              # MCP server configuration
├── README.md              # This file
├── requirements.txt       # Python dependencies
├── run_server.py          # Server entry point
├── src/
│   └── kawaiidra_mcp/
│       ├── server.py      # MCP server implementation
│       ├── config.py      # Configuration management
│       ├── cache.py       # Result caching system
│       ├── bridge/        # JPype bridge for fast execution
│       │   ├── __init__.py
│       │   ├── jpype_bridge.py  # JVM lifecycle & Ghidra API
│       │   └── backend.py       # High-level backend abstraction
│       └── scripts/       # Ghidra headless scripts (fallback)
├── tests/                 # Unit test suite (166 tests)
├── projects/              # Ghidra project storage (gitignored)
├── binaries/              # Input binaries (gitignored)
├── exports/               # Exported analysis (gitignored)
└── logs/                  # Runtime logs (gitignored)
Supported Binary Formats
Format | Extensions | Auto-detected |
PE (Windows) | .exe, .dll, .sys | Yes |
ELF (Linux) | .so, .o, (none) | Yes |
Mach-O (macOS) | .dylib, (none) | Yes |
Raw Binary | .bin, .fw | No (specify processor) |
Common Processor IDs
For raw binaries, specify the processor manually:
Architecture | Processor ID |
x86 32-bit |
|
x86 64-bit (AMD64) |
|
ARM 32-bit |
|
ARM 64-bit (AArch64) |
|
MIPS 32-bit BE |
|
MIPS 32-bit LE |
|
PowerPC 32-bit |
|
RISC-V 32-bit |
|
Troubleshooting
"Ghidra not found"
Ensure GHIDRA_INSTALL_DIR points to a valid Ghidra installation that contains the support/analyzeHeadless script.
"MCP SDK not installed"
pip install mcp
Analysis Times Out
Increase timeout with environment variable:
# Windows
set KAWAIIDRA_TIMEOUT=600
# Linux/macOS
export KAWAIIDRA_TIMEOUT=600
Large Binary Memory Issues
Increase JVM memory:
set KAWAIIDRA_MAX_MEMORY=8G
Function Not Found
Ensure the binary has been analyzed first with analyze_binary
Try using the function's address instead of name (e.g., 0x401000)
Check if the function is in a different binary in the project
JPype Bridge Not Starting
Check bridge status:
bridge_status
If bridge shows as unavailable:
Install JPype:
pip install JPype1
Install Java JDK 17+:
# macOS
brew install openjdk@17
# Ubuntu/Debian
sudo apt install openjdk-17-jdk
Verify Java is in PATH:
java -version
Check JAVA_HOME (if needed):
export JAVA_HOME=/path/to/jdk
The server automatically falls back to subprocess mode if JPype is unavailable.
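A preflight check for the two prerequisites the troubleshooting steps above keep returning to, a Ghidra directory containing support/analyzeHeadless and a JDK of version 17 or later, as an added example that is not part of Kawaiidra. The function names are hypothetical, the sample `java -version` strings are constructed, and the directory check assumes a manual (non-Homebrew) installation layout.

```python
from __future__ import annotations

import os
import re
import shutil
import subprocess
from pathlib import Path

# Constructed sample outputs of `java -version` (not captured from a real host).
SAMPLE_MODERN = 'openjdk version "17.0.9" 2023-10-17\nOpenJDK Runtime Environment'
SAMPLE_LEGACY = 'java version "1.8.0_291"\nJava(TM) SE Runtime Environment'


def java_major(version_output: str) -> int | None:
    """Return the Java feature release from `java -version` text, or None.

    Releases before Java 9 report themselves as 1.x, so 1.8 means Java 8.
    """
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        return None
    major = int(m.group(1))
    if major == 1 and m.group(2) is not None:
        return int(m.group(2))
    return major


def ghidra_dir_ok(install_dir: str | os.PathLike) -> bool:
    """True if install_dir holds support/analyzeHeadless (or the .bat on Windows).

    Assumes the layout of an extracted Ghidra release, not a Homebrew prefix.
    """
    support = Path(install_dir) / "support"
    return any((support / n).is_file() for n in ("analyzeHeadless", "analyzeHeadless.bat"))


def preflight(env=os.environ) -> list[str]:
    """Collect human-readable problems; an empty list means both checks passed."""
    problems = []
    ghidra = env.get("GHIDRA_INSTALL_DIR")  # unset is fine: the server auto-detects
    if ghidra and not ghidra_dir_ok(ghidra):
        problems.append(f"{ghidra} has no support/analyzeHeadless")
    java = shutil.which("java")
    if java is None:
        problems.append("java is not on PATH; expect subprocess fallback mode")
    else:
        # `java -version` writes to stderr, so read both streams.
        r = subprocess.run([java, "-version"], capture_output=True, text=True)
        major = java_major(r.stderr + r.stdout)
        if major is None or major < 17:
            problems.append(f"JDK 17+ required for the JPype bridge, found {major}")
    return problems


if __name__ == "__main__":
    for line in preflight() or ["ok: Ghidra directory and JDK look usable"]:
        print(line)
```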
Bridge Mode Slower Than Expected
First call per binary takes 2-5s (program loading)
Subsequent calls should be ~1-50ms
Use bridge_status to verify bridge is active
Check KAWAIIDRA_BRIDGE_CACHE_PROGRAMS=true is set
Analysis Reports
Binary analysis reports generated using Kawaiidra MCP can be stored in the md/ folder. See md/README.md for report structure guidelines.
Why "Kawaiidra"?
Because reverse engineering should be fun! This is a cute wrapper around serious tools.
Kawaii (Japanese: cute) + Ghidra = Kawaiidra
License
MIT License
See Also
Ghidra - NSA's reverse engineering framework
Model Context Protocol - MCP specification
Claude Code - AI coding assistant