NSA’s Research Directorate released version 11.3 of Ghidra, an open-source software reverse engineering (SRE) framework. It offers advanced analysis tools, enabling users to dissect and examine compiled code across multiple platforms, including Windows, macOS, and Linux.
Ghidra 11.3 is fully backward compatible with project data from previous versions. However, programs and data type archives created or modified in 11.3 will not be compatible with earlier versions of Ghidra.
Visual Studio Code
Ghidra 11.3 replaces the VSCodeProjectScript.java GhidraScript (introduced in 11.2) with two new actions in the CodeBrowser tool:
- Tools → Create VSCode Module Project… – Sets up a Visual Studio Code project folder with a skeleton module for Ghidra extension development (Plugins, Analyzers, Loaders, etc.), including launchers for debugging and a Gradle task for exporting as a Ghidra extension.
- Edit Script with Visual Studio Code (in Script Manager) – Opens a selected script in a VS Code workspace created automatically in Ghidra’s user settings directory, offering a modern alternative to Eclipse with features like autocomplete and navigation.
Ghidra attempts to locate your VS Code installation automatically, but if needed, you can configure it via Edit → Tool Options → Visual Studio Code Integration.
PyGhidra
The PyGhidra Python library, initially developed by the Department of Defense Cyber Crime Center (DC3) as Pyhidra, enables direct access to the Ghidra API within a native CPython 3 interpreter via JPype. It offers convenient tools for setting up analysis on a given sample and executing Ghidra scripts locally. Additionally, PyGhidra includes a Ghidra plugin that integrates CPython 3 support directly into the Ghidra GUI.
Emulator
The new Ghidra release introduces a just-in-time (JIT) accelerated p-code emulator, designed to enhance performance for dynamic analysis. While not yet integrated into the UI, the JitPcodeEmulator is available for scripting and plugin development as a near drop-in replacement for the existing PcodeEmulator. This feature improves emulation speed, making it a valuable tool for advanced users looking to analyze and execute code more efficiently. However, as this is an early implementation, developers should expect potential bugs and refer to the Javadoc for usage and integration details.
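Because the JIT emulator shares the PcodeEmulator API, a script can drive both back to back and compare their results, which is a sensible habit while the implementation is new. The following GhidraScript is an added example written for this article, not code from the Ghidra project: it loads the program image into each emulator, runs the same number of instructions from the cursor, and reports whether the two agree. The JitPcodeEmulator constructor arguments, the state accessor names, and the x86-64 register names RSP and RAX are assumptions taken from the 11.3 Javadoc and should be checked against the installed version.

```java
// Added example, not from the Ghidra project or the article.
// Assumptions: JitPcodeEmulator(Language, JitConfiguration, Lookup) constructor,
// PcodeExecutorState setVar/getVar signatures, and x86-64 register names.
import java.lang.invoke.MethodHandles;

import ghidra.app.script.GhidraScript;
import ghidra.pcode.emu.PcodeEmulator;
import ghidra.pcode.emu.PcodeThread;
import ghidra.pcode.emu.jit.JitConfiguration;
import ghidra.pcode.emu.jit.JitPcodeEmulator;
import ghidra.pcode.exec.PcodeExecutorState;
import ghidra.pcode.exec.PcodeExecutorStatePiece.Reason;
import ghidra.pcode.utils.Utils;
import ghidra.program.model.address.Address;
import ghidra.program.model.lang.Language;
import ghidra.program.model.lang.Register;
import ghidra.program.model.mem.MemoryBlock;

public class JitEmuCompareScript extends GhidraScript {

    // Copy every initialized memory block of the current program into the
    // emulator's shared (memory) state, so code and data are visible to it.
    private void loadImage(PcodeEmulator emu) throws Exception {
        PcodeExecutorState<byte[]> state = emu.getSharedState();
        for (MemoryBlock block : currentProgram.getMemory().getBlocks()) {
            if (!block.isInitialized() || block.getSize() > Integer.MAX_VALUE) {
                continue;
            }
            byte[] bytes = new byte[(int) block.getSize()];
            block.getBytes(block.getStart(), bytes);
            state.setVar(block.getStart(), bytes.length, true, bytes);
        }
    }

    // Run `steps` instructions from `start` on a fresh thread and return the
    // value of `resultReg` afterwards. Identical for both emulator classes.
    private long runFrom(PcodeEmulator emu, Address start, int steps, String resultReg)
            throws Exception {
        loadImage(emu);
        Language lang = currentProgram.getLanguage();
        PcodeThread<byte[]> thread = emu.newThread();

        // Give the thread a stack pointer (assumption: x86-64 register name);
        // the address is a constructed scratch value, not taken from the binary.
        Register sp = lang.getRegister("RSP");
        if (sp != null) {
            byte[] spVal = Utils.longToBytes(0x7fff0000L, sp.getNumBytes(), lang.isBigEndian());
            thread.getState().setVar(sp, spVal);
        }

        thread.overrideCounter(start);
        for (int i = 0; i < steps; i++) {
            thread.stepInstruction();
        }

        Register r = lang.getRegister(resultReg);
        byte[] val = thread.getState().getVar(r, Reason.INSPECT);
        return Utils.bytesToLong(val, val.length, lang.isBigEndian());
    }

    @Override
    public void run() throws Exception {
        Language lang = currentProgram.getLanguage();
        int steps = askInt("Emulate", "Number of instructions to step");

        // The only difference between the two is the constructor call.
        PcodeEmulator classic = new PcodeEmulator(lang);
        PcodeEmulator jit = new JitPcodeEmulator(lang, new JitConfiguration(), MethodHandles.lookup());

        long a = runFrom(classic, currentAddress, steps, "RAX");
        long b = runFrom(jit, currentAddress, steps, "RAX");
        println(String.format("PcodeEmulator RAX=0x%x, JitPcodeEmulator RAX=0x%x (%s)",
            a, b, a == b ? "match" : "MISMATCH"));
    }
}
```

Running the script with the cursor on a function entry steps both emulators over the same straight-line code. A mismatch between the two results is exactly the kind of finding the release notes ask early adopters to report, and the classic emulator remains the reference until the JIT path has had more use.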
Debugger
Ghidra 11.3 streamlines its debugging infrastructure by removing the legacy IN-VM and GADP launchers and connectors, replacing them with the TraceRmi-based implementations. Alongside this cleanup, the supporting code and API for these older connectors have also been eliminated.
Additionally, the release marks a step forward in kernel-level debugging capabilities – Ghidra’s lldb connector now supports macOS kernel debugging, while the dbgeng connector can debug a Windows kernel running in a VM via eXDI, expanding Ghidra’s utility for low-level system analysis.
Function Graph
The new version brings several enhancements to the Function Graph, making code navigation and visualization more efficient. A new “Flow Chart” layout option improves the organization of function structures, offering an alternative way to analyze control flow. Users can now customize the satellite view position, allowing for a more flexible workspace. A new shortcut (Ctrl + Space) enables quick toggling between the Listing View and the Function Graph, with an option to start either fully zoomed in or out, providing a smoother and more intuitive workflow for reverse engineering.
Source file information
Ghidra 11.3 enhances source code mapping by allowing source file and line information to be integrated using a Program’s SourceFileManager. The DWARF, PDB, and Go analyzers now automatically record this data, and users can also add source information programmatically, with example scripts available in the SourceMapping script category. This information can be viewed in the “Source Map” Listing Field or through the SourceFilesTablePlugin, accessible via Window → Source Files and Transforms in the Code Browser.
The new “View Source…” action lets users open source files at the correct line in Eclipse or Visual Studio Code, configurable through the “Source Files and Transforms” tool option. The SourceFilesTablePlugin also allows users to modify stored source file paths before launching them in their preferred editor, improving the workflow for debugging and reverse engineering.
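The analyzers populate the source map automatically, but the same SourceFileManager API is what a script uses when line information comes from elsewhere (a separately shipped symbol file, a build log, or a proprietary debug format). The script below is an added example written for this article rather than one of the project's own SourceMapping scripts: it registers a source file, maps a constructed line table onto the function at the cursor, and reads the entries back. The path and line numbers are constructed placeholders, and the method names getSourceFileManager, addSourceFile, addSourceMapEntry and getSourceMapEntries are assumed from the 11.3 API.

```java
// Added example, not from the Ghidra project or the article.
// Assumptions: SourceFileManager/SourceFile/SourceMapEntry method names as in
// the Ghidra 11.3 API; the line table and file path below are constructed.
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.address.AddressSetView;
import ghidra.program.model.listing.Function;
import ghidra.program.model.sourcemap.SourceFile;
import ghidra.program.model.sourcemap.SourceFileManager;
import ghidra.program.model.sourcemap.SourceMapEntry;

public class AddConstructedSourceMapScript extends GhidraScript {

    // Constructed line table: {offset from function entry, source line number}.
    // A real table would be parsed from a debug artifact; this one is illustrative.
    private static final long[][] LINE_TABLE = { { 0x00, 12 }, { 0x08, 13 }, { 0x14, 15 } };

    // Constructed placeholder; SourceFile paths must be absolute and normalized.
    private static final String SOURCE_PATH = "/placeholder/src/example.c";

    @Override
    public void run() throws Exception {
        Function f = getFunctionContaining(currentAddress);
        if (f == null) {
            printerr("Place the cursor inside a function first");
            return;
        }

        SourceFileManager mgr = currentProgram.getSourceFileManager();
        SourceFile src = new SourceFile(SOURCE_PATH);
        mgr.addSourceFile(src);  // no-op if already present

        AddressSetView body = f.getBody();
        Address entry = f.getEntryPoint();
        long bodyEnd = body.getMaxAddress().subtract(entry) + 1;

        for (int i = 0; i < LINE_TABLE.length; i++) {
            long offset = LINE_TABLE[i][0];
            int line = (int) LINE_TABLE[i][1];
            // Each entry extends to the next table offset, the last to the end of the body.
            long nextOffset = (i + 1 < LINE_TABLE.length) ? LINE_TABLE[i + 1][0] : bodyEnd;
            long length = nextOffset - offset;
            Address base = entry.add(offset);

            if (!body.contains(base) || length <= 0) {
                println("Skipping line " + line + ": offset 0x" + Long.toHexString(offset)
                    + " is outside the function");
                continue;
            }
            mgr.addSourceMapEntry(src, line, base, length);
        }

        // Read back what is now stored at the entry point, as the Source Map field would show it.
        for (SourceMapEntry e : mgr.getSourceMapEntries(entry)) {
            println(e.getSourceFile().getPath() + ":" + e.getLineNumber()
                + " -> " + e.getBaseAddress() + " (" + e.getLength() + " bytes)");
        }
    }
}
```

After running it, the Source Map listing field shows the mapped lines, and the "Source Files and Transforms" window lets you rewrite the placeholder path to wherever the file actually lives before using View Source.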
Processors
The new release improves x86 AVX-512 support by implementing EVEX write and read masking, giving those instructions accurate semantics. TI_MSP430 decompilation benefits from updated compiler specifications, and ARM VFPv2 instruction handling has been corrected, resolving earlier disassembly issues.
String translation and text search
Ghidra 11.3 expands string translation support with a new LibreTranslate option, allowing users to leverage a self-hosted translation service for increased privacy. This plugin is disabled by default and can be enabled via File → Configure. Additionally, Ghidra now supports full-text search across all decompiled functions, dynamically incorporating the latest decompilation results. This feature, accessible via Search → Decompiled Text…, enhances code analysis but may take time depending on the binary’s complexity.
Ghidra 11.3 is available on GitHub.