┌─────────────────────────────────────────────────────────────┐
│ Web Dashboard (React) │
│ - Binary Explorer - AI Chat - Results Viewer │
└────────────────────────┬────────────────────────────────────┘
│ HTTP/WebSocket
▼
┌─────────────────────────────────────────────────────────────┐
│ Python MCP Bridge & REST API │
│ - HTTP Server - WebSocket - SSE - Client SDK │
└────────────────────────┬────────────────────────────────────┘
│ RPC/REST
▼
┌─────────────────────────────────────────────────────────────┐
│ Java Ghidra Plugin (Analysis Engine) │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Crypto │ │ Taint │ │ Vuln. │ │ Control │ │
│ │ Detector │ │ Analyzer │ │Detector │ │ Flow │ │
│ └──────────┘ └──────────┘ └──────────┘ └──────────┘ │
│ │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ Ghidra Core (Decompilation, CFG, etc.) │ │
│ └────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────┘
▲
│ Binary File
│
[User's Binary File]
Location: web-dashboard/
Components:
BinaryExplorer: File upload and selectionAnalysisPanel: Real-time analysis statusChatInterface: AI-powered query systemFunctionViewer: Function decompilation browserVulnerabilityList: Issue display with CVSS
Tech Stack:
- React 18+
- TypeScript
- Vite (bundler)
- Axios (HTTP client)
- Zustand (state management)
Features:
- Drag-and-drop binary upload
- Real-time analysis streaming
- Interactive function graphs
- Syntax-highlighted decompilation
- Responsive dark theme
Location: python-mcp/
Modules:
mcp/: MCP server implementationserver.py: Main servertransports.py: WebSocket, SSE, HTTPhandlers.py: Request processing
cli/: Command-line toolsserver.py: Server startupanalyze.py: Batch analysisquery.py: Interactive queries
core/: Core client SDKclient.py: Python clientmodels.py: Data structures
auth/: Authenticationjwt.py: JWT handlingoauth.py: OAuth2 supportapi_key.py: API key management
Features:
- Multi-transport support
- Async/await throughout
- Type hints (mypy compatible)
- Comprehensive error handling
- Rate limiting built-in
Transport Support:
WebSocket: ws://localhost:8001
SSE: http://localhost:8002/events
HTTP: http://localhost:8000/api
Location: ghidra-plugin/
Modules:
core/:GhidraInsightCore.java: DI container & service coordinatorGhidraInsightModule.java: Guice configurationservice/: Service interfaces & implementationsAnalysisService: Main analysis orchestrationVulnerabilityDetector: Vuln detectionSymbolManager: Symbol resolution
analysis/: Analysis enginesCryptoDetector: Crypto algorithm detectionTaintAnalyzer: Data flow trackingControlFlowAnalyzer: CFG anomaly detectionVulnerabilityAnalyzer: CVE/CWE mapping
mcp/:MCPServer.java: MCP serverRestServer.java: REST API endpointsWebSocketServer.java: WebSocket transport
util/:AddressResolver: Symbol & function lookupConfiguration: Settings management
Architecture Pattern: Service-Oriented
- Loose coupling via interfaces
- Dependency injection (Guice)
- Stateless stateless analysis functions
- Exception handling wrappers
Key Dependencies:
- Ghidra SDK (11.x)
- Jackson (JSON)
- Spark (REST API)
- Guice (DI)
- Log4j (Logging)
User Upload
↓
[Web Dashboard] ──POST──→ [Python MCP]
↓ ↓
Validate & Prepare
↓
[Java Plugin]
(GhidraInsightCore)
↓
┌─────┴─────┬──────┐
↓ ↓ ↓
CryptoDetector TaintAnalyzer VulnDetector
↓ ↓ ↓
(Ghidra API Analysis)
↓ ↓ ↓
└─────┬─────┴──────┘
↓
Format & Return Results
↓
[Python MCP] ──JSON→ [Dashboard]
↓
Display & Cache
User Question
↓
[Web Dashboard] ──Query──→ [Python MCP]
↓ ↓
1. Retrieve analysis results
2. Build context
↓
[LLM API] (e.g., Claude)
↓
3. Stream response back
↓
[Web Dashboard] ──Stream──→ Display
- Transport: HTTP/HTTPS
- Format: JSON
- Auth: JWT or API Key
- Rate Limit: 60 req/min
- Endpoints:
/api/*
- Transport: ws/wss
- Format: JSON
- Upgrade: From HTTP
- Use Case: Real-time updates
- Port: 8001
- Transport: HTTP (long-polling)
- Format: JSON events
- One-way: Server → Client
- Use Case: Analysis updates
- Port: 8002
- Format: JSON-RPC 2.0
- Resources: Tool definitions
- Implements: Anthropic MCP spec
- Use Case: LLM integration
// Guice module binding
public class GhidraInsightModule extends AbstractModule {
@Override
protected void configure() {
bind(AnalysisService.class).to(AnalysisServiceImpl.class);
bind(CryptoDetector.class).to(CryptoDetectorImpl.class);
bind(TaintAnalyzer.class).to(TaintAnalyzerImpl.class);
bind(VulnerabilityDetector.class)
.to(VulnerabilityDetectorImpl.class);
}
}
// Usage
Injector injector = Guice.createInjector(new GhidraInsightModule());
AnalysisService service = injector.getInstance(AnalysisService.class);Benefits:
- Testable (mock dependencies)
- Extensible (add new implementations)
- Decoupled (interfaces only)
- Async/await:
asyncio - Thread pool: For blocking I/O
- Worker queue: For long analysis
- Thread pool: Executors
- Request threads: Per connection
- Analysis threads: CPU-bound work
- Scheduler: Background tasks
- Stateless analysis (no session state)
- Shared cache layer (Redis-ready)
- Load balancer compatible
- Database-agnostic
- Configurable heap/stack
- Batch size tuning
- Cache sizing
- Thread pool optimization
- Per-IP tracking
- Per-user quotas
- Burst allowance
- Token bucket algorithm
- Create analyzer class:
public interface CustomAnalyzer {
JsonNode analyze(Program program);
}
public class CustomAnalyzerImpl implements CustomAnalyzer {
@Override
public JsonNode analyze(Program program) {
// Analysis logic
}
}- Register in Guice:
bind(CustomAnalyzer.class).to(CustomAnalyzerImpl.class);- Integrate into AnalysisService:
@Inject CustomAnalyzer customAnalyzer;
public JsonNode analyze(...) {
result.set("custom", customAnalyzer.analyze(program));
}| Operation | Target | Notes |
|---|---|---|
| Binary upload | < 2s | Network + parsing |
| Crypto detection | < 5s | Pattern matching |
| Taint analysis | < 30s | Graph traversal |
| Function analysis | < 1s | Per function |
| API response | < 500ms | Excluding analysis |
For detailed implementation, see component READMEs in each directory.