headless-ghidra-batch-decompile
Headless Ghidra Function Substitution — P4
P4 consumes the current selected batch, applies enriched metadata, runs the approved Ghidra decompilation path, and records per-function substitution artifacts.
Required ghidra-agent-cli Commands
ghidra-agent-cli ghidra apply-renamesghidra-agent-cli ghidra verify-renamesghidra-agent-cli ghidra apply-signaturesghidra-agent-cli ghidra verify-signaturesghidra-agent-cli ghidra decompileghidra-agent-cli ghidra rebuild-projectghidra-agent-cli substitute addghidra-agent-cli substitute validateghidra-agent-cli gate check --phase P4
Locking and Ghidra invocation are handled internally by the CLI.
The public workflow surface is the CLI plus the YAML outputs below.
When substitution/next-batch.yaml is ready, process only functions with
clear P3 names and signatures.
Inputs
artifacts/<target-id>/baseline/*.yamlartifacts/<target-id>/runtime/fixtures/artifacts/<target-id>/runtime/hotpaths/call-chain.yamlartifacts/<target-id>/third-party/identified.yamlartifacts/<target-id>/third-party/pristine/<library>@<version>/artifacts/<target-id>/third-party/compat/<library>@<version>/if neededartifacts/<target-id>/metadata/renames.yamlartifacts/<target-id>/metadata/signatures.yamlartifacts/<target-id>/substitution/next-batch.yaml
Outputs
artifacts/<target-id>/substitution/functions/<fn_id>/capture.yamlartifacts/<target-id>/substitution/functions/<fn_id>/substitution.yaml- Additional per-function YAML such as blocked, injected, or follow-up records when the workflow records them
Exit Expectations
- Function-level I/O fixtures and capture YAML are recorded before coding a substitute.
- Each substituted function has a
substitution.yamlwith provenance, fixtures, and status. - P4 gate material is available under
substitution/functions/<fn_id>/.
Constraints
- Use Ghidra as the only decompilation backend.
- Acquire the Ghidra queue/lock before mutating or reading shared Ghidra state when the backend requires it.
- Do not modify artifacts for functions outside the active batch.
- Do not bypass
ghidra-agent-clifor supported apply/verify/decompile, substitution, fixture, or gate actions. - Do not modify pristine third-party source; place local adaptation changes under
third-party/compat/. - Do not create or run a new Ghidra script if the CLI lacks a capability; pause and ask the user first.
Next Step
- P4 gate passes for the batch → return to P3 for another round or finish.
More from bytelandtechnology/headless-ghidra
headless-ghidra
Entry skill for the Headless Ghidra YAML-first reverse-engineering pipeline. Use when the user asks to analyze, decompile, triage, resume, or iterate on a binary target with Ghidra/headless-ghidra. Reads artifacts/<target>/pipeline-state.yaml, routes P0–P4 phase skills, runs gate checks, and manages review pauses. Performs zero analysis work itself.
36headless-ghidra-intake
P0 phase skill for Headless Ghidra intake. Use when a target binary/archive needs identity confirmation, workspace initialization, Ghidra discovery, binary inspection, or analysis scope setup before any Ghidra analysis runs.
35headless-ghidra-evidence
P2 phase skill for Headless Ghidra third-party evidence. Use after P1 to review baseline/runtime artifacts, identify or rule out third-party code, record pristine sources, classify functions, and capture evidence before metadata recovery.
35headless-ghidra-baseline
P1 phase skill for Headless Ghidra baseline and runtime evidence. Use after P0 when the target must be imported into Ghidra, auto-analyzed, exported to baseline YAML, and given reproducible runtime or hotpath observations without decompiling function bodies.
30headless-ghidra-discovery
P3 phase skill for Headless Ghidra metadata discovery. Use after P2, or after a P4 batch exposes missing context, to enrich function names, signatures, types, constants, strings, and hotpath metadata in YAML before serialized CLI apply.
30headless-ghidra-frida-verify
Deprecated compatibility-only P6 alias: runtime observation is now part of P1/P4 hand-offs.
27