headless-ghidra-evidence
Headless Ghidra Third-Party — P2
P2 reviews baseline and runtime YAML to identify third-party libraries, record
local pristine source directories, and classify functions for later metadata
enrichment. Source download or acquisition is outside the CLI; the CLI records
source_path, pristine_path, version, confidence, and evidence.
Required ghidra-agent-cli Commands
- ghidra-agent-cli functions list
- ghidra-agent-cli functions show
- ghidra-agent-cli imports list
- ghidra-agent-cli constants list
- ghidra-agent-cli strings list
- ghidra-agent-cli vtables list
- ghidra-agent-cli types list
- ghidra-agent-cli callgraph list
- ghidra-agent-cli callgraph callers
- ghidra-agent-cli callgraph callees
- ghidra-agent-cli third-party add
- ghidra-agent-cli third-party none
- ghidra-agent-cli third-party set-version
- ghidra-agent-cli third-party list
- ghidra-agent-cli third-party classify-function
- ghidra-agent-cli third-party vendor-pristine
- ghidra-agent-cli execution-log append
- ghidra-agent-cli gate check --phase P2
Inputs
- artifacts/<target-id>/baseline/functions.yaml
- artifacts/<target-id>/baseline/callgraph.yaml
- artifacts/<target-id>/baseline/types.yaml
- artifacts/<target-id>/baseline/constants.yaml
- artifacts/<target-id>/baseline/vtables.yaml
- artifacts/<target-id>/baseline/strings.yaml
- artifacts/<target-id>/baseline/imports.yaml
- artifacts/<target-id>/runtime/run-manifest.yaml
- artifacts/<target-id>/runtime/hotpaths/call-chain.yaml
- Existing artifacts/<target-id>/third-party/identified.yaml if present
Outputs
- artifacts/<target-id>/third-party/identified.yaml
- artifacts/<target-id>/third-party/pristine/<library>@<version>/
- Optional local adaptation changes under artifacts/<target-id>/third-party/compat/<library>@<version>/
Exit Expectations
- identified.yaml records at least one medium-or-higher confidence library when third-party code is present.
- identified.yaml records libraries: [] when review finds no third-party code.
- Each recorded third-party library has a local source_path and a pristine directory under third-party/pristine/.
- Pristine source directories are kept unmodified; local adaptation edits live under third-party/compat/.
- The next phase has enough version and function-classification evidence to recover names, signatures, and types.
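The exit expectations above can be checked mechanically before handing off to the next phase. The following is an added example, not the project's gate implementation: it takes the already-parsed content of identified.yaml as a dict, and the `name` key, the low/medium/high confidence scale, and the `demo` target id are assumptions.

```python
from pathlib import PurePosixPath

LEVELS = {"low": 0, "medium": 1, "high": 2}  # assumed confidence scale
REQUIRED = ("source_path", "pristine_path", "version", "confidence", "evidence")


def check_identified(doc, target_id, third_party_present):
    """Return exit-expectation violations for a parsed identified.yaml."""
    libs = doc.get("libraries")
    if not isinstance(libs, list):
        return ["libraries must be a list; record [] when none are found"]
    if not third_party_present:
        return ["libraries recorded although review found none"] if libs else []
    problems, best = [], -1
    root = PurePosixPath("artifacts", target_id, "third-party", "pristine")
    for lib in libs:
        name = lib.get("name", "<unnamed>")  # "name" is an assumed key
        missing = [k for k in REQUIRED if not lib.get(k)]
        if missing:  # an empty evidence list counts as missing
            problems.append(f"{name}: missing {', '.join(missing)}")
            continue
        level = LEVELS.get(lib["confidence"])
        if level is None:
            problems.append(f"{name}: unknown confidence {lib['confidence']!r}")
            continue
        expected = root / f"{name}@{lib['version']}"
        # Lexical comparison: rejects compat/ paths and ".." segments alike.
        if PurePosixPath(lib["pristine_path"]) != expected:
            problems.append(f"{name}: pristine_path must be {expected}")
            continue
        best = max(best, level)
    if best < LEVELS["medium"]:
        problems.append("no valid library at medium-or-higher confidence")
    return problems

# Constructed sample: the second entry points its pristine_path at compat/.
SAMPLE = {"libraries": [
    {"name": "zlib", "version": "1.2.13", "confidence": "high",
     "source_path": "/src/zlib-1.2.13",
     "pristine_path": "artifacts/demo/third-party/pristine/zlib@1.2.13",
     "evidence": ["strings.yaml: version banner (constructed)"]},
    {"name": "libpng", "version": "1.6.40", "confidence": "medium",
     "source_path": "/src/libpng-1.6.40",
     "pristine_path": "artifacts/demo/third-party/compat/libpng@1.6.40",
     "evidence": ["imports.yaml: png_* symbols (constructed)"]},
]}

if __name__ == "__main__":
    print(check_identified(SAMPLE, "demo", True))
```

An entry that fails any check does not count toward the medium-or-higher requirement, so a library recorded without evidence cannot satisfy the gate on its own.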
Constraints
- Do not mutate baseline YAML exports directly.
- Do not claim unsupported evidence without recording the supporting source.
- Do not bypass ghidra-agent-cli for supported baseline reads, third-party writes, or execution logging.
- Do not create or run a new Ghidra script if the CLI lacks a capability; pause and ask the user first.
Next Step
- P2 gate passes → headless-ghidra-discovery