github starsong-consulting/GhydraMCP v3.0.0-rc.1
Release v3.0.0-rc.1
on GitHub

pre-release9 hours ago

Changed

  • Breaking: fully-qualified symbol names. Functions, symbols, data labels, variables, and xrefs now use the fully-qualified name (namespace path, e.g. FOM::SharedMemory::ReadUInt; global-namespace members are unprefixed) for lookup, filtering, and output. GET /functions/by-name/{fqn} takes a URL-encoded FQN; a bare name resolves in the global namespace only. Renaming a function, data label, or symbol to an A::B::name value moves it into that namespace (created if absent); a leading :: or Global:: moves it to the global namespace. The separate namespace field is removed from function and symbol responses (folded into the FQN name). Local variable names stay bare and reject ::. API_VERSION bumped to 3000. Reimplemented from PR #18 against the Javalin layer. (#18)

Added

  • analysis link on /program: the program resource now advertises an analysis link (to /analysis/status) for HATEOAS discoverability.
  • Run Ghidra scripts via the API: GET /scripts (list) and POST /scripts/run (run an existing script by name, or compile and run ad-hoc GhidraScript source, with args), plus scripts_list/scripts_run bridge tools and ghydra scripts list/run. Captures the script's output. Lets an agent do multi-stage/batch work (mass rename, signature transfer) in one call. Arbitrary code execution, so it is disabled unless the server is started with -Dghydra.dev.allowScripts=true (or GHYDRA_ALLOW_SCRIPTS=1). (#3)
  • Scalar search: find constant values in instructions (GET /scalars, scalars_search bridge tool, ghydra scalars search), like Ghidra's "Search For Scalars". Filter by containing function (in_function) or by a nearby called function (to_function, e.g. the 0 passed to memset). The in_function filter scans only the matching functions; unfiltered scans on large programs are time-bounded and report scanTruncated. Reimplemented from PR #17 against the Javalin layer. (#17)
  • Save endpoint: POST /program/save persists the current program to the project (?all=true saves every open program with unsaved changes).
  • Dev-only shutdown endpoint: POST /dev/shutdown quits Ghidra so the build/deploy/restart loop can be automated. Off by default; enable with -Dghydra.dev.allowShutdown=true or GHYDRA_DEV_SHUTDOWN=1. With unsaved changes it refuses (409) unless ?save=true (save, then exit) or ?force=true (discard, then exit).

Fixed

  • HATEOAS links: templated links with a single string argument (an address or name) emitted a literal {} href with the value misplaced into a method field; they now substitute correctly across all endpoints. Action links use a new linkWithMethod.
  • Disassembly truncation: the bridge text output now reports the total instruction count and the next offset when a function's disassembly is paginated, instead of silently showing the first 100. functions_disassemble no longer documents limit=0 as "all".
  • Agent-clean CLI output: color is auto-disabled when stdout is not a terminal (and honors NO_COLOR), so piped or captured ghydra output no longer carries ANSI codes that corrupted hex-address parsing.
Check out latest releases or
releases around starsong-consulting/GhydraMCP v3.0.0-rc.1

Don't miss a new GhydraMCP release

NewReleases is sending notifications on new releases.

Get notifications