DEV Community: sumeshi_kun

Driving Ghidra Static Analysis with Local LLMs (LM Studio + GhidraMCP Setup)

sumeshi_kun — Mon, 18 Aug 2025 13:50:10 +0000

Overview

I wanted to connect the Ghidra static analysis tool to a local LLM.
Since I prefer not to run the analysis environment directly on the host OS, I set up a dedicated VM for Ghidra and kept only the MCP host (LM Studio) on the host machine.

Here’s the rough architecture:

Environment

A machine with mid-range specs, good enough to run fairly recent games. You can build it for around \$800–900 USD.

CPU: 12th Gen Intel Core i5-12400F
GPU: NVIDIA GeForce RTX 3060
RAM: 32GB

Preparation Steps

Install VMware Workstation on the host OS.
Set up a Windows VM (the analysis environment).
Install JDK in the VM (required for Ghidra).
Install Python 3.x in the VM (for GhidraMCP).
Inside the VM, run pip install mcp requests.
Open TCP/8081 in the VM’s Windows Firewall.
Configure the VM’s network to Host-only mode.

Setting Up the Guest OS

Download GhidraMCP

Download the latest release. I used GhidraMCP 1.4:
https://github.com/LaurieWired/GhidraMCP/releases

The release notes state:

Add support for Ghidra 11.3.2

So make sure the Ghidra version matches. Unzip after downloading.

Download Ghidra

Get version 11.3.2 here:
https://github.com/NationalSecurityAgency/ghidra/releases

Unzip it as well.

Install the GhidraMCP Extension

Follow the instructions in the README:
https://github.com/LaurieWired/GhidraMCP/releases

Run Ghidra
Go to File → Install Extensions
Click + and select the GhidraMCP-1-2.zip (or whichever version you use)
Restart Ghidra
Enable GhidraMCPPlugin at File → Configure → Developer
(Optional) Configure port settings at Edit → Tool Options → GhidraMCP HTTP Server

Run `bridge_mcp_ghidra.py`

Open Command Prompt in the folder containing the script:

python bridge_mcp_ghidra.py --transport sse --mcp-host 0.0.0.0 --mcp-port 8081 --ghidra-server http://127.0.0.1:8080/

Sample output:

Connecting to Ghidra server at http://127.0.0.1:8080/
Starting MCP server on http://0.0.0.0:8081/sse
Using transport: sse
INFO: Started server process [7908]
INFO: Waiting for application startup.
INFO: Application startup complete.

Preparing the Host OS

Install LM Studio: https://lmstudio.ai/
Setup is straightforward—just follow the installer.

LM Studio is now free for commercial use, which is a nice bonus.
It suggested gpt-oss-20b, so I installed that model.

Edit `mcp.json`

Open Edit mcp.json from the sidebar and configure it like this (replace with your VM’s IP from ipconfig):

{
  "mcpServers": {
    "ghidra": {
      "url": "http://192.168.xxx.xxx:8081/sse"
    }
  }
}

After saving, enable GhidraMCP in LM Studio.
If successful, the tool list will appear like this:

If it fails, check host ↔ guest connectivity and firewall settings.

Analysis

Inside the Analysis VM

I compiled a simple Hello World program with tcc to generate an EXE:

#include <stdio.h>

int main(int argc, char** argv){
    printf("Hello World.\n");
    return 0;
}

Import it into Ghidra as usual. A Non-Shared Project works fine.

On the LM Studio Side

Since MCP is configured, I tried sending some basic queries:

Approve tool usage when prompted. Example interaction:

How does this binary look?
openai/gpt-oss-20b

list_strings
mcp/ghidra

list_functions
mcp/ghidra

Binary summary

Entry point: 00401038
Output string: "Hello World.\n"
DLLs used: msvcrt.dll → printf, exit, etc.
Main function: FUN_00401000 (calls printf)

Behavior
Starts at entry point (00401038), calls FUN_00401000,
prints "Hello World.\n", then exits.

Conclusion
A simple sample program. No malicious behavior detected.
Useful for learning/demo purposes but not an actual attack sample.

The results were surprisingly solid.

Closing Thoughts

The setup was easy, and I was impressed by how capable a local LLM can be when integrated with Ghidra.
I’ve heard MacBook Pro runs this blazing fast—I’m tempted to pick one up.

That’s it!

Original Post(Japanese): https://zenn.dev/sum3sh1/articles/96be8503049432

How to Boot Windows from .E01 (EWF) Disk Images with Arsenal Image Mounter

sumeshi_kun — Sat, 30 Nov 2024 06:16:24 +0000

Overview

When performing disk forensics, I think it's often the case that the target disk is handled in .E01 format.

Since it is somewhat compressed, the size becomes smaller, and it is easier to handle, so it has become the de facto standard in this industry. (Although I feel that there are many tools that do not support it.)

Basically, I proceed with the analysis by collecting artifacts from this .E01 format file, but depending on the situation, there are times when I want to boot the OS and directly tinker with it.

For example, when I want to actually run malware on the investigation target environment and observe its behavior, or when I want to run investigation tools (like Autoruns).

I haven't tested it, but I think this method will generally work even if it's not an .E01 file.

For details, read the "Disk Image Support" section at the link below.

https://arsenalrecon.com/arsenal-image-mounter-aim-walkthrough

There are paid tools specialized for such purposes, like VFC, but it is also possible to handle it by using the Free version of Arsenal Image Mounter, which is provided by Arsenal Recon. In addition, with the Professional version, it seems that mechanisms that allow you to start virtual disks more easily are available.

Operating Environment

VMware Workstation Pro 17.5.2

Arsenal Image Mounter 3.11.293

Procedure

Mounting the Disk

After starting Arsenal Image Mounter, click Mount Disk Image at the bottom left and select the .E01 file you want to boot.

You will be asked various things, but select Disk device, write temporary at the top.

Also, select Specify alternate differencing file location and save it in an appropriate place.

By doing this, you can make changes without modifying the original E01 file, and extract the differences as a separate file.

Next, select Advanced > Offline Disk from the top toolbar.

Then, I think the Online/Offline column has become Offline.

With this, you have mounted the .E01 file as a physical disk.

Booting with VMware Workstation

When starting VMware Workstation, be sure to run it as administrator.

Otherwise, the disk mounting will fail.

Create a new VM and select Custom (advanced).

Basically, you can just keep clicking Next, but I will note some points to be careful about.

For Firmware Type, it depends on the settings of the .E01 file, so choose one intuitively.

If it doesn't boot, try changing the settings later.

For Network Connection, be sure to select Do not use a network connection.

Otherwise, as soon as it boots, malware communications might go somewhere and cause a big problem.

It's common (really) for incident responders to cause incidents themselves, so please be careful. When you gaze into the incident, the incident gazes into you.

In Select a Disk, check Use a physical disk and select the mounted .E01.

If you don't know the disk number, check with diskpart or Disk Management.

So, after creating the VM and clicking the start button, it worked.

You can either unlock the password with effort, or politely ask the original owner.

Conclusion

Arsenal Image Mounter is a very useful tool.

In particular, being able to write-mount without modifying the original file is wonderful, and it's handy when you want to run antivirus software, so I think it's worth having one in every household.

This article was translated by ChatGPT o1-preview.
Original Post(Japanese): https://zenn.dev/sum3sh1/articles/08fe13c70d5b24

Reference Sites

https://www.reddit.com/r/computerforensics/comments/u80g7c/no_boot_after_conversion_of_e01/

Disk Preservation and Imaging with Paladin Linux

sumeshi_kun — Sat, 30 Nov 2024 05:52:47 +0000

Overview

Paladin is a Linux distribution developed for forensic purposes.

There are two versions: Paladin LTS and Paladin Edge. As the name suggests, LTS stands for Long-Term Support. Edge is lighter and also offers a 32-bit version, so it might be more suitable for preservation tasks.

https://sumuri.com/software/paladin/

Importantly, if you use Paladin LTS for commercial purposes, it is paid (requires a donation of 25 USD or more).

Edge doesn't specify such restrictions, but if you can afford it, consider donating.

In this article, I will cover how to preserve disk images of devices under forensic investigation using Paladin.

I have also previously covered preservation using C.A.IN.E. and Tsurugi.

Paladin is also an Ubuntu-based OS. The wallpaper is cool.

Launch

In this article, I will use Paladin LTS 8.05.

After downloading, make sure to check the hash value.

› certutil -hashfile carbon-paladin-8.05.iso sha1
SHA1 hash of carbon-paladin-8.05.iso:
cb0de1883ac5ecb6165e2e96b8fd18bed9a159a8
CertUtil: -hashfile command completed successfully.

Preservation Procedure

In this procedure, I am using msuhanov/ntfs-samples/ntfs.raw as the disk image to be preserved.

Preparation

First, adjust the time zone to match your local region. Also, make sure to record the actions taken and their timestamps during preservation. For detailed procedures and precautions, it is good to follow the guidelines of trusted organizations.

Mounting the Disk

In Paladin, you can perform a series of operations using an integrated tool called Paladin Toolbox.

It seems you can not only perform simple partitioning and imaging but also convert images and perform carving. Amazing!

Connect a disk larger than the preservation target (100GB), format it, and mount it. You can do it by simply clicking buttons. You don't need to mount the preservation target.

Preservation

The preservation target is /dev/sdb, and the destination is /dev/sda1.

Click Imager in the side menu to set the image type and other settings. There are five formats available, which is quite a lot.

dd(RAW), EWF(E01), EWF2(Ex01), SMART(S01), DMG(dmg)

For E01, you can choose from three compression levels, which is easy to understand.

None, Fast, Best

Once you've made your selections, click Start.

When it's finished, the log is displayed.

Confirmation

When the preservation is complete, you can confirm that the .E01 file and various logs are preserved on the specified disk.

By looking at paladin.complete.log, you can see that the hash values of the image are recorded.

It seems that MD5 and SHA1 are calculated by default.

Paladin is also properly listed in the CFTT, and the test results are published.

https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt/cftt-technical/disk

Conclusion

By using Paladin, I was able to preserve the disk entirely through a GUI.

Compared to Tsurugi Linux and C.A.IN.E., having an integrated tool might be suitable for beginners or for standardized tasks.

I had the impression that macOS forensic researchers often use it, but I had never touched this OS before. Using it, it seems capable of various things, which is interesting.

They also sell various commercial tools and devices, so if you are in a department that can allocate a budget, it might be one of the good options.

This article was translated by ChatGPT o1-preview.
Original Post(Japanese): https://zenn.dev/sum3sh1/articles/04f8f0265e8807

Disk Preservation and Imaging with Tsurugi Linux

sumeshi_kun — Sat, 30 Nov 2024 05:44:49 +0000

Overview

Tsurugi Linux is a Linux distribution tailored for forensic purposes.

There are two editions: Tsurugi Acquire (a lightweight edition for preservation) and Tsurugi Linux LAB.

https://tsurugi-linux.org/

In this article, I will cover how to preserve disk images of devices under forensic investigation using Tsurugi.

In separate articles, I have also covered preservation using C.A.IN.E. and Paladin.

Like C.A.IN.E. and Paladin, Tsurugi is also an Ubuntu-based OS.

Launch

In this article, I will use Tsurugi Acquire 2021.1.

After downloading, make sure to check the hash value:

› certutil -hashfile tsurugi_acquire_2021.1.iso sha512
SHA512 hash of tsurugi_acquire_2021.1.iso:
bd5488e9e75bbcbc6560d166031e84c70bf19c1b9db6f872df99212fef110296c3e7735e39bdee533aaaa92a64e1096fb674b1d45dd4c88cde280442737d77fe 
CertUtil: -hashfile command completed successfully.

Preservation Procedure

In this procedure, I am using msuhanov/ntfs-samples/ntfs.raw as the disk image to be preserved.

Preparation

First, adjust the time zone to match your local region. Also, for detailed procedures and precautions, it is good to follow the guidelines of trusted organizations.

Mounting the Disk

In Tsurugi Acquire, all devices are set to readonly by default.

You can open Tsurugi Device Unlocker on the desktop and press the Unlock button to make the target device writable.

Note that once you unlock a device, it seems you cannot revert it back to readonly.

Let's also prepare the disk where the preservation image will be saved.

Prepare a disk larger than the preservation image (100GB), Unlock it, and perform partitioning and formatting.

In the screenshot, I used commands, but Gparted is included, so you can use that instead.

If you click Advanced in Tsurugi Device Unlocker, you can configure settings for each partition.

Preservation

Use Guymager to perform the image preservation. Here, the preservation target is /dev/sdb, and the preservation destination is /dev/sda1.

Right-click on the preservation target /dev/sdb and select Acquire Image.

Other than the save destination, I use the defaults. The settings are to save in E01 format, splitting every 2GB.

You can change the split size from Split size or adjust the hash calculation settings from Hash calculation / verification.

If you are using it for work, it is good to calculate two or more hash values to prepare for collisions.

Press Start to begin disk preservation, and the progress will be displayed.

Confirmation

When the preservation is complete, you can confirm that .E01 files and a .info file are preserved on the specified disk.

The .info file records the version of Guymager used for preservation, detailed information, and the hash values of the preserved image.

Conclusion

By using Tsurugi Linux, I was able to easily preserve the disk through a GUI.

Compared to C.A.IN.E., being able to switch Unlock per disk might be an advantageous point.

Also, since there is an analysis environment called [LAB], it would be a good choice if you want to do both preservation and analysis.

This article was translated by ChatGPT o1-preview.
Original Post(Japanese): https://zenn.dev/sum3sh1/articles/c3a40c4977fe48

Disk Preservation and Imaging with C.A.IN.E. Linux

sumeshi_kun — Sat, 30 Nov 2024 05:30:34 +0000

Overview

As the name suggests, C.A.IN.E. (Computer Aided Investigative Environment) is an investigative support environment for PCs. While there are several Linux distributions designed for forensics, C.A.IN.E. stands out because it's specifically engineered for that purpose, making it intuitive to use with well-organized documentation. I personally recommend it.

In this article, I will cover how to preserve disk images of devices under forensic investigation using C.A.IN.E.

https://www.caine-live.net/

I have also experimented with the Tsurugi and Paladin versions.

C.A.IN.E. is an Ubuntu-based OS.

Launch

In this article, I will focus on C.A.IN.E. 13.0 "WARP". After downloading, make sure to check the hash value:

› certutil -hashfile caine13.0.iso sha256
SHA256 hash of caine13.0.iso:
6d25180757d6a8a71e98706009d7a9ba3613131727fc96c2037d78bbd4c8ce3a
CertUtil: -hashfile command completed successfully.

In practice, you'd likely boot from USB on the target device, but for explanatory purposes, I will use VMware this time.

Preservation Procedure

The official website provides instructions on how to preserve image files. Please refer to it as well:
Imaging with CAINE

In this procedure, I am using msuhanov/ntfs-samples/ntfs.raw as the disk image to be preserved. It's small at 64GB (compressed to 80MB), making it convenient for testing.

Preparation

First, adjust the time zone to match your local region. Also, make sure to record the actions taken and their timestamps during preservation. For detailed guidelines, refer to trusted organizations.

Mounting the Disk

Click on the Mounter (the green HDD icon at the bottom right of the screen) to mount the target for preservation. Using this Mounter ensures the disk is mounted in ReadOnly mode for safety.

Here, the target for preservation is Test_volume.

Next, set up the destination for the image. Prepare a disk larger than the preservation image (128GB), partition it, and then right-click the Mounter icon to switch to Writable mount mode.

Be cautious, as disks mounted from this point will be in Writable mode. As before, select the disk and click OK to confirm it's mounted as Writable.

Preservation

Use Guymager to perform the image preservation. Right-click on /dev/sdb, the target disk, and select Acquire Image.

While there are various settings available, I will proceed with mostly the defaults. The image will be saved in E01 format, split into 2GB segments.

Click Start to begin the disk preservation. The progress will be displayed.

Confirmation

Once the preservation is complete, you can verify that the .E01 files and a .info file are saved on the specified disk.

The .info file contains details like the version of Guymager used, detailed information, and the hash value of the preserved image.

Conclusion

By using C.A.IN.E., I was able to easily preserve the disk through a GUI. It includes essential features like default ReadOnly mode, showing that it's developed with real forensic use in mind.

Personally, I find it quite user-friendly, so having a Live boot USB ready and handy might be a good idea.

This article was translated by ChatGPT o1-preview.
Original Post(Japanese): https://zenn.dev/sum3sh1/articles/a497f834ce1bbc

How to Run Komga PDF Viewer on QNAP NAS

sumeshi_kun — Sat, 20 Jul 2024 13:57:08 +0000

Overview

I bought a QNAP NAS, and it seems Docker is supported on it.
ChatGPT recommended a PDF viewer that can be set up on-premises like Apple's Books, called Komga.

Here's how it looks in the end. It's a web application, so you can access it from a smartphone.

https://komga.org/

Environment

NAS Model	Used Application
QNAP TS-133	Container Station

It's one of the cheapest entry-level models. If you have a newer QNAP product that runs Container Station, it should work similarly.

Setup Procedure

Confirm UID, GID

Since SSH is disabled by default, you need to enable it using tools like Qfinder Pro. Select the NAS, then choose Connect via SSH.

Once enabled, you can SSH using tools like WSL or Putty.

$ ssh {{USER_NAME}}@{{NAS_IP_ADDRESS}}

Once SSHed in, execute the following command to check UID and GID. Typically, if you're the first user, UID=1000, GID=100 should be fine.

$ id {{USER_NAME}}
uid=1000({{USER_NAME}}) gid=100(everyone)

Reference: https://www.forum-nas.fr/threads/tuto-se-connecter-%C3%A0-son-nas-qnap-par-ssh.19604/

Create config, data Directories

When you install Container Station, a /Container directory should be created. Under /Container, create a komga directory, and under /Container/komga, create config and data directories.

Run Komga Application

From Container Station > Applications > Create, input the following Docker-Compose configuration to create the container. Adjust each item as necessary.

version: '3.8'

services:
  komga:
    image: gotson/komga
    container_name: komga
    volumes:
      - '/share/CE_CACHEDEV1_DATA/Container/komga/config:/config'
      - '/share/CE_CACHEDEV1_DATA/Container/komga/data:/data'
    ports:
      - 8282:25600
    user: "1000:100"
    restart: unless-stopped

Volumes

/share/CE_CACHEDEV1_DATA/Container/komga/config:/config

Specify Host Directory:Container Directory.

CE_CACHEDEV1_DATA may vary depending on your environment. Check the volume mount point if it fails.

Ports

8282:25600

Specify Host Port:Container Port.

25600 is Komga's default, so you can leave it unchanged. Use 8282 or any port you prefer for accessing.

User

"1000:100"

Specify the previously mentioned UID:GID.

Execution Result

After waiting a bit, access via http://{{NAS_IP_ADDRESS}}:8282 should be available.

On first access, create an account and proceed.

When adding PDFs, place them in /Container/komga/data and reference them from the web application.

Reference: https://www.forum-nas.fr/threads/tuto-installation-de-komga-en-docker-sur-un-nas-qnap-container-station.19616/

This post has been translated by GPT-4.
Original Post(Japanese): https://zenn.dev/sum3sh1/articles/2e905fa139d37b

Quickly Search & Extract Files from Windows Disk Images

sumeshi_kun — Sat, 25 Nov 2023 10:19:04 +0000

Overview

If you work in digital forensics, incident response, or malware analysis, you probably deal with disk images all the time.
And sooner or later, you’ll want to find specific files inside an image and extract them for analysis.

Sure, you can mount images with tools like FTK Imager or Arsenal Image Mounter and browse the filesystem manually.
But doing that for tens or hundreds of images? And repeating the same clicks over and over?
That’s exactly the kind of workflow that should be automated — so I built these tools.

https://github.com/sumeshi/ntfsdump
https://github.com/sumeshi/ntfsfind

These tools let you search and extract files, directories, and alternate data streams (ADS) directly from disk image files — without mounting them.

For example, you can search like this:

> ntfsfind.exe IMAGEFILE.raw ".*\.evtx"
/Windows/System32/winevt/Logs/Setup.evtx
/Windows/System32/winevt/Logs/Microsoft-Windows-All-User-Install-Agent%4Admin.evtx
/Logs/Windows PowerShell.evtx
/Logs/Microsoft-Windows-Winlogon%4Operational.evtx
/Logs/Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx
...

And then pipe the results directly into another command to extract them:

> ntfsfind.exe IMAGEFILE.raw ".*\.evtx" | ntfsdump.exe IMAGEFILE.raw

For more details, check out the README on GitHub.
Stars are always welcome ⭐

Usage

Precompiled binaries are available on GitHub Releases:

https://github.com/sumeshi/ntfsfind/releases
https://github.com/sumeshi/ntfsdump/releases

The following command searches for .evtx files inside a dd (raw) image file called ntfs.raw.
The second argument is a regex query. Note that file paths must use / as the separator — this is consistent across both Linux and Windows builds.

> ntfsfind.exe .\ntfs.raw ".*\.evtx"

To extract a specific file from the root of the image:

> ntfsdump.exe .\ntfs.raw "/hoge.txt"

You can also pipe search results into ntfsdump to extract many files in one go:

> ntfsfind.exe IMAGEFILE.raw ".*\.evtx" | ntfsdump.exe IMAGEFILE.raw

Since ntfsdump simply reads paths from standard input, you’re free to redirect, filter, or preprocess the list however you like.

Installation

Precompiled Binaries

Prebuilt binaries for Windows and Linux (Ubuntu) are available on GitHub Releases.
Just download the appropriate file and run it.

https://github.com/sumeshi/ntfsdump/releases
https://github.com/sumeshi/ntfsfind/releases

Install via PyPI

Python 3.13 or newer is supported.

$ pip install ntfsdump ntfsfind

https://pypi.org/project/ntfsdump/
https://pypi.org/project/ntfsfind/

Final Thoughts

These tools follow a “small, sharp tools” philosophy:
simple, minimal, and easy to carry around in your toolkit.
Ideally, you just keep a single binary handy and use it whenever you need quick, scriptable access to NTFS disk images.

If they help streamline your forensic workflow even a little, I’ll be happy 🙂

Original Post(Japanese): https://zenn.dev/sum3sh1/articles/file-extraction-from-ntfs-image-files

DEV Community: sumeshi_kun

Driving Ghidra Static Analysis with Local LLMs (LM Studio + GhidraMCP Setup)

Overview

Environment

Preparation Steps

Setting Up the Guest OS

Download GhidraMCP

Download Ghidra

Install the GhidraMCP Extension

Run bridge_mcp_ghidra.py

Preparing the Host OS

Edit mcp.json

Analysis

Inside the Analysis VM

On the LM Studio Side

Closing Thoughts

How to Boot Windows from .E01 (EWF) Disk Images with Arsenal Image Mounter

Overview

Operating Environment

Procedure

Mounting the Disk

Booting with VMware Workstation

Conclusion

Reference Sites

Disk Preservation and Imaging with Paladin Linux

Overview

Launch

Preservation Procedure

Preparation

Mounting the Disk

Preservation

Confirmation

Conclusion

Disk Preservation and Imaging with Tsurugi Linux

Overview

Launch

Preservation Procedure

Preparation

Mounting the Disk

Preservation

Confirmation

Conclusion

Disk Preservation and Imaging with C.A.IN.E. Linux

Overview

Launch

Preservation Procedure

Preparation

Mounting the Disk

Preservation

Confirmation

Conclusion

How to Run Komga PDF Viewer on QNAP NAS

Overview

Environment

Setup Procedure

Confirm UID, GID

Create config, data Directories

Run Komga Application

Volumes

Ports

User

Execution Result

Quickly Search & Extract Files from Windows Disk Images

Overview

Usage

Installation

Precompiled Binaries

Install via PyPI

Final Thoughts

Run `bridge_mcp_ghidra.py`

Edit `mcp.json`