Zing Forum


Auto-RE-Agent: A New Paradigm for Automated Reverse Engineering with LLMs and Ghidra

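By coordinating multiple LLM agents with the Ghidra reverse engineering platform, it automates binary analysis and provides a scalable, precise reverse engineering workflow for security research and software analysis.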

Tags: reverse engineering, LLM agents, Ghidra, binary analysis, malware analysis, security research, automated analysis, AI security
Published 2026/04/10 01:41 | Last activity 2026/04/10 01:48 | Estimated reading time 7 minutes
Section 01

Auto-RE-Agent: LLM & Ghidra Collaborative Paradigm for Automated Reverse Engineering (Main Guide)

Auto-RE-Agent coordinates multiple LLM agents with the Ghidra reverse engineering platform to automate binary analysis. It lowers the technical threshold for reverse engineering—users don’t need deep expertise to understand program inner workings. Key features include the Dual-LLM Loop (collaborative code understanding), the 11-Signal Parity Engine (anomaly detection), and seamless Ghidra integration. It supports use cases like malware analysis, software audit, legacy system maintenance, and education.

Section 02

Background: Challenges in Traditional Reverse Engineering & LLM's Potential

Traditional reverse engineering relies heavily on expert experience, requiring deep knowledge of assembly, OS internals, and program structures. For large complex software, manual analysis takes weeks/months and may miss key details. Recent advances in LLMs (strong code understanding/generation) opened new automation possibilities, leading to Auto-RE-Agent—combining LLM intelligence with professional reverse engineering tools.

Section 03

Technical Methods: Core Components of Auto-RE-Agent

Dual-LLM Loop

Two models collaborate: the main analysis model handles deep understanding of code structure and logic; the validation model cross-validates the results, fills in omissions, and corrects misunderstandings (simulating human expert collaboration).

11-Signal Parity Engine

Monitors 11 dimensions (code structure, data flow, control flow etc.) to detect hidden functions, unauthorized modifications, and obfuscation traces via parity checks for inconsistent indicators.

Ghidra Integration

Uses Ghidra's API to auto-execute tasks: disassembly, control flow graph construction, symbol recovery (function/variable names), data type inference. LLM agents process Ghidra's structured data for higher-level reasoning.
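An added example (not Auto-RE-Agent's own code) of the kind of cross-validation step the Dual-LLM Loop describes: each finding from the analysis model is checked against facts exported from the disassembler before it is accepted. The record layout, the behaviour-to-API map, and every sample value are constructed assumptions.

```python
# Added example: grounding check for LLM findings against disassembler facts.
# The record layout and the behaviour-to-API map are assumptions for this sketch.

# Imports that must be called for a behaviour label to be plausible.
BEHAVIOUR_APIS = {
    "keylogging": {"GetAsyncKeyState", "SetWindowsHookExW", "GetKeyState"},
    "network": {"WSAStartup", "connect", "send", "recv", "InternetOpenA"},
}

# Constructed sample: per-function call facts, in a hypothetical export format.
FACTS = {
    "FUN_00401000": {"calls": ["GetAsyncKeyState", "CreateFileW", "WriteFile"]},
    "FUN_00401200": {"calls": ["CreateFileW", "ReadFile"]},
    "FUN_00401400": {"calls": ["WSAStartup", "connect", "send"]},
}

# Constructed sample: findings from the analysis model, each citing evidence.
CLAIMS = [
    {"function": "FUN_00401000", "behaviour": "keylogging", "evidence": ["GetAsyncKeyState"]},
    {"function": "FUN_00401200", "behaviour": "network", "evidence": ["connect"]},
    {"function": "FUN_00401400", "behaviour": "keylogging", "evidence": ["send"]},
    {"function": "FUN_00409999", "behaviour": "network", "evidence": ["recv"]},
]

def check_claim(claim, facts=FACTS):
    """Return (verdict, detail) for one finding."""
    record = facts.get(claim["function"])
    if record is None:
        return "unknown_function", claim["function"]
    calls = set(record["calls"])
    cited = set(claim["evidence"])
    missing = sorted(cited - calls)
    if missing:
        # The model cited an API that this function does not call.
        return "fabricated_evidence", ",".join(missing)
    expected = BEHAVIOUR_APIS.get(claim["behaviour"], set())
    if not (cited & expected):
        # The evidence is real but does not support the behaviour label.
        return "unsupported_label", ",".join(sorted(cited))
    return "grounded", ",".join(sorted(cited & expected))

def triage(claims=CLAIMS, facts=FACTS):
    """Split findings into accepted ones and ones that need manual review."""
    results = [(c, *check_claim(c, facts)) for c in claims]
    accepted = [c["function"] for c, verdict, _ in results if verdict == "grounded"]
    review = {c["function"]: verdict for c, verdict, _ in results if verdict != "grounded"}
    return accepted, review

if __name__ == "__main__":
    print(triage())
```

Findings that land in the review set are the ones to cross-check by hand; a "grounded" verdict only means the cited evidence exists and matches the label, not that the behaviour is malicious.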

Section 04

Application Scenarios: Value of Auto-RE-Agent

  1. Security Research & Malware Analysis: Quick screening of unknown samples, identifying malicious modules (keylogging, network comms), detecting malware variants.

  2. Software Audit & Compliance: Auditing third-party components for known issues, detecting backdoors, identifying unauthorized modifications.

  3. Legacy System Maintenance: Restoring function logic, identifying interfaces/protocols, assisting migration.

  4. Education: Lowering entry barrier (no deep assembly knowledge), interactive learning via LLM explanations, practice on real samples.

Section 05

Limitations & Challenges

  1. LLM Boundaries: Struggles with heavily obfuscated code (commercial protection), custom optimized algorithms, and large files exceeding context windows.

  2. Accuracy Risks: Potential false positives (normal functions as malicious), false negatives (missing real threats), and incorrect explanations.

  3. Resource Consumption: Long analysis time for large files, high memory usage (needs 8GB+ RAM), limited batch processing.

  4. Platform Restriction: Current version mainly supports Windows (exe, dll), with limited support for other platforms (Linux, macOS).

Section 06

Future Development Directions

  1. Enhanced Multi-Agent System: Extend Dual-LLM Loop to include specialized agents (assembly expert, algorithm identifier, behavior analysis agent).

  2. Incremental Analysis: Support segmented analysis of large software, integrating results incrementally.

  3. Knowledge Base Integration: Connect with vulnerability databases and malware signature libraries to improve threat detection.

  4. Interactive Exploration: Add natural language query features (e.g., "explain this code", "find similar functions") and richer visualizations.

Section 07

Practical Suggestions & Best Practices

  1. Set Reasonable Expectations: Treat Auto-RE-Agent as an assistant, not a replacement for expert judgment.

  2. Validate Results: Cross-check key findings with other tools or manual analysis, especially for security decisions.

  3. Use as Learning Tool: Gradually understand reverse engineering concepts via the tool, transitioning to professional tools as experience grows.

  4. Start with Simple Samples: Beginners should use known-function programs to verify tool accuracy and build understanding.