Open source · Sandbox-aware · Ollama-native

Reverse engineering that feels like an operator console, not a bag of scripts.

GhostTrace combines a cyberpunk web workspace, a Ghidraaas backend, an Ollama-driven analyst, and a reproducible Windows lab with SSH and x64dbg bridge tooling. It is designed for fast static triage, guided deep dives, and dynamic evidence workflows without losing the thread between tools.

GhostTrace Lab
AI-assisted reverse engineering workbench for static triage, guided decompilation, and sandbox-aware workflows.
Default Ollama model: Godmoded/llama3-lexi-uncensored
By 0xCyberBerserker
Why GhostTrace

An integrated RE workbench for people who want one command surface and one memory model.

Most reverse engineering setups degenerate into tabs, folders, shell history and screenshots. GhostTrace tries to collapse that into one loop: upload a sample, let the assistant triage it, preserve evidence, and carry that context into debugging and sandbox work.

Static-first, evidence-aware

Imports, strings, function indices, decompilation, and triage reports are cached and reused so the analysis gets richer instead of noisier.

Sandbox that is actually reachable

The Windows lab ships with noVNC, RDP, SSH, OEM provisioning, x64dbg autostart bridge and host-side helpers for command execution and file transfer.

Operator-friendly UI

The web app is built around jobs, triage, debugger state and guided next steps, with a design language that looks deliberate instead of generic.

Workflow

One sample, one trail of evidence.

The shape is inspired by good offensive and defensive RE workflows: start broad, shrink uncertainty fast, keep the expensive steps targeted, and always preserve what you learned for the next pass.

01 Upload and analyze

The Flask web UI hashes the sample, forwards it to Ghidraaas, and tracks the resulting analysis job in a persistent sidebar.

02 Auto triage the target

GhostTrace generates structured reports from imports, strings, functions and optional evidence so the assistant can recommend a sensible next move immediately.

03 Escalate into debugging

The x64dbg bridge exposes debugger state, queued requests and findings back into the same workspace, instead of sending you off to a disconnected side tool.

04 Use the sandbox as a lab, not a black hole

The Windows VM is provisioned reproducibly, reachable over SSH, and fed through host-side copy helpers so you can script it instead of babysitting it.
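As an added illustration of the static-first loop described above (hash the upload, pull out string evidence, cache a structured triage report under the hash so later passes reuse it rather than recompute it), here is a small stand-alone sketch. It is not GhostTrace's own code and does not talk to Ghidraaas or Ollama; the sample bytes and the list of notable APIs are constructed for the example.

```python
import hashlib
import json
import re

# Constructed stand-in for an uploaded sample: an MZ prefix, two imported API
# names and an embedded URL-like string, separated by NUL bytes. Not a real binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"KERNEL32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"http://example.invalid/update\x00"
    + b"\x01\x02\x03"
)

# APIs worth surfacing in a triage report. Hypothetical list for the example.
NOTABLE_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"}


def sample_id(data: bytes) -> str:
    """SHA-256 of the upload; the key under which results are cached."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs of at least min_len bytes (the 'strings' view)."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes, cache: dict) -> dict:
    """Build a structured report once per hash; repeat calls reuse the cached one."""
    sid = sample_id(data)
    if sid in cache:
        cache[sid]["cache_hits"] += 1
        return cache[sid]
    strings = extract_strings(data)
    report = {
        "sha256": sid,
        "size": len(data),
        "looks_like_pe": data[:2] == b"MZ",
        "strings": strings,
        "notable_apis": sorted(s for s in strings if s in NOTABLE_APIS),
        "urls": [s for s in strings if s.startswith(("http://", "https://"))],
        "cache_hits": 0,
    }
    cache[sid] = report
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE, {}), indent=2))
```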

Stack

What ships with the project.

Core platform

  • Flask web UI with job management, chat, triage and x64dbg views
  • Ghidraaas backend with cached imports, strings, functions and decompilation
  • Ollama-compatible assistant orchestration using `Godmoded/llama3-lexi-uncensored` by default
  • Persistent triage reports and dynamic evidence ingestion

Windows lab

  • dockurr/windows profile with OEM first-boot provisioning
  • OpenSSH, noVNC and RDP exposed for real operator access
  • x64dbg with MCP plugin bundle and bridge autostart
  • Sysinternals, Wireshark, Cutter, Rizin, radare2 and more

FAQ

Questions the repo should answer up front.

Is this meant to replace Ghidra, x64dbg or radare2?

No. GhostTrace is the workbench that orchestrates them. The point is to keep context, triage and debugger evidence flowing through one operator-facing surface.

Does the project depend on cloud AI?

No. The default path is Ollama running on the host. The Windows sandbox does not run its own model stack by default.

Is the Windows lab mandatory?

No. The main stack works without it. The sandbox profile is optional and only matters when you want the Windows-side tooling and debugger bridge.

Why are some Windows tools marked optional?

Because upstream packaging is inconsistent on Windows for a few tools. The lab now completes successfully even when `r2ai` or `PE-bear` is unavailable, instead of failing the whole bootstrap.

Can this be misused?

Technically, yes. GhostTrace is intended for legitimate reverse engineering, malware analysis, DFIR, research, and defensive engineering. If someone points it at unauthorized targets or uses it for illicit work, that responsibility sits with the operator. Keep it sharp, not stupid.