Workflow: Building Context with the Explain Tab
This guide shows how to use the Explain tab to document your understanding of a binary in Ghidra.
Overview
The Explain tab generates LLM-powered explanations of functions and stores them for later use. It is best for building persistent context across a project.
When to Use the Explain Tab
Use Explain when you want to:
- Understand a function at a high level
- Document findings for later reference
- Capture security-relevant information
- Build a knowledge base as you analyze
For ad-hoc questions, use the Query tab.
Step-by-Step Workflow
Step 1: Select a Function
Navigate to a function in Ghidra:
- Click a function in the Functions window
- Or press G to jump to an address
The Explain tab shows the current function automatically.
Step 2: Generate an Explanation
Click Explain Function to generate a summary.
The explanation includes:
- Purpose and behavior
- Parameters and return values
- Notable operations
Step 3: Review Security Analysis
Expand the security panel to view:
| Field | Description |
|---|---|
| Risk Level | Low / Medium / High risk assessment |
| Activity Profile | Behavioral category |
| Security Flags | Detected patterns |
| Network APIs | Network calls detected |
| File I/O APIs | File operations detected |
Step 4: Edit and Save
If needed:
- Click Edit
- Modify the markdown
- Click Save to store updates
Edits are persisted and protected from auto-overwrite.
Step 5: Clear Analysis (Optional)
Use Clear to remove stored analysis for the current function.
Enhancing Explanations
Using RAG
If you have documents indexed in the RAG tab:
- Enable Use RAG in the Query tab before analysis
- Run Explain Function
- The LLM uses relevant document context
Using MCP
If MCP servers are configured:
- Enable Use MCP Tools in the Query tab
- Run Explain Function
- The LLM can call tools for extra context
Explain Line
The Explain Line button is currently disabled and marked as “Coming Soon” in GhidrAssist.
Building a Documentation Set
To systematically document a binary:
- Start with entry points and exports
- Follow call chains through key functions
- Prioritize security-relevant functions
- Update explanations as your understanding improves
Explanations are stored by binary hash and function address.
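One way to turn the documentation order above into a worklist, as an added example that is not part of GhidrAssist or this guide: it walks a call graph breadth-first from the entry points and exports, puts functions that call watchlisted imports first within each depth, and reports functions the walk never reached. The call graph, function names and watchlist are constructed for illustration; inside Ghidra the callee lists could be collected with `Function.getCalledFunctions(monitor)`.

```python
from collections import deque

# Constructed sample: function name -> names it calls (not from a real binary).
CALL_GRAPH = {
    "entry": ["main"],
    "main": ["parse_config", "handle_client", "log_msg"],
    "parse_config": ["fopen", "strcpy"],
    "handle_client": ["recv", "decode_packet"],
    "decode_packet": ["memcpy", "log_msg"],
    "log_msg": ["fprintf"],
    "export_init": ["parse_config"],
    "unused_helper": ["strlen"],
}
ENTRY_POINTS = ["entry", "export_init"]  # entry points and exports (constructed)

# Assumed watchlist of imports that make a caller worth explaining early.
SENSITIVE = {"strcpy", "memcpy", "recv", "fopen", "system"}


def documentation_order(graph, roots, sensitive=SENSITIVE):
    """Return (rows, unreachable).

    rows: (function, depth, sensitive_callees) tuples, entry points first,
    then deeper call-chain levels; within a level, functions calling more
    watchlisted imports come first. unreachable: functions defined in the
    graph that no entry point leads to (reached indirectly or dead code).
    """
    depth = {}
    queue = deque()
    for root in roots:
        if root in graph and root not in depth:
            depth[root] = 0
            queue.append(root)
    while queue:
        fn = queue.popleft()
        for callee in graph[fn]:
            # Only functions with a body in this binary get documented;
            # imports such as fopen are counted as callees, not visited.
            if callee in graph and callee not in depth:
                depth[callee] = depth[fn] + 1
                queue.append(callee)
    rows = [(fn, d, sorted(set(graph[fn]) & sensitive)) for fn, d in depth.items()]
    rows.sort(key=lambda r: (r[1], -len(r[2]), r[0]))
    unreachable = sorted(set(graph) - set(depth))
    return rows, unreachable


if __name__ == "__main__":
    rows, unreachable = documentation_order(CALL_GRAPH, ENTRY_POINTS)
    for fn, d, hits in rows:
        print(f"depth {d}  {fn:15s} {', '.join(hits) or '-'}")
    print("not reached from entry points:", unreachable)
```

Functions in the unreachable list are worth a separate pass, since callbacks and indirectly called handlers often land there.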