diff --git a/pkgs/tools/security/ghidra/0001-Use-protobuf-gradle-plugin.patch b/pkgs/tools/security/ghidra/0001-Use-protobuf-gradle-plugin.patch
new file mode 100644
index 000000000000..b3106802bd5c
--- /dev/null
+++ b/pkgs/tools/security/ghidra/0001-Use-protobuf-gradle-plugin.patch
@@ -0,0 +1,130 @@
+From 913e74b8682f77da94ed7b7d459482b9b23a5d88 Mon Sep 17 00:00:00 2001
+From: roblabla <unfiltered@roblab.la>
+Date: Tue, 28 Dec 2021 14:20:30 +0100
+Subject: [PATCH] Use protobuf gradle plugin
+
+---
+ Ghidra/Debug/Debugger-gadp/build.gradle | 76 +++----------------------
+ build.gradle                            |  6 ++
+ 2 files changed, 15 insertions(+), 67 deletions(-)
+
+diff --git a/Ghidra/Debug/Debugger-gadp/build.gradle b/Ghidra/Debug/Debugger-gadp/build.gradle
+index 1b4922f66..3d2ef8856 100644
+--- a/Ghidra/Debug/Debugger-gadp/build.gradle
++++ b/Ghidra/Debug/Debugger-gadp/build.gradle
+@@ -23,42 +23,19 @@ apply from: "${rootProject.projectDir}/gradle/javaTestProject.gradle"
+ apply from: "${rootProject.projectDir}/gradle/distributableGhidraModule.gradle"
+ 
+ apply plugin: 'eclipse'
+-eclipse.project.name = 'Debug Debugger-gadp'
++apply plugin: 'com.google.protobuf'
+ 
+-configurations {
+-	allProtocArtifacts
+-	protocArtifact
+-}
++eclipse.project.name = 'Debug Debugger-gadp'
+ 
+ def platform = getCurrentPlatformName()
+ 
+-dependencies {
+-	allProtocArtifacts 'com.google.protobuf:protoc:3.17.3:windows-x86_64@exe'
+-	allProtocArtifacts 'com.google.protobuf:protoc:3.17.3:linux-x86_64@exe'
+-	allProtocArtifacts 'com.google.protobuf:protoc:3.17.3:linux-aarch_64@exe'
+-	allProtocArtifacts 'com.google.protobuf:protoc:3.17.3:osx-x86_64@exe'
+-	allProtocArtifacts 'com.google.protobuf:protoc:3.17.3:osx-aarch_64@exe'
+-
+-	if (isCurrentWindows()) {
+-		protocArtifact 'com.google.protobuf:protoc:3.17.3:windows-x86_64@exe'
+-	}
+-	if (isCurrentLinux()) {
+-		if (platform.endsWith("x86_64")) {
+-			protocArtifact 'com.google.protobuf:protoc:3.17.3:linux-x86_64@exe'
+-		}
+-		else {
+-			protocArtifact 'com.google.protobuf:protoc:3.17.3:linux-aarch_64@exe'
+-		}
+-	}
+-	if (isCurrentMac()) {
+-		if (platform.endsWith("x86_64")) {
+-			protocArtifact 'com.google.protobuf:protoc:3.17.3:osx-x86_64@exe'
+-		}
+-		else {
+-			protocArtifact 'com.google.protobuf:protoc:3.17.3:osx-aarch_64@exe'
+-		}
+-	}
++buildscript {
++  dependencies {
++    classpath 'com.google.protobuf:protobuf-gradle-plugin:0.8.18'
++  }
++}
+ 
++dependencies {
+ 	api 'com.google.protobuf:protobuf-java:3.17.3'
+ 	api project(':Framework-AsyncComm')
+ 	api project(':Framework-Debugging')
+@@ -68,43 +45,8 @@ dependencies {
+ 	testImplementation project(path: ':Framework-Debugging', configuration: 'testArtifacts')
+ }
+ 
+-/*protobuf {
++protobuf {
+ 	protoc {
+ 		artifact = 'com.google.protobuf:protoc:3.17.3'
+ 	}
+-}*/
+-
+-task generateProto {
+-	ext.srcdir = file("src/main/proto")
+-	ext.src = fileTree(srcdir) {
+-		include "**/*.proto"
+-	}
+-	ext.outdir = file("build/generated/source/proto/main/java")
+-	outputs.dir(outdir)
+-	inputs.files(src)
+-	dependsOn(configurations.protocArtifact)
+-	doLast {
+-		def exe = configurations.protocArtifact.first()
+-		if (!isCurrentWindows()) {
+-			exe.setExecutable(true)
+-		}
+-		exec {
+-			commandLine exe, "--java_out=$outdir", "-I$srcdir"
+-			args src
+-		}
+-	}
+ }
+-
+-tasks.compileJava.dependsOn(tasks.generateProto)
+-tasks.eclipse.dependsOn(tasks.generateProto)
+-rootProject.tasks.prepDev.dependsOn(tasks.generateProto)
+-
+-sourceSets {
+-	main {
+-		java {
+-			srcDir tasks.generateProto.outdir
+-		}
+-	}
+-}
+-zipSourceSubproject.dependsOn generateProto
+-
+diff --git a/build.gradle b/build.gradle
+index dce3a5149..7a2e637ce 100644
+--- a/build.gradle
++++ b/build.gradle
+@@ -76,6 +76,12 @@ if (flatRepo.isDirectory()) {
+ 			jcenter()
+ 			flatDir name: "flat", dirs:["$flatRepo"]
+ 		}
++		buildscript {
++			repositories {
++				mavenLocal()
++				mavenCentral()
++			}
++		}
+ 	}
+ }
+ else {	
+-- 
+2.33.1
+
diff --git a/pkgs/tools/security/ghidra/build.nix b/pkgs/tools/security/ghidra/build.nix
new file mode 100644
index 000000000000..2e5311696d16
--- /dev/null
+++ b/pkgs/tools/security/ghidra/build.nix
@@ -0,0 +1,177 @@
+{ stdenv
+, fetchzip
+, fetchurl
+, fetchFromGitHub
+, lib
+, gradle
+, perl
+, makeWrapper
+, openjdk11
+, unzip
+, makeDesktopItem
+, autoPatchelfHook
+, icoutils
+, xcbuild
+, protobuf3_17
+, libredirect
+}:
+
+let
+  pkg_path = "$out/lib/ghidra";
+  pname = "ghidra";
+  version = "10.1.1";
+
+  src = fetchFromGitHub {
+    owner = "NationalSecurityAgency";
+    repo = "Ghidra";
+    rev = "Ghidra_${version}_build";
+    sha256 = "sha256-0hj9IVvTxgStCbfnTzqeKD+Q5GnGowDsIkMvk2GqJqY=";
+  };
+
+  desktopItem = makeDesktopItem {
+    name = "ghidra";
+    exec = "ghidra";
+    icon = "ghidra";
+    desktopName = "Ghidra";
+    genericName = "Ghidra Software Reverse Engineering Suite";
+    categories = "Development;";
+  };
+
+  # postPatch scripts.
+  # Tells ghidra to use our own protoc binary instead of the prebuilt one.
+  fixProtoc = ''
+    cat >>Ghidra/Debug/Debugger-gadp/build.gradle <<HERE
+protobuf {
+  protoc {
+    path = '${protobuf3_17}/bin/protoc'
+  }
+}
+HERE
+  '';
+
+  # Adds a gradle step that downloads all the dependencies to the gradle cache.
+  addResolveStep = ''
+    cat >>build.gradle <<HERE
+task resolveDependencies {
+  doLast {
+    project.rootProject.allprojects.each { subProject ->
+      subProject.buildscript.configurations.each { configuration ->
+        resolveConfiguration(subProject, configuration, "buildscript config \''${configuration.name}")
+      }
+      subProject.configurations.each { configuration ->
+        resolveConfiguration(subProject, configuration, "config \''${configuration.name}")
+      }
+    }
+  }
+}
+void resolveConfiguration(subProject, configuration, name) {
+  if (configuration.canBeResolved) {
+    logger.info("Resolving project {} {}", subProject.name, name)
+    configuration.resolve()
+  }
+}
+HERE
+  '';
+
+  # fake build to pre-download deps into fixed-output derivation
+  # Taken from mindustry derivation.
+  deps = stdenv.mkDerivation {
+    pname = "${pname}-deps";
+    inherit version src;
+
+    patches = [ ./0001-Use-protobuf-gradle-plugin.patch ];
+    postPatch = fixProtoc + addResolveStep;
+
+    nativeBuildInputs = [ gradle perl ] ++ lib.optional stdenv.isDarwin xcbuild;
+    buildPhase = ''
+      export GRADLE_USER_HOME=$(mktemp -d)
+
+      # First, fetch the static dependencies.
+      gradle --no-daemon --info -Dorg.gradle.java.home=${openjdk11} -I gradle/support/fetchDependencies.gradle init
+
+      # Then, fetch the maven dependencies.
+      gradle --no-daemon --info -Dorg.gradle.java.home=${openjdk11} resolveDependencies
+    '';
+    # perl code mavenizes pathes (com.squareup.okio/okio/1.13.0/a9283170b7305c8d92d25aff02a6ab7e45d06cbe/okio-1.13.0.jar -> com/squareup/okio/okio/1.13.0/okio-1.13.0.jar)
+    installPhase = ''
+      find $GRADLE_USER_HOME/caches/modules-2 -type f -regex '.*\.\(jar\|pom\)' \
+        | perl -pe 's#(.*/([^/]+)/([^/]+)/([^/]+)/[0-9a-f]{30,40}/([^/\s]+))$# ($x = $2) =~ tr|\.|/|; "install -Dm444 $1 \$out/maven/$x/$3/$4/$5" #e' \
+        | sh
+      cp -r dependencies $out/dependencies
+    '';
+    outputHashAlgo = "sha256";
+    outputHashMode = "recursive";
+    outputHash = "sha256-Yxf6g908+fRRUh40PrwNUCTvxzlvSmwzE8R+3ZkRIvs=";
+  };
+
+in stdenv.mkDerivation rec {
+  inherit pname version src;
+
+  nativeBuildInputs = [
+    gradle unzip makeWrapper icoutils
+  ] ++ lib.optional stdenv.isDarwin xcbuild;
+
+  dontStrip = true;
+
+  patches = [ ./0001-Use-protobuf-gradle-plugin.patch ];
+  postPatch = fixProtoc;
+
+  buildPhase = (lib.optionalString stdenv.isDarwin ''
+    export HOME=$(mktemp -d)
+
+    # construct a dummy /etc/passwd file - something attempts to determine
+    # the user's "real" home using this
+    DUMMY_PASSWD=$(realpath ../dummy-passwd)
+    cat > $DUMMY_PASSWD <<EOF
+    $(whoami)::$(id -u):$(id -g)::$HOME:$SHELL
+    EOF
+
+    export NIX_REDIRECTS=/etc/passwd=$DUMMY_PASSWD
+    export DYLD_INSERT_LIBRARIES=${libredirect}/lib/libredirect.dylib
+  '') + ''
+
+    export GRADLE_USER_HOME=$(mktemp -d)
+
+    ln -s ${deps}/dependencies dependencies
+
+    sed -i "s#mavenLocal()#mavenLocal(); maven { url '${deps}/maven' }#g" build.gradle
+
+    gradle --offline --no-daemon --info -Dorg.gradle.java.home=${openjdk11} buildGhidra
+  '';
+
+  installPhase = ''
+    mkdir -p "${pkg_path}" "$out/share/applications"
+
+    ZIP=build/dist/$(ls build/dist)
+    echo $ZIP
+    unzip $ZIP -d ${pkg_path}
+    f=("${pkg_path}"/*)
+    mv "${pkg_path}"/*/* "${pkg_path}"
+    rmdir "''${f[@]}"
+
+    ln -s ${desktopItem}/share/applications/* $out/share/applications
+
+    icotool -x "Ghidra/RuntimeScripts/Windows/support/ghidra.ico"
+    rm ghidra_4_40x40x32.png
+    for f in ghidra_*.png; do
+      res=$(basename "$f" ".png" | cut -d"_" -f3 | cut -d"x" -f1-2)
+      mkdir -pv "$out/share/icons/hicolor/$res/apps"
+      mv "$f" "$out/share/icons/hicolor/$res/apps/ghidra.png"
+    done;
+  '';
+
+  postFixup = ''
+    mkdir -p "$out/bin"
+    ln -s "${pkg_path}/ghidraRun" "$out/bin/ghidra"
+    wrapProgram "${pkg_path}/support/launch.sh" \
+      --prefix PATH : ${lib.makeBinPath [ openjdk11 ]}
+  '';
+
+  meta = with lib; {
+    description = "A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission";
+    homepage = "https://ghidra-sre.org/";
+    platforms = [ "x86_64-linux" "x86_64-darwin" ];
+    license = licenses.asl20;
+  };
+
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 7c37f80b8f15..8b3ba4b1e7f5 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -3106,6 +3106,8 @@ with pkgs;
 
   ghdorker = callPackage ../tools/security/ghdorker { };
 
+  ghidra = callPackage ../tools/security/ghidra/build.nix { };
+
   ghidra-bin = callPackage ../tools/security/ghidra { };
 
   gif-for-cli = callPackage ../tools/misc/gif-for-cli { };