code-pattern-matching
Code Pattern Matching
Search for code patterns in decompiled output using the Weggli pattern matching engine.
When to use
- Find specific code patterns in decompiled functions (e.g., memcpy(dst, src, len))
- Search for vulnerable code constructs across functions
- Match variable usage patterns with semantic constraints
- Locate specific function call patterns with regex filtering
Instructions
Using the VulHunt MCP tools, open the project (open_project) and run the following Lua query (query_project), adapting it as needed:
local decomp = project:decompile(<target_function>)
local matches = decomp:query({
  raw = true, -- If true, the query will be used as-is; otherwise, it will be wrapped in {{}}
  query = [[<query>]]
})
return matches:dump() -- matches:dump() already returns a table
The <query> parameter is a query written in Weggli, the default pattern matching engine.
Possible values for <target_function>:
- A string, e.g. "system"
- An AddressValue
  - VulHunt APIs return addresses as an AddressValue
  - To build an AddressValue, use for example: AddressValue.new(0x1234)
- A regex, e.g. {matching = "<regex>", kind = "symbol", all = true}
- A byte pattern, e.g. {matching = "41544155", kind = "bytes", all = true}
all is a boolean. If set to true, it returns a table containing all matching functions. If false (default), it returns only the first matching value. A for loop is not necessary when the target is a single function (i.e. all is not set to true).
Returns a JSON object containing all matched code and their addresses.
Additional Options
decomp:query{
  raw = true,
  unique = true, -- captured variables must refer to different nodes
  query = [[ $FN($DST, $SRC, $SIZE); ]],
  regexes = {
    "$FN=memcpy|memmove|strncpy", -- function name must match one of these
    "$SIZE!=^[0-9]+$", -- size must NOT be a plain numeric constant
  }
}
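The multi-function case (all = true) combined with the regex constraints above, as an added example that is not taken from the VulHunt documentation: it runs the same query over every function whose symbol matches a regex and collects the dumps for review of copy calls with a non-constant size. The symbol regex ^handle_ is hypothetical, and iterating the returned table with pairs() is an assumption about its shape.

```lua
-- Added example; uses only the calls and options shown on this page.
-- Assumption: with all = true, project:decompile returns a Lua table of
-- decompiled-function objects that pairs() can iterate.
local targets = project:decompile({
  matching = "^handle_", -- hypothetical symbol regex; adapt to the binary
  kind = "symbol",
  all = true,
})

local results = {}
for _, decomp in pairs(targets) do
  local matches = decomp:query({
    raw = true,
    unique = true, -- $DST, $SRC and $SIZE must be different nodes
    query = [[ $FN($DST, $SRC, $SIZE); ]],
    regexes = {
      "$FN=memcpy|memmove|strncpy", -- copy routines only
      "$SIZE!=^[0-9]+$",            -- skip calls with a literal numeric size
    },
  })
  -- matches:dump() returns a table, so it can be collected as-is
  results[#results + 1] = matches:dump()
end

return results -- one entry per decompiled function
```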
References
- decompiled-function.md - Query syntax and methods for decompiled function objects
- syntax-match-result.md - Structure of returned match results
URLs to additional documentation pages are available at https://vulhunt.re/llm.txt
Related Skills
- decompiler (/decompiler) - Required prerequisite for code pattern matching; use it to decompile functions before searching for patterns
- functions (/functions) - Use this to find target functions before decompiling and pattern matching