VulHunt is a unified platform for vulnerability detection, malware analysis, and more — working from a single source of truth across multiple representations including disassembly, intermediate representation (IR), and decompiled code.
It allows writing high-level Lua rules that match against low-level semantic information extracted from binaries. These rules can detect known and unknown vulnerabilities, patches, malicious code, and other software properties in targets such as POSIX executables and UEFI modules.
VulHunt also exposes its analysis capabilities through an MCP server, giving LLMs flexible access to the full analysis engine. To guide LLMs through common workflows, VulHunt ships a set of Claude Skills — structured instructions that teach an agent how to use VulHunt’s MCP tools for specific tasks.
Quick start
To follow along, install VulHunt:
Linux and macOS
curl --proto '=https' --tlsv1.2 -sSfL https://sh.vulhunt.re | sh
Windows
irm https://ps.vulhunt.re | iex
Quick usage
VulHunt supports two primary usage modes:
Scan mode
Run VulHunt rules against binaries:
vulhunt-ce scan --data /path/to/data --rules /path/to/rules --pretty --output output.json <binary>
MCP mode
Use VulHunt as an MCP server:
vulhunt-ce mcp --data /path/to/data
The --data flag is only required when VulHunt’s data files are not in the
default location. If you installed via the standard installer, you can omit
it.
A first look at rules
VulHunt rules are Lua scripts that define rule metadata and detection. Let’s see an example rule to detect binaries affected by CVE-2024-6387 (also known as regreSSHion). A simplified1 way to detect this vulnerability in sshd binaries is by checking whether syslogv is called from sshsigdie:
author = "Binarly"
name = "CVE-2024-6387"
platform = "posix-binary"
architecture = "*:*:*"
scopes = {
scope:functions{
named = "sshsigdie",
with = function(project, context)
if context:has_call("sshlogv") then
print("This binary is vulnerable to CVE-2024-6387 (regreSSHion)!")
end
end
}
}
