Skip to main content
The decompiler extension allows VulHunt rules to decompile functions from the binary and run syntax queries on the resulting pseudocode. This is useful for verifying code patterns that are difficult to express with other capabilities of VulHunt, such as matching specific sequences of statements or conditional structures in the decompiled code.

Enabling the extension

To use the decompiler, add extensions = "decompiler" to your rule:

Decompiling functions

The project:decompile() method accepts a function name, an address, or a pattern query and returns a DecompiledFunction object:
The returned object can be printed to inspect the decompiled pseudocode:
If no matching function is found, project:decompile() returns nil. When using a FunctionQuery with all = true, it returns a table of DecompiledFunction objects instead.

Running queries

Once you have a DecompiledFunction, you can search its pseudocode using Weggli-compatible syntax queries via the query method. The simplest form takes a query string. Use $var to capture named variables and _ as a wildcard:
Query strings are automatically wrapped in {} before execution. For more control, pass a table with additional options:
The regexes field allows filtering matches: use $VAR=pattern to require a match, or $VAR!=pattern to exclude it.

Extracting match results

The query method returns a SyntaxMatchResult object. Use its methods to extract addresses and captured variable bindings from the matches:
  • address_of_match(n) returns the address of the n-th matched element (1-indexed)
  • binding_of_match("$var") returns the code string captured by $var
Both methods return nil if the requested match or variable is not found.
When a query produces multiple results, you can select a specific result using the table form:

Example: verifying a patch

The following example decompiles a function and uses a syntax query to verify that a buffer length check precedes a call to strcpy. If the pattern is found, the rule reports the vulnerability as patched; otherwise, it reports it as a high-severity finding.
For the full walkthrough of this example, see the Buffer Overflow Use Case.