Functions
Scope functions
Scope functions define the execution context and target for VulHunt rules.scope:project: Constructs a Project scope that operates on project-level datascope:functions: Constructs a Functions scope that operates on individual functionsscope:calls: Constructs a Calls scope that operates on function call sites
Variable and result functions
These functions create variables and construct result objects for vulnerability findings.var:named: Creates a named variable annotation for tracking valuesresult:none,result:info,result:unspecified,result:low,result:medium,result:high,result:critical: Construct vulnerability results with specified severity levels.result:infoandresult:unspecifiedare aliases forresult:noneresult:patch: Constructs a result indicating a patch has been identifiedresult:malware: Constructs a result indicating malware has been detected
Annotation functions
Annotation functions attach explanatory information to code elements in vulnerability findings.annotate:at: Annotates a specific address or location with a messageannotate:prototype: Annotates a function’s prototype signatureannotate:assignment: Annotates variable assignments with contextannotate:global: Annotates a global variable with its declarationannotate:variable: Annotates variables with position, index, and type declarationannotate:range: Annotates a range of addresses with explanatory textannotate:operand: Annotates a specific operand at a call site with a message
CVSS functions
CVSS functions construct standardized vulnerability scoring information.cvss:v2: Constructs a CVSS version 2.0 score tablecvss:v3: Constructs a CVSS version 3.0 score tablecvss:v3_1: Constructs a CVSS version 3.1 score tablecvss:v4: Constructs a CVSS version 4.0 score table
Container functions
Container functions provide utilities for working with data collections.container.empty: Checks whether a container has no elements
Utility functions
General-purpose helpers available in all rules.printf(fmt, ...): Formatted print, equivalent toprint(string.format(fmt, ...))
Validate functions
Validate functions are used inside theconditions field of a rule to perform binary-level checks before the rule runs. See Rule Fields for full usage details.
validate:all{...}: All validators must passvalidate:any{...}: Any validator must passvalidate:not_(validator): Negates a validatorvalidate:contains{pattern, where, kind}: Checks for a pattern in the binary. Bothwhereandkindare optional, defaulting tovalidate.anywhereandbytesrespectivelyvalidate:at(n): Anchor the match at byte offsetnvalidate:from(n): Search from byte offsetnto the end