ProjectHandle object provides access to several project-level methods in VulHunt rules.
It allows to enumerate functions, search for patterns, decompile code, and more.
Fields
Methods
Reference
architecture
The architecture field contains the architecture of the analyzed binary in the triplet format (e.g.,"AARCH64:LE:64", "X86:LE:64").
size_of
Returns the size in bytes of the given type name.lookup_prototype
Looks up a function prototype by name in the type database.lookup_type
Looks up a type by name in the type database.register_name
Returns the architecture register name for a variable that refers to a register. Accepts anIRTerm with kind VAR. Returns nil if the variable is not a register.
resolve_type
Expands a type term by resolving aliases and typedefs.decompile
Decompiles one or more functions based on a string (function name),AddressValue (function address), or FunctionQuery object.
Returns DecompiledFunction or DecompiledFunction[] when using FunctionQuery with all=true.
decompile requires enabling the decompiler feature via the extension API.functions
Returns one or more functions based on a string (function name),AddressValue (function address), FunctionQuery object, or no input to return all functions.
Returns FunctionContext or FunctionContext[] when using FunctionQuery with all=true.
functions_where
ReturnsFunctionContext[] based on the Lua function given as predicate.
calls_matching
Returns a table of calls matching the provided predicates.callees_matching
Returns a table of function callees matching the provided predicates.callee_at
Returns the details of the callee invoked at a specific call site address.The target address does not need to point exactly at the call instruction: the call site is resolved from the basic block that contains the specified address.
search_bytes
Returnstrue if the specified byte sequence is found in the binary, false otherwise. Takes a hex pattern string as argument.
find_bytes
Returns a table of addresses where the specified byte sequence is located in the binary. Takes a hex pattern string as argument.This method returns overlapping matches. For example, if the binary contains the byte sequence returns three matches, at addresses
41 41 41 41 at offset 0x0,0x0, 0x1, and 0x2.It is recommended to make the search pattern as unique as possible.search_string
Returnstrue if the specified string is found in the binary, false otherwise. Takes a string value and an optional encoding kind as arguments.
The kind parameter specifies the string encoding, valid values are:
asciiutf8utf16utf16-leutf16leutf16-beutf16be
find_string
Returns a table of addresses where the specified string is located in the binary. Takes a string value and an optional encoding kind as arguments. Thekind parameter specifies the string encoding, valid values are:
asciiutf8utf16utf16-leutf16leutf16-beutf16be
This method returns overlapping matches. For example, if the binary contains the string returns three matches, at addresses
AAAA at offset 0x0,0x0, 0x1, and 0x2.It is recommended to make the search pattern as unique as possible.search_code
Returns aSearchCodeResult if the specified code is found in the binary. Takes a hex pattern string and an optional location string as arguments. The loc parameter is only available on UEFI platforms; valid values are:
sw_smi_handlerschild_sw_smi_handlers
search_guid
Returnstrue if the binary references the specified GUID, false otherwise. Takes the GUID and its symbolic name as arguments. (UEFI only)
search_nvram
Returnstrue if the binary accesses the specified NVRAM variable, false otherwise. Takes the runtime service used to access it (e.g., GetVariable, SetVariable), the variable name, and the vendor GUID as arguments. (UEFI only)
search_ppi
Returnstrue if the binary uses the specified PPI (PEIM-to-PEIM Interface), false otherwise. Takes the PEI service used to locate it (e.g., LocatePpi), the PPI name, and its GUID as arguments. (UEFI only)
search_protocol
Returnstrue if the binary uses the specified UEFI protocol, false otherwise. Takes the boot service used to locate it (e.g., LocateProtocol, HandleProtocol), the protocol name, and its GUID as arguments. (UEFI only)
Example
ProjectHandle: