Skip to main content
The ProjectHandle object provides access to several project-level methods in VulHunt rules. It allows to enumerate functions, search for patterns, decompile code, and more.

Fields

Methods

Reference

architecture

The architecture field contains the architecture of the analyzed binary in the triplet format (e.g., "AARCH64:LE:64", "X86:LE:64").

size_of

Returns the size in bytes of the given type name.

lookup_prototype

Looks up a function prototype by name in the type database.

lookup_type

Looks up a type by name in the type database.

register_name

Returns the architecture register name for a variable that refers to a register. Accepts an IRTerm with kind VAR. Returns nil if the variable is not a register.

resolve_type

Expands a type term by resolving aliases and typedefs.

decompile

Decompiles one or more functions based on a string (function name), AddressValue (function address), or FunctionQuery object. Returns DecompiledFunction or DecompiledFunction[] when using FunctionQuery with all=true.
decompile requires enabling the decompiler feature via the extension API.

functions

Returns one or more functions based on a string (function name), AddressValue (function address), FunctionQuery object, or no input to return all functions. Returns FunctionContext or FunctionContext[] when using FunctionQuery with all=true.

functions_where

Returns FunctionContext[] based on the Lua function given as predicate.

calls_matching

Returns a table of calls matching the provided predicates.

callees_matching

Returns a table of function callees matching the provided predicates.

callee_at

Returns the details of the callee invoked at a specific call site address.
The target address does not need to point exactly at the call instruction: the call site is resolved from the basic block that contains the specified address.

search_bytes

Returns true if the specified byte sequence is found in the binary, false otherwise. Takes a hex pattern string as argument.

find_bytes

Returns a table of addresses where the specified byte sequence is located in the binary. Takes a hex pattern string as argument.
This method returns overlapping matches. For example, if the binary contains the byte sequence 41 41 41 41 at offset 0x0,
returns three matches, at addresses 0x0, 0x1, and 0x2.It is recommended to make the search pattern as unique as possible.

search_string

Returns true if the specified string is found in the binary, false otherwise. Takes a string value and an optional encoding kind as arguments. The kind parameter specifies the string encoding, valid values are:
  • ascii
  • utf8
  • utf16
  • utf16-le
  • utf16le
  • utf16-be
  • utf16be

find_string

Returns a table of addresses where the specified string is located in the binary. Takes a string value and an optional encoding kind as arguments. The kind parameter specifies the string encoding, valid values are:
  • ascii
  • utf8
  • utf16
  • utf16-le
  • utf16le
  • utf16-be
  • utf16be
This method returns overlapping matches. For example, if the binary contains the string AAAA at offset 0x0,
returns three matches, at addresses 0x0, 0x1, and 0x2.It is recommended to make the search pattern as unique as possible.

search_code

Returns a SearchCodeResult if the specified code is found in the binary. Takes a hex pattern string and an optional location string as arguments. The loc parameter is only available on UEFI platforms; valid values are:
  • sw_smi_handlers
  • child_sw_smi_handlers

search_guid

Returns true if the binary references the specified GUID, false otherwise. Takes the GUID and its symbolic name as arguments. (UEFI only)

search_nvram

Returns true if the binary accesses the specified NVRAM variable, false otherwise. Takes the runtime service used to access it (e.g., GetVariable, SetVariable), the variable name, and the vendor GUID as arguments. (UEFI only)

search_ppi

Returns true if the binary uses the specified PPI (PEIM-to-PEIM Interface), false otherwise. Takes the PEI service used to locate it (e.g., LocatePpi), the PPI name, and its GUID as arguments. (UEFI only)

search_protocol

Returns true if the binary uses the specified UEFI protocol, false otherwise. Takes the boot service used to locate it (e.g., LocateProtocol, HandleProtocol), the protocol name, and its GUID as arguments. (UEFI only)

Example

The following example shows UEFI-specific search methods available on the ProjectHandle: