VulHunt goes beyond version matching and YARA signatures. Write Lua rules that leverage dataflow analysis, code pattern matching, and decompilation to detect known and unknown vulnerabilities in POSIX binaries and UEFI firmware.
The Problem
Binary analysis has been stuck at version matching and byte patterns — producing false positives and zero context. VulHunt changes that.
YARA & version strings:
Flags components as vulnerable with no explanation of why, and with huge false positive rates.
Source-only tools (Semgrep, CodeQL):
Can't analyze binary dependencies shipped without source code.
Architecture-locked scripts:
Separate tools for x86 vs ARM and POSIX vs UEFI, with no unified approach.
No reachability data:
Knowing a vulnerable version is present tells you nothing about exploitability.
Semantic detection:
Rules based on code behavior and dataflow, not version numbers.
Binary-native:
Works directly on compiled binaries, no source code required.
Cross-architecture IR:
One Lua rule runs across x86, ARM, 32/64-bit, POSIX and UEFI.
Annotated results:
Exact decompiled code location with explanation of why it's vulnerable.
Core Capabilities
Everything you need in one framework.
Trace attacker-controlled input from sources to dangerous sinks across function calls. Detect command injection, buffer overflows, and use-after-free with sanitizer support.
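To make the source-to-sink idea concrete, here is an added example, not VulHunt's code or its Lua rule API: a toy interprocedural taint propagator over a constructed three-address IR. Attacker-controlled data enters at a "source", flows through copies, concatenations and calls, is cut off by a "sanitize" step, and is reported when it reaches a "sink". The instruction forms, the sample program, and the function and sink names (`build_cmd`, `run_in_shell`, `system`, `popen`) are all constructed for illustration; VulHunt's real IR is PCode-based and its rules are written in Lua.

```python
"""Toy source-to-sink taint propagation over a constructed three-address IR.

Added example to illustrate the analysis described above. It is NOT VulHunt's
Lua API or its PCode-based IR; every instruction form and name here is made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Instruction forms (constructed for this example):
#   ("source", dst)               dst receives attacker-controlled data
#   ("const", dst)                dst receives a constant (untainted)
#   ("copy", dst, src)            dst = src
#   ("concat", dst, a, b)         dst = a + b; taint of either operand flows on
#   ("sanitize", dst, src)        dst = sanitized(src); taint is removed
#   ("call", dst, callee, args)   dst = callee(*args)
#   ("sink", name, arg)           arg reaches a dangerous sink such as system()
#   ("ret", src)                  return src
Instr = tuple
Func = Tuple[List[str], List[Instr]]     # (parameter names, body)
Program = Dict[str, Func]


@dataclass(frozen=True)
class Finding:
    func: str
    index: int                 # instruction index, standing in for an address
    sink: str
    var: str
    trace: Tuple[str, ...]     # call path from the entry point to the sink


def analyze_function(prog: Program, fname: str, tainted_args: List[bool],
                     path: Tuple[str, ...] = ()) -> Tuple[bool, Set[Finding]]:
    """Propagate taint through one function for a given argument taint state.

    Callees are re-analyzed per call site, so the same function can yield a
    finding for a tainted argument and none for a sanitized one. Returns
    (return_value_is_tainted, findings)."""
    if fname in path:          # recursion guard: assume the return value is tainted
        return True, set()
    path = path + (fname,)
    params, body = prog[fname]
    tainted: Set[str] = {p for p, t in zip(params, tainted_args) if t}
    findings: Set[Finding] = set()
    ret_tainted = False
    for i, ins in enumerate(body):
        op = ins[0]
        if op == "source":
            tainted.add(ins[1])
        elif op in ("const", "sanitize"):
            tainted.discard(ins[1])
        elif op == "copy":
            _, dst, src = ins
            tainted.add(dst) if src in tainted else tainted.discard(dst)
        elif op == "concat":
            _, dst, a, b = ins
            tainted.add(dst) if (a in tainted or b in tainted) else tainted.discard(dst)
        elif op == "call":
            _, dst, callee, args = ins
            rt, sub = analyze_function(prog, callee, [a in tainted for a in args], path)
            findings |= sub
            tainted.add(dst) if rt else tainted.discard(dst)
        elif op == "sink":
            _, name, arg = ins
            if arg in tainted:
                findings.add(Finding(fname, i, name, arg, path))
        elif op == "ret":
            ret_tainted = ins[1] in tainted
        else:
            raise ValueError(f"unknown op {op!r}")
    return ret_tainted, findings


def scan(prog: Program, entry: str = "main") -> List[Finding]:
    """Run the analysis from an entry point and return findings in path order."""
    _, findings = analyze_function(prog, entry, [])
    return sorted(findings, key=lambda f: (f.trace, f.index))


# Constructed sample program: one real flow, one sanitized flow, and a sink
# inside a callee that fires only for the tainted call site.
PROGRAM: Program = {
    "main": ([], [
        ("source", "user"),                        # e.g. bytes read from a socket
        ("call", "cmd", "build_cmd", ["user"]),
        ("sink", "system", "cmd"),                 # finding: user -> build_cmd -> system
        ("sanitize", "clean", "user"),
        ("call", "cmd2", "build_cmd", ["clean"]),
        ("sink", "system", "cmd2"),                # no finding: sanitizer cut the flow
        ("call", "_", "run_in_shell", ["user"]),   # finding inside the callee
        ("call", "_", "run_in_shell", ["clean"]),  # same callee, clean argument: nothing
        ("ret", "cmd"),
    ]),
    "build_cmd": (["arg"], [
        ("const", "prefix"),
        ("concat", "out", "prefix", "arg"),
        ("ret", "out"),
    ]),
    "run_in_shell": (["p"], [
        ("sink", "popen", "p"),
        ("ret", "p"),
    ]),
}

if __name__ == "__main__":
    for f in scan(PROGRAM):
        print(f"{' -> '.join(f.trace)} @ {f.index}: tainted {f.var!r} reaches {f.sink}()")
```

Two things to notice: the per-call-site re-analysis is what keeps the sanitized path from producing a false positive on `run_in_shell`, and the `trace` field is the kind of reachability context that a version match alone cannot give you.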
Search decompiled code for vulnerability patterns using Weggli-based queries. Architecture-independent detection that generalizes across x86 and ARM binaries.
A unified Intermediate Representation based on Ghidra's PCode — one rule runs across x86 and ARM, 32-bit and 64-bit, POSIX binaries and UEFI firmware.
Findings annotate decompiled code at exact instruction addresses, pinpointing the root cause. Type libraries and FLIRT signatures make results explainable even for stripped binaries.
Use MCP and Agent Skills as part of agentic workflows to automate vulnerability triage, rule generation, and patch analysis. AI-assisted hunting at scale.
Integrate with Binary Ninja and Binarly's Transparency Platform, or extend VulHunt's analysis engine directly. Outputs machine-readable JSONL for any security pipeline.
Getting Started
Up and running in minutes.
One-liner, Docker image, or build from source. Linux, macOS, and Windows.
Dataflow analysis, code pattern matching, and decompilation in Lua rules.
Scan hundreds of binaries or firmware images per second.
Annotated findings or JSONL streams for your security pipeline.
Use Cases
Who uses VulHunt.
Hunt for known and unknown vulnerabilities. Identify new issues based on known code primitives. Rediscover CVEs in firmware and closed-source binaries.
Verify whether shipped binaries are affected by CVEs. Understand vulnerability spread across products. Prioritize patches with reachability data.
Automate binary triage during engagements. Quickly identify exploitable code paths in third-party firmware and embedded systems.
Detect potentially malicious code patterns and backdoors in binaries using the same semantic detection engine used for vulnerability hunting.
Scan vendor-supplied binaries and firmware where source code is unavailable. Catch vulnerabilities that backported fixes miss in version tracking.
Combine VulHunt with LLMs via MCP for automated rule generation, triage, and patch analysis. Built for the era of AI-driven development.
Resources
Introducing VulHunt: A High-Level Look at Binary Vulnerability Detection
Vulnerability REsearch using VulHunt
VulHunt in Practice: Detecting a Remote Code Execution Vulnerability in rsync
Agentic Vulnerability Research with VulHunt
VulHunt in Depth: Inside the Binary Vulnerability Analysis Framework
Start Hunting Today
VulHunt Community Edition is developed by Binarly's REsearch team and fully open source. Install, write your first rule, and scan a binary in minutes.