code-pattern-matching

Code Pattern Matching

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "code-pattern-matching" with this command: npx skills add vulhunt-re/skills/vulhunt-re-skills-code-pattern-matching

Search for code patterns in decompiled output using the Weggli pattern matching engine.

When to use

  • Find specific code patterns in decompiled functions (e.g., memcpy(dst, src, len))

  • Search for vulnerable code constructs across functions

  • Match variable usage patterns with semantic constraints

  • Locate specific function call patterns with regex filtering

Instructions

Using the VulHunt MCP tools, open the project (open_project) and run the following Lua query (query_project), adapting it as needed:

local decomp = project:decompile(<target_function>)

local matches = decomp:query({
  raw = true, -- If true, the query will be used as-is; otherwise, it will be wrapped in {{}}
  query = [[<query>]]
})

return matches:dump() -- matches:dump() already returns a table

The <query> parameter is a query written in Weggli, the default pattern matching engine.

Possible values for <target_function>:

  • A string, e.g. "system"

  • An AddressValue

      • VulHunt APIs return addresses as an AddressValue

      • To build an AddressValue, use for example: AddressValue.new(0x1234)

  • A regex, e.g. {matching = "<regex>", kind = "symbol", all = true}

  • A byte pattern, e.g. {matching = "41544155", kind = "bytes", all = true}

all is a boolean. If set to true, it returns a table containing all matching functions. If false (default), it returns only the first matching value. The for loop is not necessary when there is only one target function (i.e. all is not set to true).

Returns a JSON object containing all matched code and their addresses.

Additional Options

decomp:query{
  raw = true,
  unique = true, -- captured variables must refer to different nodes
  query = [[ $FN($DST, $SRC, $SIZE); ]],
  regexes = {
    "$FN=memcpy|memmove|strncpy", -- function name must match one of these
    "$SIZE!=^[0-9]+$", -- size must NOT be a plain numeric constant
  }
}
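An added example, not taken from the upstream SKILL.md: a sweep that combines the regex target form (all = true) with the constrained copy-call query from Additional Options, so every matching function is checked for copies whose size is not a literal constant. The symbol regex "^handle_" is a constructed placeholder. Iterating the returned table with ipairs, and guarding against a nil result from query, are assumptions about the VulHunt API.

```lua
-- Decompile every function whose symbol matches the regex.
-- "^handle_" is a constructed placeholder; replace it with the real target set.
local targets = project:decompile({
  matching = "^handle_",
  kind = "symbol",
  all = true, -- return a table of decompiled functions instead of the first hit
})

local results = {}

-- Assumption: with all = true the result is an array-like table.
for _, decomp in ipairs(targets or {}) do
  local matches = decomp:query({
    raw = true,    -- use the Weggli query as written, no {{}} wrapping
    unique = true, -- captured variables must refer to different nodes
    query = [[ $FN($DST, $SRC, $SIZE); ]],
    regexes = {
      "$FN=memcpy|memmove|strncpy", -- only bounded-copy style calls
      "$SIZE!=^[0-9]+$",            -- skip calls whose size is a numeric literal
    },
  })

  -- Assumption: query may yield nil when nothing matches; the guard is harmless otherwise.
  if matches then
    -- matches:dump() already returns a table (matched code and addresses).
    results[#results + 1] = matches:dump()
  end
end

-- One entry per function that was queried successfully.
return results
```

Each hit is a call site where the copy length comes from a variable or expression, which is where a reviewer should confirm that the length is validated against the destination size.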

References

  • decompiled-function.md - Query syntax and methods for decompiled function objects

  • syntax-match-result.md - Structure of returned match results

URLs to additional documentation pages are available at https://vulhunt.re/llm.txt

Related Skills

  • decompiler (/decompiler) - Required prerequisite for code pattern matching; use it to decompile functions before searching for patterns

  • functions (/functions) - Use this to find target functions before decompiling and pattern matching

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
