Open Source Binary Analysis

Hunt Vulnerabilities in Binaries with VulHunt

curl --proto '=https' --tlsv1.2 -sSfL https://sh.vulhunt.re | sh
irm https://ps.vulhunt.re | iex
View all installation options →

VulHunt goes beyond signature matching and version inference. Write Lua rules that leverage dataflow analysis, code pattern matching, and decompilation to detect known and unknown vulnerabilities in POSIX binaries and UEFI firmware.

x86 & ARM architectures
POSIX & UEFI platforms
Open source Community Edition
Powered by Rust
vulhunt-ce — scan
$ vulhunt-ce scan --data bias-data --rules CVE-2024-6387.vh \
                  --output results.json --pretty ./sshd.bin
 
Issues for sshd.bin (./sshd.bin)
CVE-2024-6387
 
× Race condition in OpenSSH's sshd signal handling due to the use of functions that are not async-signal-safe
   ╭─[1:6]
1 │ void grace_alarm_handler(int32_t sig) {
   ·      ─────────┬─────────
   ·               ╰── The `grace_alarm_handler` is used as a SIGALRM handler and
   ·                   called from async context.
2 │   bits32_t var1;
3 │   int64_t var2;
4 │   pid_t var3;
5 │   pid_t var4;
6 │   bits64_t var5;
7 │
8 │   if ((ram0x000ea020 == 0) || (ram0x000ec788 == 0)) {
9 │     var3 = getpgid(0);
   ·     ...
$

Core Capabilities

Taint Tracking & Dataflow

Trace attacker-controlled input to dangerous sinks across function calls. Detect command injection, buffer overflows, and use-after-free, with support for sanitizers (validation routines that clear taint so checked data does not produce false positives).

Code Pattern Matching

Search decompiled code for vulnerability patterns using Weggli-based queries. Architecture-independent detection that generalizes across x86 and ARM binaries.

Cross-Architecture Analysis

A unified Intermediate Representation based on Ghidra's PCode lets one rule work across x86 and ARM, 32- and 64-bit, POSIX binaries and UEFI firmware.

Annotated Results

Findings annotate decompiled code at exact instruction addresses, pinpointing the root cause. Type libraries and FLIRT signatures make results explainable even for stripped binaries.

LLM Integration

Use Model Context Protocol (MCP) integration and agent skills as part of agentic workflows to automate vulnerability triage, rule generation, and patch analysis.

Integrations & Extensibility

Integrate with the tools and platforms you already use, such as Binary Ninja and Binarly's Transparency Platform, or extend VulHunt's capabilities by modifying the core analysis engine directly.

Get Started in Four Steps

01

Install

Install via a one-liner, pull the Docker image, or build from source. VulHunt runs on Linux, macOS, and Windows.

02

Write Rules

Write Lua rules that use dataflow analysis, code pattern matching, and decompilation to detect vulnerabilities in binaries.

03

Scan

Run VulHunt against your target binaries or firmware images and get annotated results pinpointing the root cause in decompiled code.

04

Analyze

Review findings in pretty-printed output, or feed the machine-readable JSONL stream into your security pipeline (CI gates, ticketing, dashboards).

Start Hunting Vulnerabilities in Binaries

VulHunt Community Edition is developed by Binarly's REsearch team and is fully open source.
Install it, write your first rule, and scan a binary in minutes.

Get Started