Byte Pattern Matching

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "byte-pattern-matching" with this command: npx skills add vulhunt-re/skills/vulhunt-re-skills-byte-pattern-matching

Search for raw byte patterns (hex sequences) in binary code.

When to use

  • Find specific instruction sequences by their machine code bytes

  • Locate code patterns when the raw opcode bytes are known

  • Search for known vulnerability signatures by byte pattern

  • Find UEFI-specific patterns like SMI handlers or protocol usage

Instructions

Using the VulHunt MCP tools, open the project (open_project) and run the following Lua query (query_project), adapting it as needed:

local result = project:search_code("<byte_pattern>")

if result then
  local entry = {
    function_address = tostring(result.function_address),
    start_address = tostring(result.start_address),
    end_address = tostring(result.end_address),
    instructions = {},
  }

  for _, insn in ipairs(result.insns) do
    table.insert(entry.instructions, {
      mnemonic = insn.mnemonic,
      address = tostring(insn.address),
    })
  end

  return entry
end

The byte pattern is a hex string (e.g., "554889e5................", where .. matches any byte).

Returns a JSON object containing:

  • function_address: the address of the function containing the match

  • start_address: the start address of the matched pattern

  • end_address: the end address of the matched pattern

  • instructions: list of matched instructions with their mnemonics and addresses
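To check where the wildcards of a pattern fall before running it through search_code, the following added example (not VulHunt's implementation and not part of the upstream skill) reimplements the hex-pattern format in Python over a constructed byte sample. It assumes that .. stands for exactly one byte and that patterns are written as whole byte pairs; the function names, sample bytes and base address are made up for the illustration.

```python
import re

def compile_pattern(pattern):
    """Turn a hex pattern ('..' = any one byte) into a compiled bytes regex."""
    if not pattern or len(pattern) % 2:
        raise ValueError("pattern must be a non-empty, even-length hex string")
    parts = []
    for i in range(0, len(pattern), 2):
        pair = pattern[i:i + 2]
        if pair == "..":
            parts.append(b".")
        elif re.fullmatch(r"[0-9a-fA-F]{2}", pair):
            parts.append(re.escape(bytes.fromhex(pair)))
        else:
            # Rejects half-wildcards such as '.9' instead of guessing a meaning.
            raise ValueError(f"invalid byte {pair!r} at pattern offset {i}")
    # The lookahead reports overlapping hits; DOTALL lets '.' match 0x0a too.
    return re.compile(b"(?=(" + b"".join(parts) + b"))", re.DOTALL)

def find_matches(pattern, data, base=0):
    """Return (start, end_exclusive, matched_hex) for every hit in data."""
    rx = compile_pattern(pattern)
    return [(base + m.start(1), base + m.end(1), m.group(1).hex())
            for m in rx.finditer(data)]

# Constructed sample: two x86-64 functions that share a prologue.
SAMPLE = bytes.fromhex(
    "90"                # nop (padding)
    "554889e54883ec20"  # push rbp; mov rbp, rsp; sub rsp, 0x20
    "c9c3"              # leave; ret
    "554889e54883ec0a"  # same prologue, frame size 0x0a (a newline byte)
    "c9c3"              # leave; ret
)

if __name__ == "__main__":
    # The wildcard covers the immediate operand, so both prologues match.
    for start, end, raw in find_matches("554889e54883ec..", SAMPLE, base=0x1000):
        print(f"{start:#x}-{end:#x}  {raw}")
```

The second prologue uses an immediate of 0x0a on purpose: a regex-based matcher without DOTALL would silently miss it, which is the kind of gap worth ruling out when a wildcard is meant to cover arbitrary operand bytes.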

UEFI Platform

For UEFI targets, additional functions and options are available:

-- Search code within sw_smi_handlers
local result = project:search_code("<byte_pattern>", "sw_smi_handlers")

-- Search code within child_sw_smi_handlers
local result = project:search_code("<byte_pattern>", "child_sw_smi_handlers")

-- Search for a protocol GUID (returns a boolean)
local guid_found = project:search_guid("5B1B31A1-9562-11D2-8E3F-00A0C969723B", "EFI_LOADED_IMAGE_PROTOCOL_GUID")

-- Search for an NVRAM variable (returns a boolean)
local nvram_found = project:search_nvram("GetVariable", "PlatformLang", "8BE4DF61-93CA-11D2-AA0D-00E098032B8C")

-- Search for a protocol (returns a boolean)
local protocol_found = project:search_protocol("LocateProtocol", "PCD_PROTOCOL_GUID", "11B34006-D85B-4D0A-A290-D5A571310EF7")

-- Search for a PPI (returns a boolean)
local ppi_found = project:search_ppi("LocatePpi", "PPIName", "9C21FD11-434A-12D3-D10D-109048052C8A")

NOTE: The architecture of the loaded binary can be obtained using project.architecture.

References

  • instruction.md - All methods and fields for an instruction

URLs to additional documentation pages are available at https://vulhunt.re/llm.txt

Related Skills

  • code-pattern-matching (/code-pattern-matching) - For higher-level semantic pattern matching in decompiled code, while byte-pattern-matching works at the raw instruction level

  • decompiler (/decompiler) - Decompile matched code to understand what the byte pattern represents

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
