| Field | Description | Required |
|---|---|---|
author | The author of the rule | Yes |
name | The name of the rule | Yes |
platform | Defines the target platform, i.e., posix or uefi | Yes |
architecture | The architectures supported by the rule. This will only be executed on the supported architectures | Yes |
conditions | Defines the conditions under which the rule is executed or not | No |
types | Defines the type library used to apply the types | No |
signatures | Defines the file containing the signatures to identify function without symbols | No |
extensions | Allows to specify the extensions, such as the use of the decompiler | No |
scopes | Defines the list of scopes | Yes |
Reference
Author
The author field specifies the creator of the rule.Name
The name field contains a user-defined name for the rule.Platform
The platform field specifies which platform should be used to evaluate the rule. Valid values are:posix-binaryefi-moduleefi-standalone
efi-module when the target is an EFI module extracted from a firmware image (e.g., DXE or PEI drivers), and efi-standalone when analyzing a standalone EFI binary individually (such as .efi binaries).
Architecture
The architecture field contains theprocessor:endian:bits triplet defining the architecture where the rule should be evaluated.
It accepts either a single string or a table of strings to target multiple architectures.
Valid values are:
- For processor:
X86,ARM,AARCH64, or*for all - For endian:
LE,BE, or*for all - For bits:
32,64, or*for all
Conditions
The conditions field specifies the circumstances under which the rule is executed. It is represented as a table that may include aname or name_with_prefix filter, platform-specific constraints (such as volume_guids), and optional validate predicates.
For example:
platform = "posix-binary", the conditions field contains the name of the binaries that should be tested.
The name_with_prefix field accepts either a single prefix or a table of prefixes:
platform = "efi-module", the conditions field can also contain the GUID of the EFI volume that should be tested:
name.
The name field accepts either a single name or a table of names.
On POSIX, name is compared against the component name and its linked path; on UEFI, it is compared against the module name.
validate field and are used to perform binary-level checks before the rule runs.
Validators support logical composition and byte/text/regex checks over the analyzed binary file.
- Supported logical operators:
validate:all{...},validate:any{...},validate:not_(...) - Supported predicate:
validate:contains{...}with fields:pattern(required). The string or byte pattern to search for.where. Valid values:validate.anywhere(default)validate:at(n)validate:from(n)
kind. Valid values:bytesorraw(default)asciiutf-8orutf8utf16-le,utf16le, orutf16utf16-beorutf16beregex
where works:
validate.anywhere(default): searches the entire binary for the pattern.validate:at(n): anchors the match at byte offsetn.validate:from(n): searches from byte offsetnto the end.
Types
The types field specifies the location of the type library that should be loaded by the analysis engine. For example:Signatures
The signatures field specifies the signatures library that can be used by the analysis engine to match functions in stripped binaries. The field contains one or more signature entries. Each entry can be a version, a range, or a file location. Valid examples of version entries:Extensions
The extensions field contains any extensions required by this rule and that should be enabled by the engine. It accepts either a single string or a table of strings. For now, the only valid value isdecompiler, which should be used when writing scopes that run syntax (Weggli-style) queries.
Scopes
The scopes field contains a list of scopes that are matched and executed by the engine. Currently, VulHunt supports three scopes:scope:project, scope:functions, and scope:calls which are introduced in more detail in their respective sections.