dataflow-analysis
Dataflow Analysis
Perform intra-procedural dataflow analysis to track how data flows within functions.
When to use
- Track if a function parameter flows to a function call argument
- Track if a function call's output flows to another function call's argument
- Find taint propagation paths (e.g., user input reaching dangerous functions)
- Detect vulnerabilities such as command injection and buffer overflows
Instructions
Using the VulHunt MCP tools, open the project (open_project) and run the following Lua query (query_project).
To perform dataflow analysis, use project:calls_matching{}:
local calls = project:calls_matching({
to = <target_call>,