master
7b5bdcf4d3
- Introduced AGENTS.md, README.md, TASKS.md, and implementation_plan.md for Vexer, detailing mission, responsibilities, key components, and operational notes. - Established similar documentation structure for Vulnerability Explorer and Zastava modules, including their respective workflows, integrations, and observability notes. - Created risk scoring profiles documentation outlining the core workflow, factor model, governance, and deliverables. - Ensured all modules adhere to the Aggregation-Only Contract and maintain determinism and provenance in outputs.
25 lines
1.2 KiB
Markdown
25 lines
1.2 KiB
Markdown
# Entry-Point Runtime — C / C++
|
|
|
|
## Signals to gather
|
|
- Dynamically linked ELF (`.dynamic`) with GLIBC references (`GLIBC`, `GLIBCXX`, `libstdc++`).
|
|
- Presence of `/lib64/ld-linux-*.so.*` loaders.
|
|
- Absence of Go/Rust-specific markers.
|
|
- Native supervisor binaries (`nginx`, `envoy`, custom C services).
|
|
- Config files adjacent to the binary (`/etc/app.conf`, YAML/INI).
|
|
|
|
## Implementation notes
|
|
- Treat this detector as the "native fallback": confirm no higher-priority language matched.
|
|
- Collect shared library list to attach as evidence; highlight unusual dependencies.
|
|
- Inspect `EXPOSE` ports and config directories to aid classification.
|
|
- Normalise busybox-style symlinks (actual binary often `/bin/busybox` with applet name).
|
|
|
|
## Evidence & scoring
|
|
- Boost for ELF dynamic dependencies and loader presence.
|
|
- Add evidence for config files, service managers, or env variables.
|
|
- Penalise extremely small binaries without metadata (may be wrappers).
|
|
|
|
## Edge cases
|
|
- Static C binaries may look like Go; rely on build ID absence and library fingerprints.
|
|
- When binary is part of a supervisor stack (e.g., `s6-svscan`), delegate classification to `Supervisor`.
|
|
- Windows native services should be handled by PE analysis (`entrypoint-runtime-overview.md`).
|