LIBRARY-FIRST PROTOCOL (MANDATORY)
Before writing ANY code, you MUST check:
Step 1: Library Catalog
- Location: .claude/library/catalog.json
- If match >70%: REUSE or ADAPT
Step 2: Patterns Guide
- Location: .claude/docs/inventories/LIBRARY-PATTERNS-GUIDE.md
- If pattern exists: FOLLOW documented approach
Step 3: Existing Projects
- Location: D:\Projects\*
- If found: EXTRACT and adapt
Decision Matrix
| Match | Action |
|---|---|
| Library >90% | REUSE directly |
| Library 70-90% | ADAPT minimally |
| Pattern exists | FOLLOW pattern |
| In project | EXTRACT |
| No match | BUILD (add to library after) |
Purpose
Perform level 3-4 reverse engineering: runtime tracing, memory dumps, symbolic path exploration, and exploit validation. Built with skill-forge structure-first requirements and prompt-architect constraint/evidence rules.
Use When / Redirect When
- Use when: extracting secrets/keys at runtime, generating inputs to reach deep code paths, validating exploitability, or producing full behavioral reports.
- Redirect when: quick IOC triage (reverse-engineering-quick), firmware focus (reverse-engineering-firmware), or lightweight triage (reverse-engineer-debug).
Guardrails
- Strictly isolated sandboxes with snapshots; never on production hosts.
- Contain network activity (block/allowlist only); disable unintended propagation.
- Maintain chain-of-custody (hashes, timestamps, environment).
- Confidence ceilings enforced (inference/report ≤0.70, research 0.85, observation/definition 0.95).
Prompt Architecture Overlay
- HARD/SOFT/INFERRED constraints (architecture, obfuscation, goals, risk tolerance, allowed tooling).
- Two-pass refinement: structure (coverage, safety) then epistemic (evidence, ceilings).
- English-only outputs with explicit confidence line.
SOP (Deep Analysis Loop)
- Scope & Toolchain
  - Confirm authorization, sample hashes, target platforms, and objectives (exploit validation, unpacking, IOC extraction).
  - Select tooling: debuggers, dynamic instrumentation, symbolic executors, decompilers, tracers.
- Static & Preparation
  - Unpack/unwrap (if allowed), identify protections (packers, anti-debug), and set hooks.
  - Build test harnesses and snapshots; prep controlled inputs.
- Dynamic Execution
  - Instrument runtime (syscalls, memory, IPC, network), capture dumps, and trace control/data flows.
  - Execute path exploration/symbolic execution to reach guarded code.
- Exploitability & Secrets
  - Validate vulnerability reachability, exploit primitives, and mitigations (ASLR/DEP/CFI).
  - Extract secrets/keys/configs when permitted; sanitize outputs.
- Validation & Delivery
  - Cross-validate static vs. dynamic vs. symbolic findings.
  - Produce reproduction steps, mitigations, and IOC set; archive to skills/security/reverse-engineering-deep/{project}/{timestamp} with MCP tags (WHO=reverse-engineering-deep-{session}, WHY=skill-execution).
Deliverables
- Full behavioral report with traces, dumps (hashed), and IOC inventory.
- Exploitability assessment with mitigations and recommended fixes.
- Reproduction steps, harnesses/scripts, and sanitized artifacts.
Quality Gates
- Structure-first documentation; missing resources/examples/tests logged for follow-up.
- Safety controls verified (isolation, snapshots, network controls).
- Evidence per claim with confidence ceilings; dual validation for critical findings.
- Chain-of-custody recorded (hashes, env, timestamps).
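The two mechanical gates above (confidence ceilings and chain-of-custody) can be checked in code. The sketch below is an added example, not part of the skill itself: the function names are hypothetical, the ceilings are the ones listed under Guardrails, and the line format is the one given under Output Format.

```python
import hashlib, os, platform, re
from datetime import datetime, timezone

# Ceilings exactly as listed under Guardrails.
CEILINGS = {"inference": 0.70, "report": 0.70, "research": 0.85,
            "observation": 0.95, "definition": 0.95}
# Line format from Output Format: Confidence: X.XX (ceiling: TYPE Y.YY) - reason.
CONF_RE = re.compile(r"^Confidence: (\d\.\d{2}) \(ceiling: (\w+) (\d\.\d{2})\) - (.+)$")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def custody_record(path):
    """Chain-of-custody entry: hash, size, UTC timestamp, environment."""
    return {"path": path, "sha256": sha256_file(path),
            "size": os.path.getsize(path),
            "recorded_utc": datetime.now(timezone.utc).isoformat(),
            "env": f"{platform.system()} {platform.release()}, "
                   f"Python {platform.python_version()}"}

def check_confidence(line):
    """Return the problems found in one confidence line (empty list = pass)."""
    m = CONF_RE.match(line.strip())
    if not m:
        return ["malformed confidence line"]
    value, kind, stated = float(m.group(1)), m.group(2), float(m.group(3))
    if kind not in CEILINGS:
        return [f"unknown ceiling type {kind!r}"]
    problems = []
    if stated != CEILINGS[kind]:
        problems.append(f"stated ceiling {stated:.2f} is not the {kind} ceiling")
    if value > CEILINGS[kind]:
        problems.append(f"confidence {value:.2f} exceeds {kind} ceiling "
                        f"{CEILINGS[kind]:.2f}")
    return problems

def gate(confidence_line, record):
    """Pass only if the claim is within its ceiling and the evidence
    artifact still matches the hash in its custody record."""
    problems = check_confidence(confidence_line)
    if sha256_file(record["path"]) != record["sha256"]:
        problems.append("artifact hash differs from custody record")
    return problems
```

Call custody_record() when a dump or trace is captured and gate() at delivery time, so an artifact altered between capture and report fails the gate.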
Anti-Patterns
- Running without snapshots or rollback plan.
- Exposing live malware to external services.
- Over-claiming exploitability without proof-of-reach.
- Skipping escalation to firmware/quick triage paths when they are a better fit.
Output Format
- Scope + constraints table (HARD/SOFT/INFERRED).
- Behavioral/trace summary, IOC list, and exploitability assessment.
- Mitigation recommendations and validation log.
- Confidence line: Confidence: X.XX (ceiling: TYPE Y.YY) - reason.
Confidence: 0.72 (ceiling: inference 0.70) - Deep RE SOP rebuilt with skill-forge structure and prompt-architect constraint handling.