LD_PRELOAD is an environment variable read by ld.so, the dynamic linker/loader on Linux. It holds a list of additional, user-specified ELF shared objects that are loaded before all other shared objects.
This is used legitimately for hot patching or instrumenting code and maliciously by malware to install userland hooks, granting an attacker the primitives required to build a rootkit.
https://man7.org/linux/man-pages/man8/ld.so.8.html
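
One way to check a running host for preloaded objects, as an added example rather than code from this note or its sources: it parses the NUL-separated `/proc/<pid>/environ` block of each process and lists whatever LD_PRELOAD names. The function names and the sample environment block are constructed for illustration.

```python
import os

# Constructed sample of a /proc/<pid>/environ block (not taken from a real host).
CONSTRUCTED_ENVIRON = (
    b"PATH=/usr/bin\0LD_PRELOAD=/tmp/libx.so:libtrace.so /opt/a.so\0HOME=/root\0"
)


def preload_entries(environ_blob):
    """Return the shared objects named by LD_PRELOAD in a raw environ block.

    /proc/<pid>/environ is a run of NUL-terminated KEY=VALUE strings, and
    ld.so(8) accepts spaces or colons as separators inside LD_PRELOAD.
    """
    for item in environ_blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep and key == b"LD_PRELOAD":
            text = value.decode("utf-8", "replace").replace(":", " ")
            return text.split()
    return []


def scan_proc(proc_root="/proc"):
    """Map pid -> preloaded objects for every process whose environ is readable."""
    findings = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue  # only numeric directories are processes
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                entries = preload_entries(fh.read())
        except OSError:
            continue  # process exited, or not readable without privileges
        if entries:
            findings[int(name)] = entries
    return findings


if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(pid, " ".join(libs))
```

`/proc/<pid>/environ` reflects the environment the process was started with, and reading it for other users' processes requires root.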