LD_PRELOAD

0001-01-01

LD_PRELOAD is an environment variable used by ld.so, the dynamic linker/loader on Linux that loads a list of additional, user-specified ELF shared objects that are loaded before all other shared objects.

This is used legitimately for hot patching or instrumenting code and maliciously by malware to install userland hooks, granting an attacker the primitives required to build a rootkit.

https://man7.org/linux/man-pages/man8/ld.so.8.html

Links to this note

in.telnetsnoopd, OpenSSH LD_PRELOAD vulnerability
artoflinuxkernelrootkit-tmpout4-matheuzsec_humzak711
Linux Persistence: Processes
leveragingldaudittobeatldpreload-ribak2020
Main Index
Linux Persistence: SSH
hiddenwasp-intezer2019
symbiote-kennedy2022
unveiling wolfsbane-sperka2024
learninglinuxbinaryanalysis-oneill2016
borges2021
Jynx rootkit
pamgoesrogue-sharma2003
sshbackdors-dumont2018
baines2016
/etc/ld.so.preload persistence
Azazel rootkit
bdvl
BEURK
libpreloadvaccine
libprocesshider
Main Index - L
Skidmap malware
vlany
WolfsBane Hider rootkit

LD_PRELOAD

0001-01-01

Links to this note

Recent Posts

Linux Persistence: Modular Software

2025-04-17 DFIR CTF persistence linux persistence apache asterisk

Linux Persistence: Web Shells

2025-04-16 DFIR persistence webshell linux persistence webshell apache nginx PHP

Linux Persistence: Rootkits

2025-04-15 DFIR persistence rootkit LKM linux persistence LKM rootkit LD_PRELOAD kprobe ftrace ld.so hooking

Linux Persistence: Processes

2025-04-11 DFIR persistence processes linux persistence processes

Defanging Linux LKM Rootkits With cleanup_module()

2025-04-05 Linux LKM rootkits EDR hooks incident response Linux LKM rootkit