leveragingldaudittobeatldpreload-ribak2020

2025-04-02

Leveraging LD_AUDIT to Beat the Traditional Linux Library Preloading Technique

by Lior Ribak

October 13, 2020

SentinelOne

https://www.sentinelone.com/labs/leveraging-ld_audit-to-beat-the-traditional-linux-library-preloading-technique/

Notes
Linux
Linux malware
malware
dynamic linker, dynamic loader
ld.so
LD_PRELOAD
shared object
library call hooking, hooking
process hiding
rootkit
userland rootkit
injection
The LD_PRELOAD trick: https://www.goldsborough.me/c/low-level/kernel/2016/08/29/16-48-53-the_-ld_preload-_trick/
LD_AUDIT
rtld-audit https://man7.org/linux/man-pages/man7/rtld-audit.7.html
constructor
LD_AUDIT loads before LD_PRELOAD
la_version
la_objsearch
disabling LD_PRELOAD libraries with la_objsearch
libprocesshider
/etc/ld.so.preload
la_objopen
la_symbind64
debugger
reverse engineer
struct link_map
LA_FLG_BINDTO
LA_FLG_BINDFROM
readdir
libc, glibc
ps
Hijack Execution Flow: Dynamic Linker Hijacking https://attack.mitre.org/techniques/T1574/006/
MITRE ATT&CK
ldpreload-disable https://github.com/hc0d3r/ldpreload-disable
incident response
libpreloadvaccine https://github.com/ForensicITGuy/libpreloadvaccine
Hiding Linux processes for fun + profit https://sysdig.com/blog/hiding-linux-processes-for-fun-and-profit/
ForensicITGuy
_dl_runtime_resolve() https://ypl.coffee/dl-resolve/
Understanding Linux ELF RTLD internals http://s.eresi-project.org/inc/articles/elf-rtld.txt