Hijack Execution Flow: LD_PRELOAD
Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.[1][2]
Adversaries may set LD_PRELOAD to point to malicious libraries that match the names of legitimate libraries requested by a victim program, causing the operating system to load the adversary's malicious code when the victim program executes. LD_PRELOAD can be set via the environment variable or the /etc/ld.so.preload file.[1][2] Libraries specified by LD_PRELOAD will be loaded and mapped into memory by dlopen() and mmap() respectively.[3][4][5]
LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.
Procedure Examples
Name | Description
---|---
HiddenWasp | HiddenWasp adds itself as a shared object to the LD_PRELOAD environment variable.[6]
Rocke | Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.[7]
Mitigations
Mitigation | Description
---|---
Execution Prevention | Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software.
Detection
Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD, as well as the commands to implement these changes.
Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
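The following added example (not part of the ATT&CK page) implements the first detection idea above as a small audit: it parses a process's environment in the NUL-separated format of /proc/PID/environ together with the contents of /etc/ld.so.preload, and flags every preloaded object that does not resolve into a standard library directory. The trusted-directory list and the sample inputs are assumptions constructed for the example.

```python
"""Audit LD_PRELOAD sources for objects outside standard library directories.
Sample data is constructed so the script runs offline."""
import os

# Assumed set of directories where the dynamic linker normally finds libraries.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def parse_environ(raw: bytes) -> dict:
    """Parse /proc/<pid>/environ: NUL-separated KEY=VALUE records."""
    env = {}
    for rec in raw.split(b"\0"):
        if b"=" in rec:
            key, _, val = rec.partition(b"=")
            env[key.decode(errors="replace")] = val.decode(errors="replace")
    return env

def preload_entries(value: str) -> list:
    """LD_PRELOAD accepts a space- or colon-separated list of objects."""
    return value.replace(":", " ").split()

def parse_ld_so_preload(text: str) -> list:
    """/etc/ld.so.preload: whitespace-separated paths; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries

def is_suspicious(path: str) -> bool:
    """True for objects outside TRUSTED_DIRS. Paths are normalised first so
    '..' components cannot disguise the real location; bare names (resolved
    through the search path) cannot be pinned to a file and are flagged too."""
    return not os.path.normpath(path).startswith(TRUSTED_DIRS)

def audit(environ_raw: bytes, ld_so_preload: str) -> list:
    """Return (source, object) findings for untrusted preload objects."""
    findings = []
    for obj in preload_entries(parse_environ(environ_raw).get("LD_PRELOAD", "")):
        if is_suspicious(obj):
            findings.append(("LD_PRELOAD", obj))
    for obj in parse_ld_so_preload(ld_so_preload):
        if is_suspicious(obj):
            findings.append(("/etc/ld.so.preload", obj))
    return findings

# Constructed sample: one benign entry per source, one untrusted entry per source.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/libfoo.so /tmp/.x/libc.so.6\0HOME=/root\0"
SAMPLE_PRELOAD = "# added by package\n/lib64/libselinux.so.1\n/var/tmp/.cache/libhook.so\n"

if __name__ == "__main__":
    for src, obj in audit(SAMPLE_ENVIRON, SAMPLE_PRELOAD):
        print(f"[!] {src}: untrusted preload object {obj}")
```

On a live host, feed the script the bytes of each /proc/PID/environ and the text of /etc/ld.so.preload; pairing findings with the library hashes mentioned above lets a hit be compared against previous executions.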
References
- Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020.
- The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.
- Itamar Turner-Trauring. (2017, April 18). “This will only hurt for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved December 20, 2017.
- skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017.
- halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017.
- Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.