LD_PRELOAD & Shared Library Hijacking

Linux, Persistence Mechanisms, Disk Image, Memory Dump

Location

/etc/ld.so.preload, /etc/ld.so.conf, /etc/ld.so.conf.d/*, LD_PRELOAD environment variable

Description

Dynamic linker configuration files that control which shared libraries are loaded and in what order. /etc/ld.so.preload forces the listed libraries to load before all others in every dynamically linked process on the host. The LD_PRELOAD environment variable achieves the same effect for a single process and the children that inherit its environment.

Forensic Value

LD_PRELOAD hijacking (MITRE T1574.006) is a userland rootkit technique that injects a malicious shared library into every dynamically linked process. /etc/ld.so.preload is almost never legitimately used, so any entry in it is a strong compromise indicator. Because the injected library loads before libc, it can hook library calls (and so the underlying system calls) to hide files, processes, and network connections without any kernel modification. Checking both the file and the LD_PRELOAD variable of running processes (/proc/<pid>/environ) is necessary for complete detection.

Tools Required

cat, ldd, strings, strace, Volatility 3, find

Collection Commands

cat

cat /etc/ld.so.preload /etc/ld.so.conf > /forensics/output/ld_config.txt

find

find /proc -maxdepth 2 -name environ -exec grep -la LD_PRELOAD {} \; 2>/dev/null > /forensics/output/ld_preload_procs.txt

tar

tar czf /forensics/output/ld_conf.tar.gz /etc/ld.so.conf /etc/ld.so.conf.d/ /etc/ld.so.preload

strings

strings /etc/ld.so.preload > /forensics/output/ld_preload_strings.txt
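The commands above collect the raw files; the following POSIX sh helpers, added here and not part of the original artifact page, parse them the way the dynamic linker does and report what a triage analyst actually needs: each ld.so.preload entry with whether the library exists, and each process whose environment carries LD_PRELOAD. The root and proc paths are parameters (assumed names), so the same functions run against a live host or a mounted disk image.

```shell
#!/bin/sh
# Added example, not part of the original artifact page. Triage helpers for
# LD_PRELOAD persistence: $root is "" for a live host or the mount point of a
# disk image, so the same checks run against /mnt/evidence/etc/ld.so.preload.
# Caveat: on a live host a preloaded rootkit can hook the libc calls that
# sed/tr/cat make, so prefer statically linked binaries or the offline image.

# Print the library paths listed in ld.so.preload, one per line.
# glibc's ld.so treats whitespace and ':' as separators and ignores
# everything after '#' on a line, so the parser mirrors that.
list_preload_entries() {
    f="${1:-}/etc/ld.so.preload"
    [ -f "$f" ] || return 0
    sed 's/#.*//' "$f" | tr ' \t:' '\n\n\n' | grep -v '^$' || true
}

# Report every entry as PRESENT or MISSING relative to $root. Any entry at
# all is suspicious; a MISSING one also breaks exec of every dynamic binary.
audit_preload_file() {
    root="${1:-}"
    list_preload_entries "$root" | while IFS= read -r lib; do
        if [ -e "$root$lib" ]; then echo "PRESENT $lib"; else echo "MISSING $lib"; fi
    done
}

# Walk /proc/<pid>/environ (NUL-separated) and print "pid comm value" for
# every process started with LD_PRELOAD set. $1 lets a test point at a
# constructed proc tree; on a live host run as root so every environ is readable.
scan_proc_environ() {
    proc="${1:-/proc}"
    for e in "$proc"/[0-9]*/environ; do
        [ -r "$e" ] || continue
        pid="${e#"$proc"/}"; pid="${pid%/environ}"
        val=$(tr '\000' '\n' < "$e" 2>/dev/null | sed -n 's/^LD_PRELOAD=//p')
        [ -n "$val" ] || continue
        comm=$(cat "$proc/$pid/comm" 2>/dev/null || echo '?')
        echo "$pid $comm $val"
    done
}
```

Source the file and call `audit_preload_file /mnt/evidence` against a mounted image, or `audit_preload_file; scan_proc_environ` on the live host; an empty result from both is the expected clean state.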

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • Live-state evidence is volatile. Collect it before reboot, containment, or power loss whenever legal and operational constraints allow.

MITRE ATT&CK Techniques

T1574.006, T1055, T1014