LD_PRELOAD & Shared Library Hijacking

Linux, Persistence Mechanisms, Disk Image, Memory Dump

Location

/etc/ld.so.preload, /etc/ld.so.conf, /etc/ld.so.conf.d/*, LD_PRELOAD environment variable

Description

These are the dynamic linker configuration files that control shared library loading order. /etc/ld.so.preload forces a library to load before all others in every dynamically linked process. The LD_PRELOAD environment variable achieves the same on a per-process basis.

Forensic Value

LD_PRELOAD hijacking (MITRE T1574.006) is a userland rootkit technique that injects malicious shared libraries into every process. /etc/ld.so.preload is almost never legitimately used, so any entry is a strong compromise indicator. The injected library can hook system calls to hide files, processes, and network connections without kernel modification. Complete detection requires checking both the file and the environment variables of running processes (/proc/<pid>/environ).
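
The two checks named above (the preload file and each process's environment) can be scripted together. The following is an added example, not part of the original entry; the function names and the `root` parameter are assumptions, with `root` pointing at `/` on a live host or at a mounted image or collected copy of the filesystem.

```python
import sys
from pathlib import Path

def preload_file_entries(root="/"):
    """Libraries listed in <root>/etc/ld.so.preload; [] if absent or unreadable."""
    try:
        text = (Path(root) / "etc/ld.so.preload").read_text(errors="replace")
    except OSError:
        return []
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]               # drop comments
        entries += line.replace(":", " ").split()  # whitespace- or colon-separated
    return entries

def preload_from_environ(raw):
    """Value of LD_PRELOAD in a NUL-separated environ blob, else None."""
    for var in raw.split(b"\0"):
        if var.startswith(b"LD_PRELOAD="):
            return var[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None

def scan_processes(root="/"):
    """Map pid -> LD_PRELOAD value for every readable <root>/proc/<pid>/environ."""
    findings = {}
    proc = Path(root) / "proc"
    if not proc.is_dir():
        return findings
    for entry in proc.iterdir():
        if not entry.name.isdigit():   # skip non-process entries such as "self"
            continue
        try:
            value = preload_from_environ((entry / "environ").read_bytes())
        except OSError:                # process exited or insufficient privileges
            continue
        if value:
            findings[int(entry.name)] = value
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for lib in preload_file_entries(root):
        print(f"[ld.so.preload] {lib}")
    for pid, value in sorted(scan_processes(root).items()):
        print(f"[pid {pid}] LD_PRELOAD={value}")
```

On a live host, run it as root so every process's environ is readable. Because a preloaded library can hide files from dynamically linked tools (the Python interpreter included), results taken from a mounted disk image are more trustworthy than results from the running system.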

Tools Required

cat, ldd, strings, strace, Volatility 3, find