# Dynamic Linker Hijacking

Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD\_PRELOAD on Linux or DYLD\_INSERT\_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. These variables are often used by developers to debug binaries without needing to recompile, de-conflict mapped symbols, and implement custom functions without changing the original library.

On Linux, adversaries may set LD\_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD\_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.

In this example I've built a small static library that, when loaded, just prints out "Hello World". You must be careful with these libraries to not consume resources, as this will crash the application or make the OS unusable depending on what you've hijacked.

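```c
#define _GNU_SOURCE
#include <stdio.h>

/* The constructor attribute makes the dynamic linker call this function
 * as soon as the library is loaded, before the host program's main(). */
__attribute__((constructor)) void run_hello(void) {
    printf("Hello World\n");
}
```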

We compile this with `gcc -shared -fPIC -o /tmp/hello.so hello.c` and can test the preload with the following:

<figure><img src="/files/UZcdImvczf9SUfdPncJn" alt=""><figcaption></figcaption></figure>

But we can also set the environment variable to utilize this library:

<figure><img src="/files/3Irf0Cp4ssops7Vq9F6k" alt=""><figcaption></figcaption></figure>

You will notice that almost every binary that utilizes shared libraries will load our malicious one:

<figure><img src="/files/PqSVV4yGdkjNmC0QMQ0N" alt=""><figcaption></figcaption></figure>

Now we can use the ld.so.preload file, but this is a system shared object and will need root access. Using this file is straightforward: we create our .so file, then move it to the /etc/ld.so.preload location, and when any application is running it will always use this one first.

<figure><img src="/files/8ci3HZRJamdT5k3IPvkJ" alt=""><figcaption></figcaption></figure>

I've encountered errors since the library can't be preloaded, but this is what will happen with a correctly functioning one: every application will try to load it with root-level access.

<figure><img src="/files/T3T7z0etJrrmZG9AKU6l" alt=""><figcaption></figcaption></figure>
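
To check a host for the two mechanisms described above (the LD\_PRELOAD environment variable and the /etc/ld.so.preload file), the following added example, which is not part of the original notes, reads each process's startup environment from /proc together with the preload file and lists every library they name. The `TRUSTED_DIRS` allow-list and all function names are assumptions chosen for illustration.

```python
import os
import re

# Assumption: preloads outside these directories deserve a closer look.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
PRELOAD_VARS = (b"LD_PRELOAD", b"DYLD_INSERT_LIBRARIES")

def split_preload(value):
    """Split a preload list; glibc accepts spaces or colons as separators."""
    return [p for p in re.split(r"[\s:]+", value) if p]

def is_suspicious(path):
    """True for relative paths and anything outside TRUSTED_DIRS."""
    return not os.path.normpath(path).startswith(TRUSTED_DIRS)

def preload_from_environ(raw):
    """Parse a /proc/<pid>/environ blob: NUL-separated KEY=VALUE records."""
    libs = []
    for record in raw.split(b"\0"):
        key, sep, value = record.partition(b"=")
        if sep and key in PRELOAD_VARS:
            libs += split_preload(value.decode("utf-8", "replace"))
    return libs

def preload_from_file(text):
    """Parse /etc/ld.so.preload content, dropping '#' comments."""
    return split_preload(re.sub(r"#.*", "", text))

def audit(proc_root="/proc", preload_file="/etc/ld.so.preload"):
    """Return (source, library, suspicious) for every preload entry found."""
    found = []
    try:
        with open(preload_file) as fh:
            found += [(preload_file, p) for p in preload_from_file(fh.read())]
    except OSError:
        pass  # no preload file present, or it is not readable
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as fh:
                libs = preload_from_environ(fh.read())
        except OSError:
            continue  # process exited, or unreadable without root
        found += [(f"pid {pid}", p) for p in libs]
    return [(src, p, is_suspicious(p)) for src, p in found]

if __name__ == "__main__":
    for source, lib, flagged in audit():
        print("REVIEW" if flagged else "ok", source, lib)
```

Run it as root to see every process. /proc/&lt;pid&gt;/environ holds the environment the process was started with, which is the one the dynamic linker acted on.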

