# Dynamic Linker Hijacking

Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD\_PRELOAD on Linux or DYLD\_INSERT\_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. These variables are often used by developers to debug binaries without needing to recompile, de-conflict mapped symbols, and implement custom functions without changing the original library.

On Linux, adversaries may set LD\_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD\_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.

In this example I've built a small shared library that just prints "Hello World" when it is loaded. You must be careful that these libraries do not consume resources, as this will crash the application or make the OS unusable, depending on what you've hijacked.

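```
#define _GNU_SOURCE
#include <stdio.h>

/* The constructor attribute makes the dynamic linker call this function
   as soon as the library is loaded, before the program's main() runs. */
__attribute__((constructor)) void run_hello(void) {
    printf("Hello World\n");
}
```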

We compile this with `gcc -shared -fPIC -o /tmp/hello.so hello.c`, and we can test the preload with the following:

<figure><img src="/files/UZcdImvczf9SUfdPncJn" alt=""><figcaption></figcaption></figure>

But we can also set the environment variable to utilize this library:

<figure><img src="/files/3Irf0Cp4ssops7Vq9F6k" alt=""><figcaption></figcaption></figure>

You will notice that almost every binary that utilizes shared libraries will load our malicious one:

<figure><img src="/files/PqSVV4yGdkjNmC0QMQ0N" alt=""><figcaption></figcaption></figure>

Now we can use the ld.so.preload file, but this is a system shared object and will need root access. Using this file is straightforward: we create our .so file, then move it to the /etc/ld.so.preload location, and when any application is running it will always use this one first.

<figure><img src="/files/8ci3HZRJamdT5k3IPvkJ" alt=""><figcaption></figcaption></figure>

I've encountered errors since the library can't be preloaded, but this is what will happen with a correctly functioning one: every application will try to load it with root-level access.

<figure><img src="/files/T3T7z0etJrrmZG9AKU6l" alt=""><figcaption></figcaption></figure>
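Both preload sources described above (the LD\_PRELOAD environment variable and /etc/ld.so.preload) can be audited on a live host. The script below is an added example, not part of the original notes; its function names and the `RISKY_DIRS` list are assumptions made for illustration.

```python
"""Report LD_PRELOAD use in live processes and entries in /etc/ld.so.preload."""
import glob
import os
import re

# Assumption: locations an unprivileged user can usually write to; tune per host.
RISKY_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

def split_preload(value):
    """Both preload sources separate entries with whitespace or colons."""
    return [e for e in re.split(r"[\s:]+", value) if e]

def preload_from_environ(raw):
    """Extract LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for item in raw.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return split_preload(item[len(b"LD_PRELOAD="):].decode(errors="replace"))
    return []

def preload_from_file(text):
    """Entries of an ld.so.preload file, ignoring '#' comments."""
    lines = (line.split("#", 1)[0] for line in text.splitlines())
    return split_preload(" ".join(lines))

def is_suspicious(path):
    """Relative paths and user-writable locations deserve a closer look."""
    return not path.startswith("/") or path.startswith(RISKY_DIRS)

def scan_host(proc="/proc", preload_file="/etc/ld.so.preload"):
    """Return (source, library, suspicious) tuples for the running system."""
    findings = []
    try:
        with open(preload_file) as fh:
            findings += [(preload_file, e, is_suspicious(e)) for e in preload_from_file(fh.read())]
    except OSError:
        pass  # file absent (the normal case) or unreadable
    for env in glob.glob(os.path.join(proc, "[0-9]*", "environ")):
        try:
            with open(env, "rb") as fh:
                entries = preload_from_environ(fh.read())
        except OSError:
            continue  # process exited or is owned by another user
        findings += [(env, e, is_suspicious(e)) for e in entries]
    return findings

if __name__ == "__main__":
    for source, lib, flag in scan_host():
        print(f"{'SUSPICIOUS' if flag else 'review':10} {source}: {lib}")
```

Run it as root to see every process. `/proc/<pid>/environ` shows the environment the process was started with, so a variable set only for one command still appears for as long as that command runs.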


