LD_PRELOAD: The Hero We Need and Deserve
I’m a huge, HUGE, fan of
LD_PRELOAD let me tell you… oh wait it’s my blog so I’m going to. Where do I begin…
About three years ago, I wrote a blog post about the
LDFLAGS I love.
After writing the post, I realized I should have made the number odd because I think that is part
of BuzzFeed’s “click algorithm.” But more seriously, I realized just how many people on the internet you
can upset when you don’t include
LD_PRELOAD in your favorite
LDFLAGS post. I am going to take the time right
now to make one thing very clear, VERY CLEAR, listen closely:
LD_PRELOAD IS NOT A FLAG.
It is an environment variable. Wake up sheeple! Phew!
Now that’s out of the way, we can continue… I love
LD_PRELOAD. I love it so much I am devoting this
entire blog post to professing my undying love for it. So here we go…
For those who don’t know what
LD_PRELOAD is: TODAY IS YOUR LUCKY DAY!
LD_PRELOAD allows you to override symbols in any library by specifying your new function in a shared object.
When you run
/path/to/my/free.so is loaded
before any other library, including libc. When
mybinary is executed, it uses your custom function for
PRETTY FREAKING AWESOME RIGHT!
FEEL THE POWER! Okay, so moving on…
Fun Times on the Internet
One night, I’m just hanging around in my apartment, laying on my couch, and I think
“oh I’m going to ask the Internet what they’ve done with
LD_PRELOAD.” This is how most of my tweets start
for what it’s worth. So I asked…
yo internet nerds, tell me all the ways you've done dirty things with LD_PRELOAD…. I need them…. for… science…— jessie frazelle 👩🏼🚀 (@jessfraz) January 21, 2019
This tweet blew up in THE BEST WAY! I got some really cool responses I will highlight below.
Not mine but my favorite: https://t.co/zljcn70pmh— ダデイさま (@leifwalsh) January 21, 2019
$ FORCE_PID=42 LD_PRELOAD=./getpid.so bash -c 'echo $$'— 𝙺𝚎𝚎𝚜 𝙲𝚘𝚘𝚔 (@kees_cook) February 10, 2019
For forcing specific bad ssh key generation when the RNG was busted…
i didn't use this but dropbox recently stopped working on non-ext4 filesystems and there's this LD_PRELOAD hack to make it work anyway https://t.co/DqRL12FNMk— 🔎Julia Evans🔍 (@b0rk) January 21, 2019
We actually mention this in an academic paper! https://t.co/qg5ac6vXx7 We used LD_PRELOAD to interpose on the OnStar software modem audio interface.— Karl (@supersat) January 21, 2019
I wrote a silly hack that let you mount an app’s objc runtime as a filesystem so you could easily browse the class hierarchy. It could be inserted via dyld. Here is a screenshot of the Finder browsing the runtime. https://t.co/zyYxSsGaoS— Bill Bumgarner (@bbum) January 22, 2019
enabling rapid-fire railguns in quake3 rocket arena by hooking gettimeofday() via LD_PRELOAD, enable/disable by hooking strstr() and using console commands— HD Moore (@hdmoore) January 21, 2019
I made a thing to disable SSL certificate verification in a bunch of popular applications/libraries 😈https://t.co/jMWQtbl0Kb— Dаvіd Вucһаnаn (@David3141593) January 21, 2019
This isn’t all of them but isn’t the internet utterly awesome! You can poke through the thread more and find ones you love as well. But let’s move on to some mad science…
No, not the Incubus album…
but my science experiment that I did with
LD_PRELOAD. My friends, Greg (@grepory), Aditya (@chimeracoder),
and I came up with this absolutely insane idea for “kernelless”. Yeah, it’s a joke making fun of all the other
“-less”s. But ours was special, m’kay. Greg even made a dope website for it, kernelless.cloud.
So the way we were going to implement this in a mad science way would be as “Cloud Native Syscalls.” Let me tell you about the “Cloud Native Syscalls”…
Cloud Native Syscalls
The first part of the “Cloud Native Syscalls” architecture consists of a daemon on a cloud VM which has a network endpoint accepting incoming syscalls and their arguments. The daemon then performs these syscalls, almost in a code execution as a service type way.
To use “Cloud Native Syscalls”, you compile your binary with the library as follows:
LD_PRELOAD=/path/to/my/cloudnativesyscalls.so /bin/ls. This ensures that all your syscalls when you run
on your host are actually performed in the cloud and sent to the daemon described above.
F’king nuts right… I know. We are working on our A-round don’t worry. It’s truly revolutionary.
Anyways, that was our little science experiment. Hope you liked it, or at least enjoyed all the other people’s
fun hacks. :) Keep