tracee
[FEAT] Create event for collision of SO symbols
Prerequisites
- [ ] This issue is an EPIC issue (add label: EPIC).
- [ ] This issue is an EPIC TASK (add issue to EPIC description).
Select one OR another:
- [x] I'll create a PR to implement this feature (assign to yourself).
- [ ] Someone else should implement this (describe it well).
Feature description
One known way to create a hook and run malicious code is the LD_PRELOAD method.
In this way, an attacker can export the same function as libc or another shared library in use, and by loading the malicious shared object before the known one, the loader will resolve the imported symbol to the malicious shared object instead of the normal one.
To locate this issue, we need an event that can check if a shared object loaded into a process has the same symbols as another one.
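
A sketch of the comparison such an event would need, added here as an example and not taken from Tracee's code: it uses Go's `debug/elf` types to keep only the symbols each object defines and exports, then reports the names both objects export. The function names and the sample symbol tables are constructed for illustration; for real files the tables would come from `elf.File.DynamicSymbols()`.

```go
package main

import (
	"debug/elf"
	"fmt"
	"sort"
)

// exported returns the names an object defines and exposes to the dynamic
// loader: defined (not SHN_UNDEF) symbols with GLOBAL or WEAK binding.
func exported(syms []elf.Symbol) map[string]bool {
	out := make(map[string]bool)
	for _, s := range syms {
		b := elf.ST_BIND(s.Info)
		if s.Section != elf.SHN_UNDEF && (b == elf.STB_GLOBAL || b == elf.STB_WEAK) {
			out[s.Name] = true
		}
	}
	return out
}

// collidingSymbols lists, sorted, the names exported by both objects.
func collidingSymbols(loaded, other []elf.Symbol) []string {
	hits := []string{}
	theirs := exported(other)
	for name := range exported(loaded) {
		if theirs[name] {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

func sym(name string, b elf.SymBind, sec elf.SectionIndex) elf.Symbol {
	return elf.Symbol{Name: name, Info: elf.ST_INFO(b, elf.STT_FUNC), Section: sec}
}

// sampleTables returns constructed (hypothetical) tables: preload, then library.
func sampleTables() (preload, lib []elf.Symbol) {
	preload = []elf.Symbol{sym("open", elf.STB_GLOBAL, 12), sym("readdir", elf.STB_WEAK, 12),
		sym("dlsym", elf.STB_GLOBAL, elf.SHN_UNDEF), sym("helper", elf.STB_LOCAL, 12)}
	lib = []elf.Symbol{sym("open", elf.STB_GLOBAL, 15), sym("readdir", elf.STB_GLOBAL, 15),
		sym("dlsym", elf.STB_GLOBAL, 15), sym("helper", elf.STB_GLOBAL, 15)}
	return preload, lib
}

func main() {
	fmt.Println(collidingSymbols(sampleTables())) // [open readdir]
}
```

In the sample, `dlsym` is only imported by the preloaded object and `helper` is a local symbol, so neither counts as a collision.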