
Module ld_preload

LD_PRELOAD injection detection for Linux memory forensics.

LD_PRELOAD is an environment variable honoured by the Linux dynamic linker (ld.so): the shared objects it lists are loaded before every other library, so their symbol definitions take precedence over those in libc and the rest of the process. Attackers abuse it for function hooking (wrapping libc calls to capture credentials), for userland rootkits that hide files, processes and connections from tools that rely on libc, and for generic code injection. This module detects LD_PRELOAD usage by reading each process's environment block, the byte range between mm_struct.env_start and mm_struct.env_end in the process's own address space (so it must be read through that process's page tables), and scanning the NUL-separated KEY=VALUE entries for one beginning with LD_PRELOAD=.

Two caveats when interpreting results. The block holds the environment the process received at execve(); a process can overwrite that region afterwards, so a clean block does not prove the absence of injection, while the preloaded library remains visible in the process's mappings (its vm_area_struct list), which is the natural cross-check. Conversely, /etc/ld.so.preload is a separate preload mechanism that leaves no trace in the environment and is not covered by this scan.

Suspicious indicators include libraries in /tmp or /var/tmp, in /dev/shm, under hidden directories (dotfile path components), given as relative names (which ld.so resolves through the normal library search path), and in other locations outside the standard library directories. A single value may list several objects separated by colons or spaces, and each one should be classified on its own.
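As an added illustration of the two steps described above (parsing the raw env block and classifying each preloaded path), here is a stand-alone Rust example. It is not this crate's code: the LdPreloadInfo struct and classify_ld_preload re-exported below are the real interface, while the names, heuristics and sample block here are assumptions made for the example.

```rust
// Added example: parse a raw environment block as it appears between
// mm_struct.env_start and env_end, pull out LD_PRELOAD, and classify each
// listed object. Illustrative only; the types and heuristic are hypothetical
// and are not the crate's LdPreloadInfo / classify_ld_preload.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict {
    Benign,
    Suspicious,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PreloadEntry {
    pub path: String,
    pub verdict: Verdict,
    pub reason: &'static str,
}

/// Split the raw block into "KEY=VALUE" strings. Entries are NUL-terminated;
/// a trailing entry without a NUL (e.g. a truncated read) is kept rather than
/// dropped, and non-UTF-8 bytes are replaced instead of aborting the scan.
pub fn env_entries(block: &[u8]) -> Vec<String> {
    block
        .split(|&b| b == 0)
        .filter(|e| !e.is_empty())
        .map(|e| String::from_utf8_lossy(e).into_owned())
        .collect()
}

/// Every LD_PRELOAD value in the block. An environment can carry duplicates;
/// ld.so honours the first, but all of them are evidence for the analyst.
pub fn ld_preload_values(block: &[u8]) -> Vec<String> {
    env_entries(block)
        .into_iter()
        .filter_map(|e| e.strip_prefix("LD_PRELOAD=").map(str::to_owned))
        .collect()
}

/// ld.so accepts a list separated by colons or spaces.
pub fn split_preload_list(value: &str) -> Vec<String> {
    value
        .split(|c| c == ':' || c == ' ')
        .filter(|s| !s.is_empty())
        .map(str::to_owned)
        .collect()
}

/// Assumed set of directories a legitimate preload would normally live in.
const TRUSTED_DIRS: &[&str] =
    &["/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/"];

/// Hypothetical heuristic: flag world-writable and shared-memory locations,
/// hidden path components, relative names (resolved via the library search
/// path), and anything outside the usual library directories.
pub fn classify(path: &str) -> (Verdict, &'static str) {
    if path.starts_with("/tmp/") || path.starts_with("/var/tmp/") {
        return (Verdict::Suspicious, "library in a world-writable temp directory");
    }
    if path.starts_with("/dev/shm/") {
        return (Verdict::Suspicious, "library in /dev/shm");
    }
    if path.split('/').any(|c| c.starts_with('.') && c != "." && c != "..") {
        return (Verdict::Suspicious, "hidden path component");
    }
    if !path.starts_with('/') {
        return (Verdict::Suspicious, "relative name resolved via library search path");
    }
    if TRUSTED_DIRS.iter().any(|d| path.starts_with(d)) {
        return (Verdict::Benign, "standard library directory");
    }
    (Verdict::Suspicious, "library outside standard directories")
}

/// Full pipeline for one process's env block.
pub fn scan_block(block: &[u8]) -> Vec<PreloadEntry> {
    ld_preload_values(block)
        .iter()
        .flat_map(|v| split_preload_list(v))
        .map(|path| {
            let (verdict, reason) = classify(&path);
            PreloadEntry { path, verdict, reason }
        })
        .collect()
}

/// Constructed sample block (not captured from a real system): two preloaded
/// objects, one planted under a hidden directory in /dev/shm, and a trailing
/// entry with no terminating NUL.
pub const SAMPLE_BLOCK: &[u8] =
    b"PATH=/usr/bin:/bin\0LD_PRELOAD=/dev/shm/.x/libhook.so:/usr/lib/libfoo.so\0HOME=/root";

fn main() {
    for e in scan_block(SAMPLE_BLOCK) {
        println!("{:?}\t{}\t{}", e.verdict, e.path, e.reason);
    }
}
```

Running it lists the /dev/shm object as suspicious and the /usr/lib one as benign; in a real plugin the block bytes would come from the process's address space via its page tables rather than from a constant.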

Re-exports§

pub use crate::heuristics::classify_ld_preload;

Structs§

LdPreloadInfo
Information about an LD_PRELOAD value found in a process’s environment.

Functions§

scan_ld_preload
Scan processes for LD_PRELOAD environment variable injection.