Module preload_scanner

Library prevalence analysis for LD_PRELOAD rootkit detection.

Structs

GloballyLoadedLibrary
A shared library and how widely it is mapped across processes — the core signal for LD_PRELOAD-style rootkit detection: a malicious preload is injected into every process, so an unusually high prevalence is suspicious.
VolatilityElfEntry
One row of Volatility’s linux.elfs output — a memory-mapped ELF image in a process, used as an alternative prevalence source to /proc/<pid>/maps.

Functions

find_globally_loaded_from_elfs
Prevalence ranking from VolatilityElfEntry rows: each path’s fraction of distinct PIDs mapping it, filtered by threshold. Returns (path, prevalence).
find_globally_loaded_libraries
Rank shared objects by how many inspected processes map them, keeping only .so libraries whose prevalence meets threshold — the LD_PRELOAD candidates.
parse_linux_elfs_tsv
Parse Volatility linux.elfs TSV output into VolatilityElfEntry rows (skips the header and blank/comment lines; tolerant of short rows).