uselib

Intro

uselib - load library into the calling process address space.

Description

The uselib() system call loads a shared library into the calling process's virtual address space, typically at an address chosen by the kernel. After it has been called, the library routines can be used. The library is only loaded for the duration of the process; it is private to each process and other processes do not see the loaded library. Care must be taken when using uselib() because if the same library is loaded multiple times and then unloaded, calls by the process to routines in the libraries will fail and result in a segmentation violation.

There are some edge cases where uselib() might not work properly, such as when the calling program is not authorised to access the specified library, or when the library is not for the correct architecture.

Arguments

  • library:const char*[K] - Path to the library to load.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it).
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

do_uselib

Type

Kprobe

Purpose

To trace the arguments of the uselib system call.

Example Use Case

Monitor the libraries being loaded by a process. This can be used to detect attempts to perform malicious behavior by loading malicious libraries, or to identify mistakes in program design.
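
One way to act on this use case, as an added example that is not part of Tracee or its documentation: a small reviewer that reads JSON event lines, keeps only uselib events, and marks loads from outside a trusted library directory as well as failed calls. The JSON field names (eventName, processId, returnValue, args), the trusted directory list and the sample events are assumptions constructed for illustration; only the argument name "library" comes from this page.

```python
import json
import posixpath

# Assumption: directories this host treats as trusted library locations.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# Constructed sample events (not real captures); field names are assumed.
SAMPLE_EVENTS = """\
{"eventName":"uselib","processName":"legacy_app","processId":4121,"returnValue":0,"args":[{"name":"library","type":"const char*","value":"/usr/lib/libc.so.4"}]}
{"eventName":"uselib","processName":"sh","processId":4307,"returnValue":0,"args":[{"name":"library","type":"const char*","value":"/tmp/.cache/libx.so"}]}
{"eventName":"uselib","processName":"legacy_app","processId":4121,"returnValue":-13,"args":[{"name":"library","type":"const char*","value":"/usr/lib/../../home/bob/lib.so"}]}
{"eventName":"execve","processName":"bash","processId":4400,"returnValue":0,"args":[{"name":"pathname","type":"const char*","value":"/bin/ls"}]}
not-json line
"""

def library_arg(event):
    for arg in event.get("args") or []:
        if arg.get("name") == "library":
            return arg.get("value")
    return None

def is_trusted(path):
    """True only for absolute paths that normalise into a trusted directory."""
    if not isinstance(path, str) or not path.startswith("/"):
        return False
    norm = posixpath.normpath(path)  # collapses ../ segments; does not resolve symlinks
    return any(norm.startswith(d + "/") for d in TRUSTED_LIB_DIRS)

def review_uselib(lines):
    """Return one finding per uselib event; other events and bad lines are skipped."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict) or event.get("eventName") != "uselib":
            continue
        path = library_arg(event)
        findings.append({
            "pid": event.get("processId"),
            "library": path,
            "failed": event.get("returnValue", 0) < 0,
            "untrusted_path": not is_trusted(path),
        })
    return findings

if __name__ == "__main__":
    print(*review_uselib(SAMPLE_EVENTS.splitlines()), sep="\n")
```

Because the check works on the logged path string only, a symlink inside a trusted directory still passes; resolving the path on the host that produced the event closes that gap.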

Issues

This system call is not supported on all architectures. Additionally, this system call is not available in the newest versions of the Linux kernel and has been replaced by other system calls.

  • execve
  • munmap

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.