title: VDSO Hijacking (T1055.014)
id: df00tech-t1055-014
status: experimental
description: "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via ptrace system calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the VDSO shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process's global offset table (which stores absolute addresses of mapped library functions)."
references:
  - https://attack.mitre.org/techniques/T1055/014/
  - https://df00tech.com/detections/T1055.014
author: df00tech
date: 2026/04/18
tags:
  - attack.t1055.014
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Dynamic linker (ld-linux.so) performing legitimate GOT updates during shared library loading
  - Security tools performing ELF binary analysis and memory inspection
  - "JIT compilers (Java, V8/Node.js) using mprotect to make JIT-compiled code executable"
  - Debug tools inspecting vdso memory for debugging purposes
level: high
