Skip to content

ssetmask

Intro

ssetmask - Change calling thread signal mask

Description

The ssetmask function sets the signal mask of the calling thread to the argument newmask, and returns the previous signal mask of the thread. The calls have no effect on signals that are ignored. The ssetmask() function is equivalent to sigprocmask(2).

Arguments

  • newmask:long[K] - The signal mask to be set.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

ssetmask

Type

Kprobes

Purpose

To detect when threads change their signal masks.

Example Use Case

ssetmask() can be used to detect if a thread is attempting to block certain signals. This is useful to detect certain malicious activities, as it can indicate the presence of signal handlers.

Issues

None

  • signal(2) - Send signal.
  • sigaction(2) - Change signal action.
  • sigprocmask(2) - Examine and change blocked signals.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.