Skip to content



mlock - lock the given range of memory so it won't be swapped to disk.


The mlock syscall locks the given range of memory into RAM so it won't be swapped to disk. This is useful in scenarios where you need to access or modify data stored in memory, but don't want it to get overwritten or written to disk by the kernel's virtual memory system. While this syscall ensures that the data will stay in RAM, it can still be accessed by other processes in the system, so caution should be used when using this syscall. One common misuse is allocating too much memory that cannot possibly fit in RAM, resulting in the system becoming unresponsive.


  • addr:const void*[K] - starting address of the range of pages to lock.
  • len:size_t[K] - length of the range of pages to lock.

Available Tags

  • K - Originated from kernel-space.






Monitoring the parameters of the mlock syscall and its return value.

Example Use Case

An example use case for this event could be monitoring suspicous memory locking activity. This could facilitate the detection of malware that attempts to protect its data from scrutiny by using mlock.


This syscall requires root level privileges, so it can potentially be used by malicious actors to lock critical system memory that may cause the system to become unresponsive.

  • mlockall - lock all the process's virtual pages into RAM.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.