Trace the Source of a SIGKILL by Adding a Kernel Logging Patch
When a Linux process is terminated by SIGKILL, the sender cannot be identified directly. By adding a small patch to kernel/signal.c that logs the killer's PID and command name, you can trace the source of the kill; compile and flash the kernel to verify the change.
In Linux, a process killed with SIGKILL (kill -9) cannot be intercepted, ignored, or easily traced back to the sender because the signal is non‑catchable. This makes debugging unexpected terminations challenging.
Signal Definitions
The article lists the standard signal numbers defined in the kernel, such as SIGHUP 1, SIGINT 2, up to SIGUSR2 31. These definitions provide context for understanding where SIGKILL 9 fits among other signals.
Kernel Patch to Log SIGKILL Sender
To identify which process sent a SIGKILL, modify the kernel source file kernel/signal.c in the function kill_something_info(). Insert the following code snippet:
if (sig == SIGKILL) {
    /* current is the task that called kill(), i.e. the sender */
    struct task_struct *t = current;

    printk(KERN_WARNING "SIGKILL sent by PID:%d (%s) to PID:%d\n",
           t->pid, t->comm, pid);
}
This code captures the current task (the killer) and prints a warning with its PID and command name, along with the target PID.
Build and Deploy
After applying the patch, recompile the kernel and flash it to the target device. Once the new kernel runs, any SIGKILL will generate a kernel warning message showing the sender’s PID and process name, confirming that the modification works.
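To use the resulting messages during triage, the following user-space C parser (an added example, not part of the original article or of the kernel) extracts sender PID, sender command name and target from the patch's log line. It goes slightly beyond the article by classifying the target, because kill_something_info() receives the raw pid argument of kill(2), so zero and negative values denote process groups or all processes. The names kill_rec, classify_target and parse_kill_line are hypothetical, and the sample lines are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *SAMPLES[] = {   /* constructed dmesg lines, not real captures */
    "[  412.118204] SIGKILL sent by PID:2315 (bash) to PID:2290",
    "[  415.902113] SIGKILL sent by PID:881 (x) to PID:7) to PID:-120",
};
struct kill_rec {
    int  sender_pid, target;   /* target: raw pid argument of kill(2) */
    char sender_comm[16];      /* TASK_COMM_LEN: 15 chars + NUL */
};
enum target_kind { ONE_PROCESS, OWN_GROUP, ALL_PROCESSES, PROCESS_GROUP };

enum target_kind classify_target(int pid)              /* kill(2) pid semantics */
{
    if (pid > 0)  return ONE_PROCESS;                  /* exactly that PID */
    if (pid == 0) return OWN_GROUP;                    /* sender's process group */
    return pid == -1 ? ALL_PROCESSES : PROCESS_GROUP;  /* < -1: group -pid */
}

/* Parse "SIGKILL sent by PID:<n> (<comm>) to PID:<n>"; 0 on success, -1 otherwise. */
int parse_kill_line(const char *line, struct kill_rec *out)
{
    static const char head[] = "SIGKILL sent by PID:", tail[] = ") to PID:";
    const char *p = strstr(line, head), *open, *close = NULL, *q;
    char *end;
    if (!p) return -1;
    p += sizeof(head) - 1;
    out->sender_pid = (int)strtol(p, &end, 10);
    if (end == p || end[0] != ' ' || end[1] != '(') return -1;
    open = end + 2;
    /* comm is set by the process and may contain ')' or spaces: use the LAST tail. */
    for (q = open; (q = strstr(q, tail)) != NULL; q++) close = q;
    if (!close || (size_t)(close - open) >= sizeof(out->sender_comm)) return -1;
    memcpy(out->sender_comm, open, (size_t)(close - open));
    out->sender_comm[close - open] = '\0';
    p = close + sizeof(tail) - 1;
    out->target = (int)strtol(p, &end, 10);
    return end == p ? -1 : 0;
}

int main(void)
{
    struct kill_rec r;
    for (size_t i = 0; i < sizeof(SAMPLES) / sizeof(*SAMPLES); i++)
        if (parse_kill_line(SAMPLES[i], &r) == 0)
            printf("%d (%s) -> %d\n", r.sender_pid, r.sender_comm, r.target);
    return 0;
}
```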
Conclusion
Although SIGKILL is designed to be unstoppable and untraceable, a small kernel modification enables administrators to log the origin of such kills, aiding in debugging and system reliability.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
