Glossary

libsystem_kernel.dylib

The thin user-space library that hosts every syscall stub on macOS — the layer between your C code and the SVC instruction.

libsystem_kernel.dylib is the lowest-level user-space library on macOS. Every syscall on the platform goes through a stub inside it. When you call open() in C, you're calling _open in this library, not the kernel directly.

A typical stub on arm64 is tiny:

_open:
    mov     x16, #5          ; SYS_open
    svc     #0x80
    b.cs    __cerror         ; on carry, jump to errno handler
    ret

It does three things: puts the syscall number in x16, issues the SVC instruction, and forwards the result (translating the carry flag into an errno return for BSD syscalls).
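As an added example (not code from this page or from Apple), the following C decodes the simplified stub shown above from raw A64 instruction words, recovering the syscall number loaded into x16 and whether a b.cs errno branch follows the svc. The function names and the sample instruction words are constructed for illustration, and the matcher assumes the exact three-instruction layout of the listing above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define A64_SVC_0X80 0xD4001001u        /* encoding of: svc #0x80 */

struct stub_info {
    size_t svc_index;    /* position of the svc word in the buffer */
    int    sysno;        /* immediate moved into x16, or -1 if not found */
    int    carry_check;  /* 1 if the svc is directly followed by b.cs */
};

/* movz x16, #imm16 (64-bit, no shift): returns imm16, or -1 on no match. */
static int movz_x16(uint32_t insn) {
    return ((insn & 0xFFE0001Fu) == 0xD2800010u) ? (int)((insn >> 5) & 0xFFFFu) : -1;
}

/* b.cs <label>: B.cond with condition field CS (0b0010). */
static int is_b_cs(uint32_t insn) {
    return (insn & 0xFF00001Fu) == 0x54000002u;
}

/* Describe up to max svc #0x80 sites in code[0..n); returns how many exist. */
size_t scan_syscall_stubs(const uint32_t *code, size_t n,
                          struct stub_info *out, size_t max) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (code[i] != A64_SVC_0X80)
            continue;
        if (found < max) {
            out[found].svc_index = i;
            out[found].sysno = (i > 0) ? movz_x16(code[i - 1]) : -1;
            out[found].carry_check = (i + 1 < n) && is_b_cs(code[i + 1]);
        }
        found++;
    }
    return found;
}

/* Constructed sample: mov x16,#5 ; svc #0x80 ; b.cs +8 (placeholder) ; ret */
static const uint32_t sample_open_stub[] = { 0xD28000B0u, 0xD4001001u, 0x54000042u, 0xD65F03C0u };

int main(void) {
    struct stub_info s;
    if (scan_syscall_stubs(sample_open_stub, 4, &s, 1) == 1)
        printf("svc@%zu sysno=%d b.cs=%d\n", s.svc_index, s.sysno, s.carry_check);
    return 0;
}
```

A site reported with sysno of -1 or carry_check of 0 does not match the stub shape in the listing and is worth inspecting by hand.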

libsystem_kernel.dylib is part of libSystem.B.dylib, which every Mach-O binary links against. In production it lives inside the dyld shared cache at /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_*, not as a separate file on disk. You can extract it for analysis with dyld-shared-cache-extractor or with the open-source dsc_extractor tool from Apple's dyld project.

For dynamic instrumentation, DYLD_INSERT_LIBRARIES-style hooking against libsystem_kernel.dylib is the classic technique for intercepting every syscall a process makes — though SIP, hardened runtime, and the library-validation flag block it on most modern binaries.