svc · unix #3
read
Reads up to nbyte bytes from a file descriptor into a user buffer.
Prototype
ssize_t read(int fildes, void *buf, size_t nbyte);
Returns: ssize_t: number of bytes read (0 = EOF, fewer than nbyte is a legal short read), or -1 with errno set on failure (EAGAIN, EBADF, EINTR, EINVAL, EISDIR, …)
Arguments
| Name | Type | Dir | Description |
|---|---|---|---|
| fildes | int | in | Open file descriptor (regular file, pipe/FIFO, socket, character device, …). A kqueue descriptor is not readable and read fails on it. |
| buf | void * | out | Caller-owned buffer of at least nbyte bytes. |
| nbyte | size_t | in | Maximum number of bytes to read. On macOS a value greater than INT_MAX is rejected with EINVAL (it is not silently capped); callers wanting to move more than that must loop. |
Version history
Present in every released XNU version: syscall number 3 is inherited from 4.4BSD and has never been renumbered.
User-space stub
arm64
; libsystem_kernel.dylib: _read
mov x16, #3 ; SYS_read
svc #0x80
b.cs __cerror
ret
x86_64
mov eax, 0x2000003 ; SYSCALL_CLASS_UNIX | 3
syscall
jb __cerror
ret
Examples
C — read with retry on EINTR
/* buf must be an array here (sizeof buf), not a pointer; retry only when a signal interrupted read(2) before any byte was transferred */
ssize_t n;
do { n = read(fd, buf, sizeof buf); }
while (n < 0 && errno == EINTR);
Notes
read(2) is dispatched by the read() handler in bsd/kern/sys_generic.c, which looks up the fileproc for fd, moves up to nbyte bytes through the file-type-specific fo_read vector (vn_read for vnodes, soo_read for sockets, pipe_read for pipes), and returns the number of bytes actually transferred. That count may be smaller than nbyte (a short read) on pipes, sockets and terminals and when EOF is near, so callers that need a fixed amount must loop. A descriptor in O_NONBLOCK mode with no data ready fails immediately with EAGAIN, which user space sees as -1 with errno == EAGAIN; XNU does not return negative errno values the way Linux does.
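A fuller version of the EINTR retry idiom in Examples, written for this page as an added example (it is not code from libsystem_kernel, XNU or any project the page describes): read_full() handles every case the Notes describe (short reads, EINTR, EAGAIN on an O_NONBLOCK descriptor, EOF) and clamps each request to INT_MAX, the limit macOS enforces with EINVAL. The function and helper names are the example's own, and the pipe, payload and chunk sizes in the self-test are constructed so the reader's non-blocking end actually observes short reads and EAGAIN.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* read_full: read exactly `len` bytes from `fd` unless EOF arrives first.
 * Handles short reads, EINTR, and EAGAIN/EWOULDBLOCK on O_NONBLOCK descriptors
 * (by waiting in poll(2) until the fd is readable), and never passes a request
 * larger than INT_MAX to read(2), which macOS rejects with EINVAL.
 * Returns the byte count (fewer than `len` means EOF), or -1 with errno set. */
ssize_t read_full(int fd, void *buf, size_t len)
{
    unsigned char *p = buf;
    size_t done = 0;
    while (done < len) {
        size_t want = len - done;
        if (want > INT_MAX)
            want = INT_MAX;             /* macOS: nbyte > INT_MAX -> EINVAL */
        ssize_t n = read(fd, p + done, want);
        if (n > 0) {
            done += (size_t)n;          /* short read: loop for the rest */
            continue;
        }
        if (n == 0)
            break;                      /* EOF: every writer closed its end */
        if (errno == EINTR)
            continue;                   /* signal arrived first: just retry */
        if (errno == EAGAIN || errno == EWOULDBLOCK) {
            struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
            if (poll(&pfd, 1, -1) < 0 && errno != EINTR)
                return -1;
            continue;                   /* data (or HUP) is now pending */
        }
        return -1;                      /* EBADF, EIO, EISDIR, ... */
    }
    return (ssize_t)done;
}

/* Constructed sample payload for the self-test (not from any real capture). */
static const char kPayload[] = "svc #0x80 read(2) sample payload: 0123456789abcdef";
#define PAYLOAD_LEN (sizeof kPayload - 1)

/* Forks a writer child that dribbles kPayload into a pipe in 7-byte chunks with
 * pauses, so the parent's O_NONBLOCK read end sees both short reads and EAGAIN.
 * Returns 1 if read_full reassembles the payload and then reports EOF, else 0. */
int selftest_pipe_roundtrip(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return 0;
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {                     /* writer */
        close(fds[0]);
        for (size_t off = 0; off < PAYLOAD_LEN; off += 7) {
            size_t chunk = PAYLOAD_LEN - off < 7 ? PAYLOAD_LEN - off : 7;
            if (write(fds[1], kPayload + off, chunk) != (ssize_t)chunk)
                _exit(1);
            struct timespec ts = { 0, 2 * 1000 * 1000 };   /* 2 ms pause */
            nanosleep(&ts, NULL);
        }
        _exit(0);                       /* exiting closes fds[1]: reader gets EOF */
    }
    close(fds[1]);                      /* reader must not hold the write end */
    fcntl(fds[0], F_SETFL, fcntl(fds[0], F_GETFL) | O_NONBLOCK);

    char got[PAYLOAD_LEN + 1];
    memset(got, 0, sizeof got);
    ssize_t n = read_full(fds[0], got, PAYLOAD_LEN);
    char extra;
    ssize_t at_eof = read_full(fds[0], &extra, 1);   /* 0 once the writer exits */
    close(fds[0]);

    int status = 0;
    waitpid(pid, &status, 0);
    return n == (ssize_t)PAYLOAD_LEN
        && memcmp(got, kPayload, PAYLOAD_LEN) == 0
        && at_eof == 0
        && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* Returns 1 if read_full reports a bad descriptor as -1 / EBADF instead of looping. */
int selftest_bad_fd(void)
{
    char c;
    errno = 0;
    return read_full(-1, &c, 1) == -1 && errno == EBADF;
}

int main(void)
{
    printf("pipe roundtrip: %s\n", selftest_pipe_roundtrip() ? "ok" : "FAIL");
    printf("bad fd:         %s\n", selftest_bad_fd() ? "ok" : "FAIL");
    return 0;
}
```

The design point is that EAGAIN is the only error on which the loop waits rather than retrying immediately: spinning on a non-blocking descriptor burns a core, and poll(2) also returns on POLLHUP, so the subsequent read sees the 0-byte EOF instead of hanging forever.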
Detection
The Endpoint Security framework has no per-read event: ES_EVENT_TYPE_NOTIFY_READDIR covers directory enumeration only, and KAUTH's vnode scope (KAUTH_VNODE_READ_DATA) is evaluated when the file is opened, not on each read(2). In practice detection pivots on the preceding open (ES_EVENT_TYPE_AUTH_OPEN / ES_EVENT_TYPE_NOTIFY_OPEN, which carry the path and the requesting process) or on tracing with DTrace's syscall::read:entry probe or fs_usage; note that System Integrity Protection limits DTrace's visibility into protected processes.
Malware usage
Used universally — distinctive only when combined with descriptors pulled from suspicious sources (e.g. /dev/urandom for keystream init, /Library/Keychains/* for credential theft).
Related APIs
MITRE ATT&CK
Last verified: 2026-05-25