BSD syscall #362 · Introduced in macOS 10.3 Panther

svc · unix #362

kqueue

Allocates a new kernel event queue and returns a file descriptor referring to it.

Prototype

int kqueue(void);

Returns: int — kqueue descriptor, -1 with errno on failure

Version history

Not present in any released XNU version.

User-space stub

arm64

mov     x16, #362
svc     #0x80
b.cs    __cerror
ret

x86_64

mov     eax, 0x200016A  ; SYSCALL_CLASS_UNIX | 362
syscall
jb      __cerror
ret

Examples

C — watch a file for writes

#include <sys/types.h>
#include <sys/event.h>
#include <sys/time.h>

int kq = kqueue();                      /* -1 with errno on failure */
struct kevent change;                   /* fd: an already-open descriptor for the file */
EV_SET(&change, fd, EVFILT_VNODE, EV_ADD | EV_CLEAR, NOTE_WRITE, 0, NULL);
kevent(kq, &change, 1, NULL, 0, NULL);  /* register only; a later kevent() call waits */

Notes

kqueue is the macOS / BSD counterpart of Linux's epoll. Subscriptions are registered on the returned fd via kevent / kevent64 / kevent_qos, which cover file, signal, timer, process, Mach-port and user events. libdispatch and Foundation run loops sit on top of kqueue under the hood.
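A complete watcher built around the registration shown under Examples, added here as an illustration and not code from this page or its project: it opens the file, creates the kqueue, subscribes to NOTE_WRITE with EV_CLEAR and then blocks in a second kevent() call with a timeout. The forked child that produces the write, the temp-file path, the names watch_for_write and self_test, and the ENOSYS stub for hosts without kqueue are all this example's own assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#if defined(__APPLE__) || defined(__FreeBSD__)
#include <sys/types.h>
#include <sys/event.h>
#include <sys/time.h>
#define HAVE_KQUEUE 1
#else
#define HAVE_KQUEUE 0   /* Linux etc.: the stub below reports ENOSYS (assumed fallback) */
#endif
#ifndef O_EVTONLY
#define O_EVTONLY O_RDONLY   /* O_EVTONLY is a macOS extension; FreeBSD watches a plain read fd */
#endif

/* Block until EVFILT_VNODE reports NOTE_WRITE on `path`, for at most
 * timeout_ms. Returns 1 if a write was delivered, 0 on timeout, -1 on error
 * with errno set (ENOSYS when the build host has no kqueue). */
int watch_for_write(const char *path, int timeout_ms)
{
#if HAVE_KQUEUE
    int fd = open(path, O_EVTONLY);
    if (fd < 0)
        return -1;
    int kq = kqueue();
    if (kq < 0) {
        int e = errno; close(fd); errno = e;
        return -1;
    }
    /* EV_ADD attaches the filter; EV_CLEAR re-arms it after each delivery
     * instead of leaving it permanently signalled. */
    struct kevent change;
    EV_SET(&change, fd, EVFILT_VNODE, EV_ADD | EV_CLEAR, NOTE_WRITE, 0, NULL);
    int rc = -1;
    if (kevent(kq, &change, 1, NULL, 0, NULL) == 0) {
        struct timespec ts = { timeout_ms / 1000, (timeout_ms % 1000) * 1000000L };
        struct kevent out;
        int n = kevent(kq, NULL, 0, &out, 1, &ts);   /* wait for one event */
        if (n == 0)
            rc = 0;                                   /* timeout, nothing happened */
        else if (n > 0 && (out.flags & EV_ERROR))
            errno = (int)out.data;                    /* per-event error from the kernel */
        else if (n > 0)
            rc = (out.fflags & NOTE_WRITE) ? 1 : 0;
    }
    int e = errno; close(kq); close(fd); errno = e;
    return rc;
#else
    (void)path; (void)timeout_ms;
    errno = ENOSYS;
    return -1;
#endif
}

/* Demonstration driver: a forked child appends one byte to a temp file after
 * a short delay while the parent is blocked in kevent(). Returns the
 * watch_for_write() result so it can be checked programmatically. */
int self_test(void)
{
    char path[] = "/tmp/kqueue_demo.XXXXXX";        /* constructed scratch file */
    int tmp = mkstemp(path);
    if (tmp < 0)
        return -1;
    close(tmp);
    pid_t child = fork();
    if (child < 0) {
        unlink(path);
        return -1;
    }
    if (child == 0) {
        struct timespec delay = { 0, 200000000L };   /* give the parent time to register */
        nanosleep(&delay, NULL);
        int w = open(path, O_WRONLY | O_APPEND);
        if (w >= 0) {
            (void)write(w, "x", 1);                  /* the constructed write event */
            close(w);
        }
        _exit(0);
    }
    int rc = watch_for_write(path, 3000);
    int e = errno;
    waitpid(child, NULL, 0);
    unlink(path);
    errno = e;
    return rc;
}

int main(void)
{
    int rc = self_test();
    if (rc == 1)
        puts("NOTE_WRITE delivered");
    else if (rc == 0)
        puts("timed out without an event");
    else
        perror("kqueue demo");
    return rc == 1 ? 0 : 1;
}
```

The EV_CLEAR flag matters for a long-lived watcher: without it the vnode filter stays signalled and every subsequent kevent() call returns immediately with the same event. Production code would loop on the waiting kevent() call and also subscribe to NOTE_DELETE / NOTE_RENAME so that the watched fd is reopened when the file is replaced rather than modified in place.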

Detection

Creation itself is unremarkable. Defenders should watch for processes registering EVFILT_PROC NOTE_FORK/NOTE_EXIT against unrelated PIDs (process snooping) or EVFILT_FS for filesystem-change monitoring used by stalkerware.
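The two heuristics from the note above, as an added example that runs over a constructed telemetry feed and is not code from this page: the record layout, the field names, the local NOTE_*_BIT values and the sample processes are all assumed, standing in for what a sensor that logs kevent() registrations together with the process tree would supply. An allow-list of legitimate EVFILT_FS subscribers is deliberately left for the deployer.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed encoding of one kevent() registration as a hypothetical sensor
 * might export it. Filter names match the real kqueue filters; the bit values
 * below are local to this example, not XNU's NOTE_* constants. */
enum { NOTE_FORK_BIT = 1u << 0, NOTE_EXIT_BIT = 1u << 1, NOTE_WRITE_BIT = 1u << 2 };

struct kq_registration {
    pid_t       pid;          /* process that called kevent() */
    const char *image;        /* its executable name */
    const char *filter;       /* "EVFILT_PROC", "EVFILT_FS", "EVFILT_VNODE", ... */
    unsigned    fflags;       /* bitmask of the local NOTE_*_BIT values */
    pid_t       target;       /* ident argument: a pid for EVFILT_PROC, 0 otherwise */
    pid_t       target_ppid;  /* parent of `target` from the process tree, 0 if n/a */
};

enum verdict { BENIGN = 0, SUSPECT_PROC_SNOOP = 1, SUSPECT_FS_MONITOR = 2 };

/* A process subscribing to fork/exit of a pid that is neither itself nor its
 * own child is treated as process snooping; any EVFILT_FS registration is
 * surfaced for review. */
enum verdict classify(const struct kq_registration *r)
{
    if (strcmp(r->filter, "EVFILT_PROC") == 0 &&
        (r->fflags & (NOTE_FORK_BIT | NOTE_EXIT_BIT)) &&
        r->target != r->pid && r->target_ppid != r->pid)
        return SUSPECT_PROC_SNOOP;
    if (strcmp(r->filter, "EVFILT_FS") == 0)
        return SUSPECT_FS_MONITOR;
    return BENIGN;
}

/* Constructed sample feed: a shell reaping its own child, a daemon watching a
 * config file, an unrelated process subscribing to another pid's lifecycle,
 * and a process subscribing to mount/unmount activity. */
static const struct kq_registration SAMPLE[] = {
    { 501, "zsh",       "EVFILT_PROC",  NOTE_EXIT_BIT,                 612, 501 },
    { 720, "configd",   "EVFILT_VNODE", NOTE_WRITE_BIT,                0,   0   },
    { 933, "helper",    "EVFILT_PROC",  NOTE_FORK_BIT | NOTE_EXIT_BIT, 444, 1   },
    { 940, "syncagent", "EVFILT_FS",    0,                             0,   0   },
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Print one line per registration that needs analyst attention and return
 * the number of hits. */
int scan_sample(void)
{
    int hits = 0;
    for (size_t i = 0; i < SAMPLE_LEN; i++) {
        enum verdict v = classify(&SAMPLE[i]);
        if (v == BENIGN)
            continue;
        hits++;
        printf("pid %d (%s): %s via %s (target pid %d)\n",
               (int)SAMPLE[i].pid, SAMPLE[i].image,
               v == SUSPECT_PROC_SNOOP ? "possible process snooping"
                                       : "filesystem-change monitoring",
               SAMPLE[i].filter, (int)SAMPLE[i].target);
    }
    return hits;
}

int main(void)
{
    return scan_sample() == 2 ? 0 : 1;
}
```

The parent-pid comparison is what keeps ordinary shells and supervisors out of the alert stream: they register NOTE_EXIT on processes they spawned, which the page treats as unremarkable, while a subscription to a pid with no parent relation to the subscriber is the signal worth escalating.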

Malware usage

Used by long-running implants to react to filesystem changes (drop-and-relaunch persistence) without busy-polling. NoiseStorm and CrateDepression both used kqueue+EVFILT_VNODE on their persistence path.

Related APIs

kevent · kevent64 · kevent_qos · kqueue_workloop_ctl

MITRE ATT&CK

Last verified: 2026-05-25