BSD syscall #4 · Introduced in macOS 10.0 Cheetah

svc · unix #4

write

Writes up to nbyte bytes from a user buffer to a file descriptor.

Prototype

ssize_t write(int fildes, const void *buf, size_t nbyte);

Returns: ssize_t — number of bytes written, -1 with errno on failure (EPIPE, EFBIG, EDQUOT, …)

Arguments

Name    Type          Dir  Description
fildes  int           in
buf     const void *  in
nbyte   size_t        in

Version history

Not present in any released XNU version.

User-space stub

arm64

mov     x16, #4
svc     #0x80
b.cs    __cerror
ret

x86_64

mov     eax, 0x2000004
syscall
jb      __cerror
ret

Notes

Counterpart to read(2). Goes through fo_write on the fileproc. Short writes are legal on sockets and pipes; callers must loop.
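
The caller-side loop that the note requires, as an added example (not code from this page or from XNU). The names write_all and demo_pipe are hypothetical; the loop also retries on EINTR and waits on EAGAIN for non-blocking descriptors, which goes slightly beyond the short-write case named above.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write exactly len bytes to fd. Returns 0 on success, -1 with errno set. */
int write_all(int fd, const void *buf, size_t len) {
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n > 0) { p += n; len -= (size_t)n; continue; }  /* short write: advance */
        if (n < 0 && errno == EINTR) continue;              /* signal, nothing written */
        if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) {
            struct pollfd pfd = { .fd = fd, .events = POLLOUT };
            if (poll(&pfd, 1, -1) < 0 && errno != EINTR) return -1;
            continue;                                       /* writable again: retry */
        }
        if (n == 0) errno = EIO;  /* assumption: treat zero progress as an error */
        return -1;
    }
    return 0;
}

/* Constructed demo: send `total` zero bytes through a non-blocking pipe to a
 * child reader. *first gets the result of one raw write(); returns 0 only if
 * the child counted exactly `total` bytes. */
int demo_pipe(size_t total, ssize_t *first) {
    int fds[2];
    char *data = calloc(1, total);
    if (!data || pipe(fds) < 0) { free(data); return -1; }
    pid_t pid = fork();
    if (pid < 0) { free(data); return -1; }
    if (pid == 0) {                       /* child: drain the pipe and count */
        char tmp[4096]; size_t got = 0; ssize_t r;
        close(fds[1]);
        while ((r = read(fds[0], tmp, sizeof tmp)) > 0) got += (size_t)r;
        _exit(got == total ? 0 : 1);
    }
    close(fds[0]);
    fcntl(fds[1], F_SETFL, O_NONBLOCK);
    *first = write(fds[1], data, total);  /* a single call: may be short */
    size_t done = *first > 0 ? (size_t)*first : 0;
    int rc = write_all(fds[1], data + done, total - done);
    close(fds[1]); free(data);
    int status = 0;
    waitpid(pid, &status, 0);
    return (rc == 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

With a payload larger than the pipe buffer, the single write() stored in *first comes back short, and only the loop delivers the remainder.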

Detection

Not directly observable through Endpoint Security for regular files; AUTH_WRITE only fires on specific filesystem paths via kauth. Network writes can be observed at the socket layer via NetworkExtension content filters.

Malware usage

Used by every dropper that writes a second-stage payload to disk. Look for writes to LaunchAgents/LaunchDaemons directories or to suspicious files in ~/Library/Application Support/.

Related APIs

writev, pwrite, send, sendto

MITRE ATT&CK

Last verified: 2026-05-25