BSD syscall #5 · Introduced in macOS 10.0 Cheetah

svc · unix #5

open

Opens or creates a file at the given path and returns a file descriptor referring to it.

Prototype

int open(const char *path, int oflag, ...);

Returns: int — file descriptor on success, -1 with errno set on failure

Arguments

| Name | Type | Dir | Description |
|------|------|-----|-------------|
| path | const char * | in | Filesystem path relative to the current working directory (or absolute). |
| oflag | int | in | Bitmask of O_RDONLY/O_WRONLY/O_RDWR plus optional creation/status flags (O_CREAT, O_EXCL, O_TRUNC, O_NONBLOCK, O_CLOEXEC, …). |
| mode | mode_t | in | File mode bits (only consulted when O_CREAT is set). |

Version history

Not present in any released XNU version.

User-space stub

arm64

; libsystem_kernel.dylib: _open
mov     x16, #5         ; SYS_open
svc     #0x80
b.cs    __cerror
ret

x86_64

; libsystem_kernel.dylib: _open
mov     eax, 0x2000005  ; SYSCALL_CLASS_UNIX | 5
syscall
jb      __cerror
ret

Examples

C — read-only open

int fd = open("/etc/hosts", O_RDONLY | O_CLOEXEC);
if (fd < 0) { perror("open"); return 1; }

Swift — create with mode

import Darwin
let fd = Darwin.open("/tmp/out.bin", O_WRONLY | O_CREAT | O_TRUNC, 0o644)
guard fd >= 0 else { perror("open"); exit(1) }

arm64 direct syscall

adrp    x0, Lpath@PAGE
add     x0, x0, Lpath@PAGEOFF
mov     w1, #0          ; O_RDONLY
mov     x16, #5         ; SYS_open
svc     #0x80

Notes

open(2) traps into the kernel through the BSD syscall path. The kernel resolves the path via VFS, allocates a fileproc + fileglob pair, and returns the lowest unused fd in the calling process. macOS adds the O_CLOEXEC, O_SYMLINK, O_EVTONLY and O_NOFOLLOW_ANY flags on top of the POSIX set.

Detection

Endpoint Security clients can subscribe to ES_EVENT_TYPE_NOTIFY_OPEN or ES_EVENT_TYPE_AUTH_OPEN. The kauth listener API exposes the same event at the KAUTH_SCOPE_FILEOP / KAUTH_FILEOP_OPEN scope. Both surface the resolved vnode path and the flags the caller requested.

Malware usage

Loaders routinely call open() directly to bypass higher-level Foundation APIs that may be hooked. The classic XCSSET / Silver Sparrow loaders open and mmap their payload manually to keep the dyld cache out of the picture.
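
A static complement to the runtime events under Detection, added here as an example (not code from the original page): a scanner that walks arm64 code bytes, flags every svc #0x80, and recovers the syscall number from the preceding mov x16, #imm, so a binary that embeds its own copy of the stub sequence shown earlier stands out during triage. The names find_direct_syscalls, svc_hit and LOOKBACK are hypothetical, and SAMPLE is constructed from the page's arm64 sequence.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SVC_0X80  0xD4001001u /* svc #0x80 */
#define MOVZ_MASK 0x7FE0001Fu /* opc, fixed bits, hw, Rd; ignores sf and imm16 */
#define MOVZ_R16  0x52800010u /* movz w16|x16, #imm16 with hw = 0 */
#define LOOKBACK  8           /* instructions searched before each svc (assumed) */
typedef struct { size_t svc_off; int sysno; } svc_hit;

/* arm64 instructions are 32-bit little-endian words. */
static uint32_t insn_at(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Record every svc #0x80 in code[0..len) with the immediate last moved into
 * x16 before it; sysno is -1 when no such load is found. Returns hit count. */
size_t find_direct_syscalls(const uint8_t *code, size_t len, svc_hit *out, size_t max) {
    size_t n = 0;
    for (size_t off = 0; off + 4 <= len && n < max; off += 4) {
        if (insn_at(code + off) != SVC_0X80) continue;
        out[n] = (svc_hit){ off, -1 };
        for (size_t k = 1; k <= LOOKBACK && k * 4 <= off; k++) {
            uint32_t prev = insn_at(code + off - k * 4);
            if (prev == SVC_0X80) break; /* earlier trap: stop searching */
            if ((prev & MOVZ_MASK) == MOVZ_R16) {
                out[n].sysno = (int)((prev >> 5) & 0xFFFF);
                break;
            }
        }
        n++;
    }
    return n;
}

/* Constructed sample: the page's direct-syscall sequence, then a bare svc. */
static const uint8_t SAMPLE[] = {
    0x01, 0x00, 0x80, 0x52, /* mov w1, #0   ; O_RDONLY */
    0xB0, 0x00, 0x80, 0xD2, /* mov x16, #5  ; SYS_open */
    0x01, 0x10, 0x00, 0xD4, /* svc #0x80 */
    0xC0, 0x03, 0x5F, 0xD6, /* ret */
    0x01, 0x10, 0x00, 0xD4, /* svc #0x80 with no x16 load in reach */
};
int main(void) {
    svc_hit hits[8];
    size_t n = find_direct_syscalls(SAMPLE, sizeof SAMPLE, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("svc at +0x%zx, x16 = %d\n", hits[i].svc_off, hits[i].sysno);
    return 0;
}
```

Run it over the bytes of a binary's executable sections; hits outside libsystem_kernel.dylib are the ones worth a closer look. Only the movz form of the x16 load is decoded, so other ways of setting x16 report -1.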

Related APIs

openat, open_nocancel, close, read, fcntl, guarded_open_np

MITRE ATT&CK

Last verified: 2026-05-25