svc · mach trap -31
mach_msg2_trap
Sends and/or receives a Mach message on a port. The Ventura-era replacement for mach_msg_trap that takes its options as a single packed argument.
Prototype
kern_return_t mach_msg2_trap(void *data, uint64_t options, uint64_t msgh_bits_and_send_size, uint64_t msgh_remote_and_local_port, uint64_t msgh_voucher_and_id, uint64_t desc_count_and_rcv_name, uint64_t rcv_size_and_priority, uint64_t timeout);
Returns: kern_return_t — KERN_SUCCESS or a MACH_SEND_*/MACH_RCV_* error
Arguments
| Name | Type | Dir | Description |
|---|---|---|---|
| data | void * | inout | Pointer to the outgoing message header (and inline data). Reused for the inbound message on a receive. |
| options | uint64_t | in | MACH_SEND_MSG / MACH_RCV_MSG flags ORed together. |
| msgh_bits_and_send_size | uint64_t | in | Packed: low 32 bits = msgh_bits, high 32 = send size. |
Version history
Not present in any released XNU version.
User-space stub
arm64
; libsystem_kernel.dylib: _mach_msg2_trap
mov x16, #-31 ; SYS_mach_msg2_trap
svc #0x80
ret
x86_64
; SYSCALL_CLASS_MACH | 31 → 0x100001F
mov eax, 0x100001F
syscall
ret
Notes
Introduced in macOS 13 Ventura to fold the seven-argument mach_msg_trap into a single SVC with packed arguments — important on arm64 where each trap argument costs a register. mach_msg() in libsystem_kernel now routes through mach_msg2_trap on Ventura+ and falls back to mach_msg_trap on older kernels.
Detection
Endpoint Security has no Mach IPC event. Detection relies on user-space instrumentation (interposing on libsystem_kernel.dylib through DYLD_INSERT_LIBRARIES) or, in research contexts, on enabling the lightweight DTrace mach_kernel::mach_msg2_trap probe.
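An added example (not from the original page or from XNU) of unpacking the trap's packed arguments into loggable fields, as user-space instrumentation would have to before it can report on a call. The struct and function names are hypothetical, the sample values are constructed, and the low/high order for every argument other than msgh_bits_and_send_size is an assumption read off the argument names.

```c
#include <stdint.h>
#include <stdio.h>
/* Values as defined in <mach/message.h>. */
#define MACH_SEND_MSG          0x00000001u
#define MACH_RCV_MSG           0x00000002u
#define MACH_MSGH_BITS_COMPLEX 0x80000000u

/* Hypothetical capture record: the seven register arguments after `data`. */
struct trap_args {
    uint64_t options, bits_size, ports, voucher_id, desc_rcvname, rcvsize_prio, timeout;
};

/* Hypothetical decoded view for one log line. */
struct decoded {
    int sends, receives, complex;
    uint32_t remote_disp, local_disp;   /* port-right dispositions in msgh_bits */
    uint32_t send_size, remote_port, local_port, voucher, msg_id;
    uint32_t desc_count, rcv_name, rcv_size, priority;
};

static uint32_t lo32(uint64_t v) { return (uint32_t)v; }
static uint32_t hi32(uint64_t v) { return (uint32_t)(v >> 32); }
/* Page: low 32 bits = msgh_bits, high 32 = send size. Assumption: the other
 * packed arguments also carry the first-named field in the low half. */
struct decoded decode_trap(struct trap_args a) {
    struct decoded d = {0};
    uint32_t bits = lo32(a.bits_size);
    d.sends = (a.options & MACH_SEND_MSG) != 0; d.receives = (a.options & MACH_RCV_MSG) != 0;
    d.complex = (bits & MACH_MSGH_BITS_COMPLEX) != 0; d.send_size = hi32(a.bits_size);
    d.remote_disp = bits & 0x1f;        /* MACH_MSGH_BITS_REMOTE_MASK */
    d.local_disp = (bits >> 8) & 0x1f;  /* MACH_MSGH_BITS_LOCAL_MASK, shifted down */
    d.remote_port = lo32(a.ports);        d.local_port = hi32(a.ports);
    d.voucher = lo32(a.voucher_id);       d.msg_id = hi32(a.voucher_id);
    d.desc_count = lo32(a.desc_rcvname);  d.rcv_name = hi32(a.desc_rcvname);
    d.rcv_size = lo32(a.rcvsize_prio);    d.priority = hi32(a.rcvsize_prio);
    return d;
}

/* Constructed sample (not captured data): send+receive of a 48-byte message. */
struct trap_args sample_args(void) {
    return (struct trap_args){ 0x3, (48ull << 32) | 0x1513, (0x2507ull << 32) | 0x1203,
                               (1000ull << 32), (0x2507ull << 32), 64, 0 };
}

int main(void) {
    struct decoded d = decode_trap(sample_args());
    printf("send=%d rcv=%d size=%u id=%u\n", d.sends, d.receives, d.send_size, d.msg_id);
    return 0;
}
```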
Malware usage
Anti-debug code uses mach_msg2_trap with task_get_special_port + send-rights forgery to detect ptrace attaches. CrashReporter-spoofing implants impersonate ReportCrash by stealing the exception port through this trap.
Last verified: 2026-05-25