
SysWhispers4

Python-based syscall stub generator for Windows AV/EDR evasion via direct and indirect system calls

Windows NT 3.1 through Windows 11 24H2 · x64 · x86 · WoW64 · ARM64

What is SysWhispers4?

SysWhispers4 is a command-line tool that generates C/ASM code for invoking Windows NT kernel functions directly through syscalls, bypassing user-mode hooks placed by AV/EDR products on ntdll.dll. It builds on the legacy of SysWhispers 1-3 with the most comprehensive set of SSN resolution strategies, invocation methods, and evasion capabilities to date.

Quick Start

Get up and running in minutes with basic syscall generation

Installation

Install SysWhispers4 and its dependencies

Command Reference

Complete CLI command documentation

API Reference

Generated C API functions and integration

Key Features

8 SSN Resolution Methods

Static, FreshyCalls, Hell’s Gate, Halo’s Gate, Tartarus’ Gate, SyscallsFromDisk, RecycledGate, and HW Breakpoint

4 Invocation Methods

Embedded (direct), Indirect, Randomized Indirect, and Egg Hunt

Multi-Architecture Support

x64, x86, WoW64, and ARM64 with full compiler support (MSVC, MinGW, Clang)

Advanced Evasion

XOR-encrypted SSNs, call stack spoofing, sleep encryption, ETW/AMSI bypass, and anti-debugging

Core Concepts

SSN Resolution

Learn how syscall numbers are resolved at runtime

Invocation Methods

Understand different ways to execute syscalls

Evasion Techniques

Explore techniques to evade AV/EDR detection

Quick Example

# Generate common syscalls with FreshyCalls resolution
python syswhispers.py --preset common

# Maximum evasion configuration
python syswhispers.py --preset stealth \
    --method randomized --resolve recycled \
    --obfuscate --encrypt-ssn --stack-spoof \
    --etw-bypass --amsi-bypass --unhook-ntdll \
    --anti-debug --sleep-encrypt

Integration Example

#include <windows.h>      // GetCurrentProcess, MEM_*/PAGE_* flags, PVOID/SIZE_T
#include "SW4Syscalls.h"  // generated header: SW4_Initialize, SW4_Nt* stubs, NTSTATUS/NT_SUCCESS

int main(void) {
    // Resolve syscall numbers (SSNs) once, before any SW4_Nt* call is made
    if (!SW4_Initialize()) return 1;

    // Call the NT function through the generated syscall stub instead of ntdll.dll
    PVOID base = NULL;
    SIZE_T size = 0x1000;
    NTSTATUS st = SW4_NtAllocateVirtualMemory(
        GetCurrentProcess(), &base, 0, &size,
        MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE
    );

    return NT_SUCCESS(st) ? 0 : 1;
}

For authorized security testing only. Use SysWhispers4 only on systems you own or have explicit written authorization to test. Unauthorized use is illegal in most jurisdictions.
