
Overview

SysWhispers4 is a command-line tool that generates NT syscall stubs with advanced EDR evasion capabilities. This reference documents all available command-line options and their usage.

Basic Syntax

python syswhispers.py [OPTIONS]
At least one of --preset or --functions is required.

Function Selection

You must specify which NT functions to include in the generated output using one or both of these options:

--preset / -p

Use predefined function sets optimized for common scenarios.
Syntax: --preset PRESET[,PRESET,...]
Type: String (comma-separated list)
Available Presets:
Preset        Functions  Description
common        25         General process/thread/memory operations
injection     20         Process/shellcode injection via APC, threads, sections
evasion       15         AV/EDR evasion queries and operations
token         6          Token manipulation
stealth       32         Maximum evasion: injection + evasion + unhooking
file_ops      7          File I/O via NT syscalls
transaction   7          Process doppelganging / transaction rollback
all           64         All supported functions
Examples:
# Single preset
python syswhispers.py --preset common

# Multiple presets (functions are merged)
python syswhispers.py --preset injection,evasion

# Short form
python syswhispers.py -p stealth

--functions / -f

Specify individual NT function names. Names must be among the supported functions (use --list-functions to print them).
Syntax: --functions FUNC[,FUNC,...]
Type: String (comma-separated list)
Examples:
# Single function
python syswhispers.py --functions NtAllocateVirtualMemory

# Multiple functions
python syswhispers.py --functions NtAllocateVirtualMemory,NtCreateThreadEx,NtWriteVirtualMemory

# Short form
python syswhispers.py -f NtAllocateVirtualMemory,NtProtectVirtualMemory
You can combine --preset and --functions to add extra functions to a preset:
python syswhispers.py --preset common --functions NtQueryObject

Target Configuration

--arch / -a

Target processor architecture.
Syntax: --arch ARCH
Type: Choice
Default: x64
Choices:
  • x64 - 64-bit Windows (most common)
  • x86 - 32-bit Windows
  • wow64 - 32-bit process on 64-bit Windows
  • arm64 - ARM64 Windows
Examples:
# 64-bit (default)
python syswhispers.py --preset common --arch x64

# 32-bit Windows
python syswhispers.py --preset common --arch x86

# WoW64 (32-bit app on 64-bit OS)
python syswhispers.py --preset common --arch wow64

--compiler / -c

Target compiler toolchain.
Syntax: --compiler COMPILER
Type: Choice
Default: msvc
Choices:
  • msvc - Microsoft Visual C++ with MASM assembler (generates .asm file)
  • mingw - MinGW with GAS inline assembly
  • clang - Clang with GAS inline assembly
Examples:
# MSVC (default)
python syswhispers.py --preset common --compiler msvc

# MinGW/GCC
python syswhispers.py --preset common --compiler mingw

# Clang
python syswhispers.py --preset common --compiler clang
MSVC generates a separate .asm file that requires MASM to be enabled in your project. MinGW/Clang use inline assembly in C files; compile them with the -masm=intel flag so the Intel-syntax assembly is accepted.

Techniques

--method / -m

Syscall invocation method. See Invocation Methods for detailed explanations.
Syntax: --method METHOD
Type: Choice
Default: embedded
Choices:
  • embedded - Direct syscall (syscall instruction in your stub)
  • indirect - Jump to syscall;ret gadget in ntdll
  • randomized - Jump to random syscall;ret gadget per call
  • egg - Egg marker replaced at runtime (no static syscall bytes)
Examples:
# Direct syscall (default)
python syswhispers.py --preset common --method embedded

# Indirect syscall
python syswhispers.py --preset injection --method indirect

# Randomized indirect
python syswhispers.py --preset stealth --method randomized

--resolve / -r

SSN (System Service Number) resolution method. See SSN Resolution Methods for detailed explanations.
Syntax: --resolve RESOLVE
Type: Choice
Default: freshycalls
Choices:
  • freshycalls - Sort ntdll's Zw* exports by address; each export's index in that order is its SSN, so no stub bytes are read (hook-resistant, default)
  • static - Embed SSNs from j00ru table at generation time (SSNs vary between Windows builds, so the table must cover the target build)
  • hells_gate - Read SSN from the mov eax, imm32 in the ntdll stub (fails if the stub is hooked)
  • halos_gate - Hell’s Gate + neighbor scan: walk to an unhooked neighboring stub and offset its SSN by the distance walked
  • tartarus - Handles near JMP and far JMP hooks
  • from_disk - Map a clean ntdll from KnownDlls and read SSNs from it (sidesteps user-mode inline hooks in the loaded copy; kernel-side telemetry is unaffected)
  • recycled - FreshyCalls + opcode validation (most resilient)
  • hw_breakpoint - Hardware breakpoints + VEH to extract SSN
Examples:
# FreshyCalls (default, recommended)
python syswhispers.py --preset common --resolve freshycalls

# Static resolution
python syswhispers.py --preset common --resolve static

# RecycledGate (most resilient)
python syswhispers.py --preset stealth --resolve recycled

# Load from disk (sidesteps user-mode inline hooks)
python syswhispers.py --preset injection --resolve from_disk
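The following Python model is an added example, not SysWhispers4 code, and serves both the --method and --resolve sections above: it lays out x64 syscall stubs the way ntdll does (32-byte stubs, Nt* and Zw* exports at the same address), plants two shapes of inline hook, then resolves SSNs with Hell's Gate, a Halo's/Tartarus-style neighbor walk and FreshyCalls, and finally scans for the syscall;ret gadgets that indirect and randomized jump to. The stub byte layout follows real x64 ntdll; the function names, SSN order, hook placement and image base are constructed for the demo and are not real Windows values.

```python
"""Added example (not SysWhispers4 code): a runnable model of the SSN
resolution and syscall-gadget techniques behind --resolve and --method."""
import random
import struct

STUB_SIZE = 32            # x64 ntdll places Zw stubs 32 bytes apart
BASE = 0x7FF800010000     # assumed image base for the fake module

# Constructed name -> SSN order for the demo (real SSNs differ per build).
SYSCALLS = [
    "NtAccessCheck", "NtWaitForSingleObject", "NtReadFile", "NtWriteFile",
    "NtClose", "NtQueryObject", "NtAllocateVirtualMemory",
    "NtProtectVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx",
]
# Constructed "EDR" hooks: name -> byte offset where a 5-byte JMP is written.
HOOKS = {"NtAllocateVirtualMemory": 0, "NtProtectVirtualMemory": 0,
         "NtWriteVirtualMemory": 3}


def clean_stub(ssn):
    """mov r10,rcx ; mov eax,SSN ; test byte ptr [7FFE0308h],1 ; jne +3 ;
    syscall ; ret ; int 2Eh ; ret  -- padded to 32 bytes like ntdll."""
    body = (b"\x4C\x8B\xD1" + b"\xB8" + struct.pack("<I", ssn)
            + b"\xF6\x04\x25\x08\x03\xFE\x7F\x01" + b"\x75\x03"
            + b"\x0F\x05" + b"\xC3" + b"\xCD\x2E" + b"\xC3")
    return body.ljust(STUB_SIZE, b"\xCC")


def hook_stub(stub, offset):
    """Inline hook: JMP rel32 at offset 0 (the Halo's Gate case) or after the
    3-byte mov r10,rcx at offset 3 (the extra case Tartarus Gate handles)."""
    return stub[:offset] + b"\xE9\x00\x00\x00\x00" + stub[offset + 5:]


def build_fake_ntdll(hooks):
    """Lay stubs out in SSN order; export Nt* and Zw* at the same RVA."""
    mem, exports = bytearray(), {}
    for ssn, name in enumerate(SYSCALLS):
        stub = clean_stub(ssn)
        if name in hooks:
            stub = hook_stub(stub, hooks[name])
        exports[name] = exports["Zw" + name[2:]] = len(mem)
        mem += stub
    return bytes(mem), exports


def hells_gate(stub):
    """Hell's Gate: read the imm32 of `mov eax, SSN` straight from the stub.
    Returns None when the expected prologue is gone (the stub is hooked)."""
    if stub[:4] == b"\x4C\x8B\xD1\xB8":
        return struct.unpack_from("<I", stub, 4)[0]
    return None


def halos_gate(mem, rva, max_walk=32):
    """Halo's/Tartarus Gate: when the target stub is hooked, walk to the
    nearest clean neighbour and correct its SSN by the distance walked
    (SSNs increase with address, one per 32-byte stub)."""
    ssn = hells_gate(mem[rva:rva + STUB_SIZE])
    if ssn is not None:
        return ssn
    for i in range(1, max_walk + 1):
        for sign in (1, -1):
            nb = rva + sign * i * STUB_SIZE
            if 0 <= nb < len(mem):
                nb_ssn = hells_gate(mem[nb:nb + STUB_SIZE])
                if nb_ssn is not None:
                    return nb_ssn - sign * i
    return None


def freshycalls(exports):
    """FreshyCalls: Zw* exports sit in memory in SSN order, so sorting them
    by address and numbering from 0 gives every SSN without reading a stub
    byte. Hooks patch bytes, not export addresses, hence hook-resistant."""
    zw = sorted((rva, n) for n, rva in exports.items() if n.startswith("Zw"))
    return {"Nt" + n[2:]: ssn for ssn, (_, n) in enumerate(zw)}


def find_syscall_gadgets(mem, base):
    """Every `syscall ; ret` (0F 05 C3) in the module. --method indirect jumps
    to one of these so the syscall instruction lives in ntdll, not the stub."""
    return [base + i for i in range(len(mem) - 2) if mem[i:i + 3] == b"\x0F\x05\xC3"]


def pick_gadget(gadgets, randomized):
    """indirect: one fixed gadget; randomized: a different gadget per call."""
    return random.choice(gadgets) if randomized else gadgets[0]


MEM, EXPORTS = build_fake_ntdll(HOOKS)

if __name__ == "__main__":
    for name in ("NtClose", "NtAllocateVirtualMemory", "NtWriteVirtualMemory"):
        rva = EXPORTS[name]
        print(name, hells_gate(MEM[rva:rva + STUB_SIZE]), halos_gate(MEM, rva),
              freshycalls(EXPORTS)[name])
    gadgets = find_syscall_gadgets(MEM, BASE)
    print(len(gadgets), "syscall;ret gadgets; indirect uses", hex(pick_gadget(gadgets, False)))
```

Running it shows the trade-off the option list describes: Hell's Gate returns None for the three hooked stubs, the neighbor walk recovers their SSNs from the nearest clean stub (for NtProtectVirtualMemory it has to skip both hooked neighbours and use the stub two slots up), and FreshyCalls gets every SSN right without looking at stub bytes at all. The hooks leave the syscall;ret sequence in place, which is why indirect and randomized can still borrow it.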

Evasion Options

See Evasion Options for detailed explanations of each technique.

--obfuscate

Randomize stub ordering and inject junk instructions.
Type: Boolean flag
Default: false
Effect: Makes static analysis and signature detection harder.
Example:
python syswhispers.py --preset common --obfuscate

--encrypt-ssn

XOR-encrypt SSN values at rest (decrypted at runtime).
Type: Boolean flag
Default: false
Effect: SSNs are stored XOR-encoded in the binary and only decoded when needed. This hides the SSN constants from static scanning; once decoded they are ordinary integers again, so it does not defeat a debugger or a memory scan of the running process.
Example:
python syswhispers.py --preset injection --encrypt-ssn

--stack-spoof

Include synthetic call stack frame helper.
Type: Boolean flag
Default: false
Effect: Reduces call stack anomalies that EDRs might detect, such as a syscall whose return address lies outside any loaded module or whose stack has no ntdll frame.
Example:
python syswhispers.py --preset stealth --stack-spoof

--etw-bypass

Include user-mode ETW writer patch.
Type: Boolean flag
Default: false
Effect: Generates SW4PatchEtw() function that patches the user-mode ETW event writer so the current process stops emitting ETW events. The patch is per-process and user-mode only; kernel-side ETW providers are unaffected.
Example:
python syswhispers.py --preset stealth --etw-bypass
ETW bypass is for authorized testing only. Use responsibly.

--amsi-bypass

Include AMSI bypass (patches AmsiScanBuffer).
Type: Boolean flag
Default: false
Effect: Generates SW4PatchAmsi() function that patches AmsiScanBuffer in the current process to bypass AMSI scanning. Like the ETW patch, it affects only the process it runs in.
Example:
python syswhispers.py --preset stealth --amsi-bypass

--unhook-ntdll

Include ntdll unhooking (remaps clean .text from KnownDlls).
Type: Boolean flag
Default: false
Effect: Generates SW4UnhookNtdll() function that overwrites the loaded ntdll's .text with the clean copy mapped from KnownDlls, removing user-mode inline hooks. Kernel callbacks and kernel ETW are not affected, and the write to ntdll's .text is itself observable.
Example:
python syswhispers.py --preset stealth --unhook-ntdll
Call SW4UnhookNtdll() before SW4Initialize() for best results.

--anti-debug

Include anti-debugging checks.
Type: Boolean flag
Default: false
Effect: Generates SW4AntiDebugCheck() function that detects debuggers using PEB, timing, heap flags, and debug port checks.
Example:
python syswhispers.py --preset stealth --anti-debug

--sleep-encrypt

Include sleep encryption (Ekko-style XOR .text during sleep).
Type: Boolean flag
Default: false
Effect: Generates SW4SleepEncrypt(ms) function that XOR-encrypts the .text section for the duration of the sleep, so memory scans that run while the code is idle see no plaintext code.
Example:
python syswhispers.py --preset stealth --sleep-encrypt

Output Options

--prefix

Prefix for all generated identifiers.
Syntax: --prefix PREFIX
Type: String
Default: SW4
Effect: All function names, types, and macros use this prefix. Syscall wrappers get PREFIX_ (e.g., SW4_NtAllocateVirtualMemory); helper functions get the bare prefix (e.g., SW4Initialize).
Examples:
# Default (SW4)
python syswhispers.py --preset common
# Generates: SW4_NtAllocateVirtualMemory, SW4Initialize, etc.

# Custom prefix
python syswhispers.py --preset common --prefix MyApp
# Generates: MyApp_NtAllocateVirtualMemory, MyAppInitialize, etc.

--out-file / -o

Output filename base (without extension).
Syntax: --out-file OUTFILE
Type: String
Default: <PREFIX>Syscalls (e.g., SW4Syscalls)
Examples:
# Default naming
python syswhispers.py --preset common
# Generates: SW4Syscalls.h, SW4Syscalls.c, SW4Syscalls.asm, SW4Syscalls_Types.h

# Custom basename
python syswhispers.py --preset common --out-file MySyscalls
# Generates: MySyscalls.h, MySyscalls.c, MySyscalls.asm, MySyscalls_Types.h
The .asm file is produced only for --compiler msvc; with mingw or clang the assembly is inlined in the .c file.

--out-dir

Output directory for generated files.
Syntax: --out-dir OUTDIR
Type: Path
Default: . (current directory)
Examples:
# Current directory (default)
python syswhispers.py --preset common

# Specific directory
python syswhispers.py --preset common --out-dir ./src/syscalls

# Absolute path
python syswhispers.py --preset common --out-dir /home/user/project/include

--syscall-table

Path to custom syscall table JSON (for --resolve static).
Syntax: --syscall-table PATH
Type: Path
Default: data/syscalls_nt_x64.json (bundled)
Examples:
# Use bundled table (default)
python syswhispers.py --preset common --resolve static

# Use custom table
python syswhispers.py --preset common --resolve static --syscall-table ./my_syscalls.json
This option only affects --resolve static. Run scripts/update_syscall_table.py to update the bundled table from j00ru’s repository.

Utility Options

--verbose / -v

Enable verbose output.
Type: Boolean flag
Default: false
Effect: Prints detailed information during generation, including stack traces on errors.
Example:
python syswhispers.py --preset common --verbose

--list-functions

Print all available function names and exit.
Type: Boolean flag
Example:
python syswhispers.py --list-functions
Sample output:
Available functions (62):
  NtAllocateVirtualMemory (5 params)
  NtCreateThreadEx (11 params)
  NtWriteVirtualMemory (5 params)
  ...

--list-presets

Print all available presets and exit.
Type: Boolean flag
Example:
python syswhispers.py --list-presets
Sample output:
Available presets:
  common         -- Common functions for process/thread/memory operations
                 (25 functions: NtAllocateVirtualMemory, NtFreeVirtualMemory, ...)
  injection      -- Functions for process/shellcode injection
                 (20 functions: NtAllocateVirtualMemory, NtCreateThreadEx, ...)
  ...

Complete Examples

Basic Usage

# Generate common functions with defaults
python syswhispers.py --preset common

Stealth Configuration

# Maximum evasion with all techniques
python syswhispers.py --preset stealth \
  --method randomized \
  --resolve recycled \
  --obfuscate \
  --encrypt-ssn \
  --stack-spoof \
  --etw-bypass \
  --amsi-bypass \
  --unhook-ntdll \
  --anti-debug \
  --sleep-encrypt

Custom Function Set

# Specific functions with indirect syscalls
python syswhispers.py \
  --functions NtAllocateVirtualMemory,NtCreateThreadEx,NtWriteVirtualMemory \
  --method indirect \
  --resolve from_disk \
  --obfuscate

Cross-Platform

# MinGW with indirect syscalls
python syswhispers.py --preset injection \
  --compiler mingw \
  --method indirect \
  --resolve freshycalls

Custom Output

# Custom prefix and output location
python syswhispers.py --preset common \
  --prefix MyApp \
  --out-file Syscalls \
  --out-dir ./src/native

Quick Reference Table

Option            Short  Type    Default            Description
--preset          -p     String  None               Preset function set
--functions       -f     String  None               Comma-separated function list
--arch            -a     Choice  x64                Target architecture
--compiler        -c     Choice  msvc               Compiler toolchain
--method          -m     Choice  embedded           Invocation method
--resolve         -r     Choice  freshycalls        SSN resolution method
--obfuscate              Flag    false              Randomize and obfuscate
--encrypt-ssn            Flag    false              XOR-encrypt SSNs
--stack-spoof            Flag    false              Spoof call stack
--etw-bypass             Flag    false              Include ETW bypass
--amsi-bypass            Flag    false              Include AMSI bypass
--unhook-ntdll           Flag    false              Include ntdll unhooking
--anti-debug             Flag    false              Include anti-debug checks
--sleep-encrypt          Flag    false              Include sleep encryption
--syscall-table          Path    data/...           Custom syscall table
--prefix                 String  SW4                Identifier prefix
--out-file        -o     String  <PREFIX>Syscalls   Output basename
--out-dir                Path    .                  Output directory
--verbose         -v     Flag    false              Verbose output
--list-functions         Flag    false              List functions and exit
--list-presets           Flag    false              List presets and exit
