
What is SSN Resolution?

System Service Numbers (SSNs) are the numeric identifiers that Windows uses to route syscalls to the correct kernel function. Each NT function has a unique SSN that can vary across Windows versions. When your code executes a syscall, the SSN must be placed in the eax register (or w8 on ARM64) before the syscall instruction:
mov eax, 0x18          ; SSN for NtAllocateVirtualMemory (Win10 x64)
syscall                ; Kernel entry with SSN in eax
SSN resolution is the process of determining the correct SSN value for each NT function at compile time or runtime.
SSNs change between Windows versions. NtAllocateVirtualMemory is 0x18 on Windows 10 21H2, but 0x16 on Windows 7 SP1.
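Seen from the detection side, the instruction pair above is also a byte signature: mov eax, imm32 (B8 plus four bytes) followed shortly by syscall (0F 05) inside an image other than ntdll.dll is worth triage. The scanner below is an added example, not SysWhispers4 code; find_syscall_stubs, the MAX_GAP and MAX_SSN bounds, and the sample buffer are constructed assumptions.

```python
import struct

MOV_EAX_IMM32 = 0xB8      # opcode byte of: mov eax, imm32
SYSCALL = b"\x0f\x05"     # encoding of: syscall
MAX_GAP = 16              # assumption: max bytes between the mov and the syscall
MAX_SSN = 0x0FFF          # assumption: upper bound for a plausible service number


def find_syscall_stubs(code: bytes, base: int = 0):
    """Heuristic scan of executable bytes taken from a non-ntdll image.

    Returns (address_of_mov, ssn, address_of_syscall) tuples. Hits are triage
    leads: B8 can also occur inside other instructions, so confirm with a
    disassembler before alerting.
    """
    hits = []
    i = 0
    while i + 5 <= len(code):
        if code[i] == MOV_EAX_IMM32:
            (imm,) = struct.unpack_from("<I", code, i + 1)
            if imm <= MAX_SSN:
                start = i + 5
                # syscall must begin within MAX_GAP bytes after the mov
                off = code.find(SYSCALL, start, start + MAX_GAP + 2)
                if off != -1:
                    hits.append((base + i, imm, base + off))
                    i = off + 2
                    continue
        i += 1
    return hits


# Constructed sample bytes (not taken from any real binary)
SAMPLE = (
    b"\x90\x90"
    b"\x4c\x8b\xd1"              # mov r10, rcx
    b"\xb8\x18\x00\x00\x00"      # mov eax, 0x18  (value quoted in the text above)
    b"\x0f\x05\xc3"              # syscall; ret   -> reported
    b"\xb8\x00\x10\x40\x00\xc3"  # mov eax, 0x401000; ret -> immediate too large
    b"\xb8\x01\x00\x00\x00"      # mov eax, 1 ...
    + b"\x90" * 20               # ... but the syscall is too far away
    + b"\x0f\x05\xc3"            # lone syscall with no nearby mov -> ignored
)

if __name__ == "__main__":
    for mov_at, ssn, sc_at in find_syscall_stubs(SAMPLE, base=0x1000):
        print(f"mov eax,{ssn:#x} at {mov_at:#x}, syscall at {sc_at:#x}")
```
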

Why Multiple Resolution Methods?

AV/EDR products place inline hooks on NT functions in ntdll.dll to monitor syscalls. Different resolution techniques vary in their ability to extract SSNs from hooked environments:
  • Static methods embed SSN tables at generation time — fast but detectable
  • Dynamic methods extract SSNs from ntdll at runtime — resistant to hooks but slower
  • Advanced methods use techniques like hardware breakpoints or clean disk copies — maximum evasion

Available Methods

SysWhispers4 provides 8 different SSN resolution strategies, each with different tradeoffs:

Static

Embedded j00ru table. Fastest, no runtime parsing. Low stealth.

Hell's Gate

Read SSN from opcode bytes. Fast but fails when hooked.

Halo's Gate

Neighbor scan (±8 stubs) when target is hooked.

Tartarus' Gate

Detects E9/FF25/EB/CC hooks. Scans ±16 neighbors.

FreshyCalls

Sort by VA — doesn’t read function bytes. Default method.

SyscallsFromDisk

Maps clean ntdll from \KnownDlls\. Bypasses ALL hooks.

RecycledGate

FreshyCalls + opcode validation. Most resilient.

HW Breakpoint

Debug registers + VEH. Captures SSN at execution.

Quick Comparison

| Method | Hook Resistance | Speed | Stealth | Use Case |
|---|---|---|---|---|
| Static | None | Fastest | Low | Quick testing, CTF |
| Hell’s Gate | Low | Fast | Medium | Lightly-hooked environments |
| Halo’s Gate | Medium | Fast | Medium | Moderate EDR presence |
| Tartarus’ Gate | High | Fast | High | Heavily-hooked EDR |
| FreshyCalls | Very High | Medium | High | Recommended default |
| SyscallsFromDisk | Maximum | Slow | Very High | Maximum evasion |
| RecycledGate | Maximum | Medium | Very High | Production red team ops |
| HW Breakpoint | Maximum | Slow | Very High | Advanced analysis evasion |

Recommended: Start with --resolve freshycalls (the default). Upgrade to recycled or from_disk if you encounter advanced EDR products.

Choosing the Right Method

For Quick Testing / CTF

python syswhispers.py --preset common --resolve static
Embedded table, no runtime overhead.

For Standard Red Team Operations

python syswhispers.py --preset injection --resolve freshycalls
Default method. Excellent hook resistance, fast runtime.

For Heavily-Hooked Environments

python syswhispers.py --preset stealth --resolve recycled
Double-validation (VA-sort + opcode check) ensures correct SSNs.

For Maximum Evasion

python syswhispers.py --preset stealth --resolve from_disk --unhook-ntdll
Maps clean ntdll from disk, completely bypassing all inline hooks.

Runtime Initialization

Dynamic resolution methods require calling SW4_Initialize() at startup:
#include "SW4Syscalls.h"

int main(void) {
    // Resolve SSNs at runtime
    if (!SW4_Initialize()) {
        // Failed to resolve SSNs
        return 1;
    }

    // SSNs are now resolved — safe to call syscalls
    PVOID base = NULL;
    SIZE_T size = 0x1000;
    SW4_NtAllocateVirtualMemory(
        GetCurrentProcess(), &base, 0, &size,
        MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE
    );

    return 0;
}
Static resolution (--resolve static) does not require SW4_Initialize() — SSNs are embedded at compile time.

Learn More

Detailed Method Reference

Complete documentation for all 8 resolution methods with usage examples.

FreshyCalls Deep Dive

In-depth explanation of the sort-by-VA technique and why it works.

RecycledGate Analysis

How RecycledGate combines multiple techniques for maximum reliability.

Hardware Breakpoint Method

Advanced VEH-based SSN extraction using debug registers.
