
Overview

SysWhispers4 is a Python-based syscall stub generator that produces C/ASM code for invoking NT kernel functions directly, bypassing user-mode hooks placed by AV/EDR products on ntdll.dll.
SysWhispers4 supports Windows NT 3.1 through Windows 11 24H2 across x64, x86, WoW64, and ARM64 architectures.

Why SysWhispers4?

Modern endpoint security products (AV/EDR) monitor suspicious API calls by placing hooks in user-mode libraries like ntdll.dll. When your program calls functions like VirtualAllocEx or CreateRemoteThread, the EDR intercepts these calls before they reach the kernel. SysWhispers4 bypasses these hooks by:
  • Generating syscall stubs that invoke NT functions directly via the syscall instruction
  • Never calling through hooked ntdll.dll functions
  • Providing 8 different SSN (System Service Number) resolution methods to handle various EDR hooking strategies
  • Offering 4 invocation techniques to evade detection at the syscall boundary

Key Capabilities

8 SSN Resolution Methods

From simple static tables to advanced hardware breakpoint extraction — bypass any hook

4 Invocation Techniques

Direct, indirect, randomized, and egg hunt methods to evade RIP-based detection

8 Evasion Features

ETW/AMSI bypass, ntdll unhooking, anti-debug, sleep encryption, and more

64 NT Functions

Comprehensive coverage of memory, process, thread, file, and token operations

Evolution: SysWhispers 1 → 4

SysWhispers4 builds on the lineage of SysWhispers, SysWhispers2, and SysWhispers3.

Major Improvements in v4

1. New SSN Resolution Methods

  • SyscallsFromDisk: Maps a clean ntdll from \KnownDlls — bypasses ALL hooks
  • RecycledGate: Combines FreshyCalls + opcode validation for maximum resilience
  • HW Breakpoint: Uses debug registers (DR0-DR3) + VEH to extract SSNs
  • Static + dynamic fallback: Hybrid approach for reliability

2. ARM64 Architecture Support

Full support for Windows on ARM using the svc #0 instruction and the w8 register for the SSN.

3. Advanced Evasion Techniques

  • AMSI bypass (patches AmsiScanBuffer)
  • ntdll unhooking (remaps a clean .text section from KnownDlls)
  • Anti-debugging (6 detection checks)
  • Sleep encryption (Ekko-style memory XOR during sleep)
  • Junk instruction injection (14 variants)
  • Stack spoofing (synthetic return addresses)

4. Fixed Randomized Indirect Bug

SW3’s randomized method had a register-corruption bug: rdtsc writes edx:eax, clobbering rdx, which holds the second argument under the x64 calling convention. SW4 saves rdx → r11 before rdtsc and restores it afterwards without touching the stack.

How It Works

1. Generate Syscall Stubs

Run SysWhispers4 to generate C/ASM files containing syscall stubs for your chosen NT functions:

  python syswhispers.py --preset common --method indirect --resolve freshycalls

2. Integrate Into Your Project

Add the generated files to your Visual Studio, MinGW, or Clang project. For MSVC, enable MASM support.

3. Initialize at Runtime

Call SW4_Initialize() to resolve syscall numbers using your chosen technique (FreshyCalls, Hell’s Gate, etc.).

4. Use NT Functions Directly

Call generated functions like SW4_NtAllocateVirtualMemory() — they bypass all user-mode hooks and invoke the kernel directly.

Architecture Overview

  Your Application
    │
    ▼
  SW4_NtAllocateVirtualMemory()   ← Generated stub
    mov r10, rcx                  ← Set up syscall ABI
    mov eax, [SSN]                ← Load syscall number
    syscall                       ← Direct kernel entry
    │
    ▼
  Windows Kernel (ntoskrnl.exe)
    Memory allocation performed

Traditional API call path (hooked by EDR):

  Your App → VirtualAllocEx → kernel32.dll → ntdll.dll (HOOKED) → kernel

SysWhispers4 path (bypasses hooks):

  Your App → SW4_NtAllocateVirtualMemory → syscall → kernel
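As an added example, not code from SysWhispers4 or its documentation, the following Python scanner looks for the stub shape drawn above in a code section: the sequence mov r10, rcx / mov eax, imm32 / syscall is expected inside ntdll.dll (and win32u.dll) but not in other modules, so finding it elsewhere is a detection signal for a hand-rolled syscall path. The sample section bytes are constructed and the SSN value 0x18 is a sample value, not one taken from any Windows build.

```python
import re
from typing import List, Tuple

# x64 encodings of the stub shape shown in the architecture overview above.
# These are standard Intel opcodes, not values taken from SysWhispers4 itself:
#   4C 8B D1        mov r10, rcx
#   B8 imm32        mov eax, <SSN>      (little-endian 32-bit immediate)
#   0F 05           syscall
# Up to 12 bytes are allowed between the SSN load and the syscall so that
# stubs carrying a few filler instructions still match.
STUB_PATTERN = re.compile(rb"\x4c\x8b\xd1\xb8(.{4}).{0,12}?\x0f\x05", re.DOTALL)


def find_syscall_stubs(blob: bytes) -> List[Tuple[int, int]]:
    """Return (offset, ssn) for every direct-syscall stub shape in the blob."""
    return [(m.start(), int.from_bytes(m.group(1), "little"))
            for m in STUB_PATTERN.finditer(blob)]


def flag_unexpected_stubs(module_name: str, blob: bytes) -> List[dict]:
    """Stubs of this shape belong in ntdll.dll (and win32u.dll); in any other
    module they indicate a hand-rolled syscall path worth investigating."""
    if module_name.lower() in ("ntdll.dll", "win32u.dll"):
        return []
    return [{"module": module_name, "offset": off, "ssn": ssn}
            for off, ssn in find_syscall_stubs(blob)]


# Constructed sample: a tiny fake .text section of a user binary containing
# ordinary code (NOPs / ret) around one minimal stub with SSN 0x18 (sample value).
SAMPLE_TEXT = (
    b"\x90\x90\xc3"                 # unrelated code
    + b"\x4c\x8b\xd1"               # mov r10, rcx
    + b"\xb8\x18\x00\x00\x00"       # mov eax, 0x18
    + b"\x0f\x05"                   # syscall
    + b"\xc3"                       # ret
    + b"\x90" * 4
)

if __name__ == "__main__":
    for hit in flag_unexpected_stubs("app.exe", SAMPLE_TEXT):
        print(f"{hit['module']}: direct syscall stub at +{hit['offset']:#x}, "
              f"SSN {hit['ssn']:#x}")
```

This byte-pattern check covers only the direct form; stubs built with the indirect or egg-hunt methods described on this page do not carry the syscall instruction themselves, so their detection relies on checking where the syscall actually returns to (call-stack and return-address inspection) rather than on scanning the module's bytes.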

Feature Comparison

Feature comparison across SW1, SW2, SW3 and SW4:

SSN Resolution
  • Static embedded table
  • Hell’s Gate
  • Halo’s Gate
  • Tartarus’ Gate (partial)
  • FreshyCalls
  • SyscallsFromDisk
  • RecycledGate
  • HW Breakpoint

Invocation
  • Embedded (direct)
  • Indirect
  • Randomized (buggy in SW3, fixed in SW4)
  • Egg hunt

Architecture
  • x64
  • x86
  • WoW64
  • ARM64

Compilers
  • MSVC (MASM)
  • MinGW/GCC
  • Clang

Evasion
  • Function hashing (DJB2)
  • Junk injection (14 variants)
  • XOR SSN encryption
  • Stack spoofing
  • ETW/AMSI bypass
  • ntdll unhooking
  • Anti-debugging
  • Sleep encryption

Coverage
  • Supported functions: ~12 (SW1), ~12 (SW2), ~35 (SW3), 64 (SW4)
  • Windows 11 24H2 (partial)
  • Server 2022/2025

Use Cases

Security Notice: SysWhispers4 is a security research and authorized penetration testing tool. Use only:
  • On systems you own or have explicit written authorization to test
  • In CTF competitions
  • For defensive research (understanding offensive techniques to improve detection)
  • For developing security product signatures
Unauthorized use is illegal in most jurisdictions.

Legitimate Applications

Red Team Operations

Authorized penetration testing and adversary simulation exercises

EDR Testing

Validate detection capabilities of endpoint security products

Security Research

Study syscall-based evasion techniques for defensive improvements

CTF Competitions

Capture-the-flag challenges requiring Windows exploitation

What’s Next?

Ready to get started? Follow the Installation guide to set up your environment, then jump to the Quick Start to generate your first syscall stubs.
