Skip to main content

What is syscalls-cpp?

syscalls-cpp is a C++20 policy-based framework for crafting undetectable/protected syscalls on Windows (x86/x64). It provides a modular, compile-time approach to system call invocation that gives you full control over operational security tradeoffs. The core principle is modularity. You are not given a black box; you are given building blocks.

Why syscalls-cpp?

Traditional syscall libraries often provide limited flexibility and can be easily detected by security software. syscalls-cpp addresses these challenges by:
  • Policy-based Design: Mix and match allocation, stub generation, and parsing strategies at compile-time
  • Automatic Resolution: Directly parses ntdll.dll metadata to resolve system call numbers
  • Hook Resilience: Leverages PE structure (exception directory on x64, sorted exports on x86) to bypass user-mode hooks
  • Adjacent Syscall Detection: Can find nearby syscalls if a target is patched
  • Type Safety: Leverages C++20 concepts for compile-time validation
SEC_NO_CHANGE protection demonstration
An attempt to patch a syscall in a SEC_NO_CHANGE protected section fails.

Architecture Overview

The framework is built around three core policy types:

Allocation Policies

Control how memory for syscall stubs is allocated:
PolicyMethodSecurity Level
allocator::sectionNtCreateSection with SEC_NO_CHANGE flagHighest - prevents patching
allocator::heapHeapCreate with HEAP_CREATE_ENABLE_EXECUTEMedium
allocator::memoryNtAllocateVirtualMemory (RWRX)Standard

Stub Generation Policies

Define how syscall instructions are generated:
PolicyMethodPlatform
generator::directClassic self-contained syscall instructionx86/x64
generator::gadgetJumps to syscall; ret gadget in ntdll.dllx64 only
generator::exceptionTriggers breakpoint (ud2) via custom VEHx86/x64

Parsing Policies

Determine how syscall numbers are resolved:
PolicyMethodNotes
parser::directoryMaps exception directory (.pdata) to exports (x64) or sorts Zw* exports (x86)Primary method
parser::signatureScans function prologues with hook detectionFallback with halo gates

Key Features

Compile-time Policy Selection

Choose allocation, generation, and parsing strategies at compile-time for zero runtime overhead

Extensible Design

Create custom policies by implementing simple C++20 concepts

Hook Detection

Automatically detects and bypasses common hooking techniques

Thread-safe

Built-in synchronization for safe concurrent usage

Example Usage

Here’s a simple example of allocating memory using direct syscalls with section-based protection: 
#include <syscalls-cpp/syscall.hpp>

int main() {
    syscall::Manager<
        syscall::policies::allocator::section,
        syscall::policies::generator::direct
    > syscallManager;
    
    if (!syscallManager.initialize()) {
        return 1;
    }
    
    PVOID pBaseAddress = nullptr;
    SIZE_T uSize = 0x1000;
    
    syscallManager.invoke<NTSTATUS>(
        SYSCALL_ID("NtAllocateVirtualMemory"),
        syscall::native::getCurrentProcess(),
        &pBaseAddress,
        0, &uSize,
        MEM_COMMIT | MEM_RESERVE,
        PAGE_READWRITE
    );
    
    return 0;
}

Next Steps

Installation

Install syscalls-cpp using vcpkg or Conan

Quick Start

Get started with a step-by-step guide

Build docs developers (and LLMs) love

Get started for freeTalk to us