Skip to main content

SysWhispers4

Python-based syscall stub generator for Windows AV/EDR evasion via direct and indirect system calls

Windows NT 3.1 through Windows 11 24H2 · x64 · x86 · WoW64 · ARM64

What is SysWhispers4?

SysWhispers4 is a command-line tool that generates C/ASM code for invoking Windows NT kernel functions directly through syscalls, bypassing user-mode hooks placed by AV/EDR products on ntdll.dll. It builds on the legacy of SysWhispers 1-3 with the most comprehensive set of SSN resolution strategies, invocation methods, and evasion capabilities to date.

Quick Start

Get up and running in minutes with basic syscall generation

Installation

Install SysWhispers4 and its dependencies

Command Reference

Complete CLI command documentation

API Reference

Generated C API functions and integration

Key Features

8 SSN Resolution Methods

Static, FreshyCalls, Hell’s Gate, Halo’s Gate, Tartarus’ Gate, SyscallsFromDisk, RecycledGate, and HW Breakpoint

4 Invocation Methods

Embedded (direct), Indirect, Randomized Indirect, and Egg Hunt

Multi-Architecture Support

x64, x86, WoW64, and ARM64 with full compiler support (MSVC, MinGW, Clang)

Advanced Evasion

XOR-encrypted SSNs, call stack spoofing, sleep encryption, ETW/AMSI bypass, and anti-debugging

Core Concepts

SSN Resolution

Learn how syscall numbers are resolved at runtime

Invocation Methods

Understand different ways to execute syscalls

Evasion Techniques

Explore techniques to evade AV/EDR detection

Quick Example

Integration Example

For authorized security testing only. Use SysWhispers4 only on systems you own or have explicit written authorization to test. Unauthorized use is illegal in most jurisdictions.