Overview
SysWhispers4 offers 8 SSN resolution methods, 4 invocation techniques, and 8 evasion options. This guide provides proven configurations for common scenarios.Quick Reference
Red Team (Maximum Evasion)
Use Case
- Long-term persistent access
- Bypass modern EDR (CrowdStrike, SentinelOne, Defender ATP)
- Avoid behavioral detection heuristics
- Red team assessments with strict rules of engagement
Configuration
What It Does
Integration Example
Build (MSVC)
Bypassing Heavily Hooked EDR
Use Case
- CrowdStrike Falcon hooks every
Nt*function - SentinelOne deep instrumentation
- Multiple security products on same endpoint
- Need guaranteed clean SSN resolution
Configuration
Why This Works
Problem: EDR hooks everyNt* stub in the loaded ntdll:
--resolve from_disk maps a clean copy from \KnownDlls\ntdll.dll:
Integration
CTF / Quick Testing
Use Case
- Capture The Flag competitions
- Local privilege escalation testing
- Quick prototyping
- Learning syscall techniques
Configuration
What You Get
- 25 functions: Process/thread/memory operations
- Default resolver: FreshyCalls (sort-by-VA, works on most systems)
- Default method: Embedded direct syscall (fastest)
- No evasion overhead: Clean, minimal code
Functions Included
Build (MinGW)
Static Analysis Evasion
Use Case
- Bypass sandbox static analysis
- Evade AV signature scans
- Submit to VirusTotal without immediate detection
- Avoid on-disk
syscallopcode signatures
Configuration
How It Works
At compile time:syscall opcode never appears in the on-disk binary.
Integration
Verification
Process Injection
Use Case
- Shellcode injection
- APC injection
- Section-based injection
- Thread hijacking
Configuration
Functions Included
Classic Injection Example
Token Manipulation
Use Case
- Privilege escalation
- Token impersonation
- SeDebugPrivilege enablement
- SYSTEM token theft
Configuration
Enable SeDebugPrivilege
Token Impersonation
Process Doppelganging
Use Case
- Execute code without creating suspicious process create events
- Bypass application whitelisting
- Evade process creation monitoring
Configuration
Functions Included
Basic Flow
Architecture-Specific Configs
ARM64 (Windows on ARM)
SVC #0 instruction with syscall number in w8 register.
x86 (32-bit)
sysenter instruction instead of syscall.
WoW64 (32-bit on 64-bit Windows)
Compiler-Specific Builds
MSVC (Default)
MinGW
.asm file.
Clang
Performance Comparison
Times measured on Intel i7-10700K @ 3.8GHz, Windows 11 23H2. Your mileage may vary.
Next Steps
- EDR Detection Vectors - Understand what each method evades
- ETW-Ti Limitations - Learn kernel-level detection boundaries
- Syscall Table Updates - Keep tables current with j00ru’s repo
