Skip to main content

Overview

SysWhispers4 offers 8 SSN resolution methods, 4 invocation techniques, and 8 evasion options. This guide provides proven configurations for common scenarios.

Quick Reference


Red Team (Maximum Evasion)

Use Case

  • Long-term persistent access
  • Bypass modern EDR (CrowdStrike, SentinelOne, Defender ATP)
  • Avoid behavioral detection heuristics
  • Red team assessments with strict rules of engagement

Configuration

What It Does

Integration Example

Build (MSVC)


Bypassing Heavily Hooked EDR

Use Case

  • CrowdStrike Falcon hooks every Nt* function
  • SentinelOne deep instrumentation
  • Multiple security products on same endpoint
  • Need guaranteed clean SSN resolution

Configuration

Why This Works

Problem: EDR hooks every Nt* stub in the loaded ntdll:
Solution: --resolve from_disk maps a clean copy from \KnownDlls\ntdll.dll:
The EDR never sees our SSN reads because we’re reading from an unhooked disk copy.

Integration


CTF / Quick Testing

Use Case

  • Capture The Flag competitions
  • Local privilege escalation testing
  • Quick prototyping
  • Learning syscall techniques

Configuration

What You Get

  • 25 functions: Process/thread/memory operations
  • Default resolver: FreshyCalls (sort-by-VA, works on most systems)
  • Default method: Embedded direct syscall (fastest)
  • No evasion overhead: Clean, minimal code

Functions Included

Build (MinGW)


Static Analysis Evasion

Use Case

  • Bypass sandbox static analysis
  • Evade AV signature scans
  • Submit to VirusTotal without immediate detection
  • Avoid on-disk syscall opcode signatures

Configuration

How It Works

At compile time:
At runtime:
Result: syscall opcode never appears in the on-disk binary.

Integration

Verification


Process Injection

Use Case

  • Shellcode injection
  • APC injection
  • Section-based injection
  • Thread hijacking

Configuration

Functions Included

Classic Injection Example


Token Manipulation

Use Case

  • Privilege escalation
  • Token impersonation
  • SeDebugPrivilege enablement
  • SYSTEM token theft

Configuration

Enable SeDebugPrivilege

Token Impersonation


Process Doppelganging

Use Case

  • Execute code without creating suspicious process create events
  • Bypass application whitelisting
  • Evade process creation monitoring

Configuration

Functions Included

Basic Flow


Architecture-Specific Configs

ARM64 (Windows on ARM)

Generates ARM64 assembly using SVC #0 instruction with syscall number in w8 register.

x86 (32-bit)

Uses sysenter instruction instead of syscall.

WoW64 (32-bit on 64-bit Windows)

Implements Heaven’s Gate transition to execute 64-bit syscalls from 32-bit code.

Compiler-Specific Builds

MSVC (Default)

Requires MASM enabled in Visual Studio: Project → Build Customizations → masm

MinGW

Uses GAS inline assembly instead of separate .asm file.

Clang


Performance Comparison

Times measured on Intel i7-10700K @ 3.8GHz, Windows 11 23H2. Your mileage may vary.

Next Steps