Overview
Before using any SysWhispers4 syscall functions, you must initialize the SSN (System Call Number) resolution mechanism usingSW4_Initialize().
SW4_Initialize
Resolves system call numbers for all generated NT functions using your chosen resolution method.Returns
TRUE— Successfully resolved all SSNsFALSE— Failed to resolve one or more SSNs
Description
This function performs the following based on your--resolve method:
Usage
When to Call
Example with unhooking:Thread Safety
Performance
SW4_HatchEggs
Only generated when using--method egg
Replaces 8-byte egg markers in syscall stubs with actual syscall instructions at runtime.
Description
When using egg hunt invocation (--method egg):
- Syscall stubs contain random 8-byte markers instead of
syscall(0F 05) on disk SW4_HatchEggs()scans the.textsection for these markers- Replaces each egg with
0F 05 90 90 90 90 90 90(syscall + NOPs) - Adjusts memory protection as needed
syscall opcode appears in the binary on disk.
Usage
When to Use
Egg hunt is useful when:- Static analysis tools flag
syscallopcodes in your binary - You want to pass initial file scanning without triggering alerts
- Combined with other obfuscation techniques
Egg hunt provides disk-time obfuscation only. Once hatched in memory, the
syscall opcodes are visible to memory scanners.Initialization Examples
Example 1: Minimal Setup (FreshyCalls)
Example 2: Maximum Evasion Setup
Example 3: Egg Hunt + Static SSNs
Example 4: Hardware Breakpoint Resolution
Troubleshooting
SW4_Initialize() Returns FALSE
Possible causes:- Ntdll is heavily hooked — Try
--resolve from_diskor--resolve recycled - Wrong architecture — Ensure you’re running x64 code on x64 Windows (or x86 on x86)
- Corrupted ntdll — Some packers/protectors modify ntdll structure
- Debug build on production Windows — SSN table may not match your Windows version
Crashes During Initialize
- Check privileges: Some resolution methods (e.g.,
from_disk) require reading\KnownDlls\ - SEH/VEH conflicts: If using
hw_breakpoint, ensure no other VEH handlers conflict - Memory corruption: Verify your compiler settings (MASM build customizations for MSVC)
Next Steps
Memory Functions
Allocate, read, write, and protect memory via syscalls
Evasion Helpers
SW4_PatchEtw, SW4_PatchAmsi, SW4_UnhookNtdll
