Skip to main content

Overview

Before using any SysWhispers4 syscall functions, you must initialize the SSN (System Call Number) resolution mechanism using SW4_Initialize().

SW4_Initialize

Resolves system call numbers for all generated NT functions using your chosen resolution method.

Returns

  • TRUE — Successfully resolved all SSNs
  • FALSE — Failed to resolve one or more SSNs

Description

This function performs the following based on your --resolve method:

Usage

When to Call

Call order matters! For best results:
  1. SW4_UnhookNtdll() (if using --unhook-ntdll) — removes hooks from ntdll
  2. SW4_Initialize() — resolves SSNs from now-clean ntdll
  3. SW4_PatchEtw() / SW4_PatchAmsi() (if using bypass features)
Example with unhooking:

Thread Safety

SW4_Initialize() is not thread-safe. Call it exactly once from your main thread before creating additional threads.

Performance

SW4_HatchEggs

Only generated when using --method egg Replaces 8-byte egg markers in syscall stubs with actual syscall instructions at runtime.

Description

When using egg hunt invocation (--method egg):
  1. Syscall stubs contain random 8-byte markers instead of syscall (0F 05) on disk
  2. SW4_HatchEggs() scans the .text section for these markers
  3. Replaces each egg with 0F 05 90 90 90 90 90 90 (syscall + NOPs)
  4. Adjusts memory protection as needed
Result: No syscall opcode appears in the binary on disk.

Usage

When to Use

Egg hunt is useful when:
  • Static analysis tools flag syscall opcodes in your binary
  • You want to pass initial file scanning without triggering alerts
  • Combined with other obfuscation techniques
Egg hunt provides disk-time obfuscation only. Once hatched in memory, the syscall opcodes are visible to memory scanners.

Initialization Examples

Example 1: Minimal Setup (FreshyCalls)

Example 2: Maximum Evasion Setup

Example 3: Egg Hunt + Static SSNs

Example 4: Hardware Breakpoint Resolution

Troubleshooting

SW4_Initialize() Returns FALSE

Possible causes:
  1. Ntdll is heavily hooked — Try --resolve from_disk or --resolve recycled
  2. Wrong architecture — Ensure you’re running x64 code on x64 Windows (or x86 on x86)
  3. Corrupted ntdll — Some packers/protectors modify ntdll structure
  4. Debug build on production Windows — SSN table may not match your Windows version
Solutions:

Crashes During Initialize

  • Check privileges: Some resolution methods (e.g., from_disk) require reading \KnownDlls\
  • SEH/VEH conflicts: If using hw_breakpoint, ensure no other VEH handlers conflict
  • Memory corruption: Verify your compiler settings (MASM build customizations for MSVC)

Next Steps

Memory Functions

Allocate, read, write, and protect memory via syscalls

Evasion Helpers

SW4_PatchEtw, SW4_PatchAmsi, SW4_UnhookNtdll