Skip to main content

Overview

SysWhispers4 provides multiple evasion flags that generate additional defensive and anti-analysis capabilities. These options go beyond syscall invocation and SSN resolution to provide comprehensive EDR/AV evasion. All evasion options are boolean flags (no arguments) that can be combined for layered defense.

Quick Reference


--obfuscate

Description

Randomizes stub ordering and injects junk instructions to make static analysis and signature detection more difficult.

Effects

  1. Stub Randomization - Syscall stubs are generated in random order instead of alphabetical
  2. Junk Instructions - Random NOPs, arithmetic operations, and stack adjustments inserted between real instructions
  3. Varied Patterns - Each generation produces different opcode sequences

Usage

Generated Code Comparison

Without obfuscation:
With obfuscation:

Advantages

Breaks static signatures - Different byte patterns each generation
Low overhead - Junk instructions are fast NOPs and arithmetic
Low detection risk - Obfuscation is common in legitimate software
Stacks with other options - Works with all invocation/resolution methods

When to Use

  • You want to evade signature-based detection
  • You’re concerned about static binary analysis
  • You want defense-in-depth
  • Recommended for all stealth configurations

Example


--encrypt-ssn

Description

XOR-encrypts the System Service Numbers (SSNs) at rest in the binary. SSNs are only decrypted at runtime when needed.

How It Works

  1. At generation time, a random XOR key is embedded in the code
  2. All SSN values are XOR-encrypted with this key
  3. At runtime, SW4Initialize() decrypts SSNs before use:

Usage

Generated Code

Advantages

SSNs hidden at rest - Binary doesn’t contain plaintext SSNs
Evades static scanning - AV can’t extract SSNs without running code
Minimal overhead - XOR is very fast
Random key - Each generation uses different key

Disadvantages

⚠️ Requires initialization - Must call SW4Initialize() before syscalls
⚠️ Memory contains plaintext - After decryption, SSNs are in memory

When to Use

  • You’re evading static binary analysis
  • You want to hide SSNs from signature scanners
  • You’re okay with runtime initialization

Example


--stack-spoof

Description

Includes helper functions to create synthetic call stack frames, reducing anomalies that EDRs might detect.

How It Works

EDRs analyze call stacks for suspicious patterns. --stack-spoof generates functions that manipulate the stack to create “normal-looking” return addresses.

Usage

Generated Functions

Example Usage

Call Stack Comparison

Without stack spoofing:
With stack spoofing:

Advantages

Reduces call stack anomalies - Makes stack traces look more legitimate
Configurable - You choose fake return addresses
Works with all invocation methods - Complements indirect/randomized

Disadvantages

⚠️ Manual usage required - You must call helper functions in your code
⚠️ Complex - Requires understanding of stack frames
⚠️ Still detectable - Advanced EDRs may see through simple spoofing

When to Use

  • You’re evading EDRs with call stack profiling
  • You want to blend in with normal execution
  • You’re willing to add helper function calls

Example


--etw-bypass

Description

Generates the SW4PatchEtw() function that patches Event Tracing for Windows (ETW) user-mode event writer to disable telemetry logging.
For authorized testing only. ETW bypass modifies system components and may trigger alerts.

How It Works

ETW is used by Windows and EDRs to log events (e.g., process creation, module loads). SW4PatchEtw() patches EtwEventWrite() in ntdll.dll to return immediately without logging:

Usage

Generated Function

Example Usage

Advantages

Disables telemetry - EDRs lose visibility into your actions
User-mode only - No kernel driver required
Effective - Many EDRs rely on ETW

Disadvantages

Highly suspicious - Patching ntdll is a red flag
May be detected - EDRs monitor for ntdll modifications
Requires write access - Must change memory protection on ntdll

When to Use

  • You’re in a controlled test environment
  • You know the EDR relies on ETW
  • You’re layering multiple evasion techniques
  • Use with caution - High detection risk

Detection Risk

EDRs can detect ETW patching by:
  1. Monitoring VirtualProtect() calls on ntdll
  2. Calculating checksums of ntdll functions
  3. Detecting when ETW stops reporting events

Example


--amsi-bypass

Description

Generates the SW4PatchAmsi() function that patches Antimalware Scan Interface (AMSI) to bypass script and memory scanning.
For authorized testing only. AMSI bypass modifies system components.

How It Works

AMSI is used by Windows Defender and other AVs to scan scripts (PowerShell, JScript) and memory. SW4PatchAmsi() patches AmsiScanBuffer() in amsi.dll to always return “clean”:

Usage

Generated Function

Example Usage

Advantages

Bypasses AV scanning - Windows Defender won’t scan your memory/scripts
Effective - Widely used technique
User-mode only - No kernel access required

Disadvantages

Well-known technique - EDRs specifically monitor AMSI patching
May be detected - Modifying amsi.dll is a red flag
Requires amsi.dll loaded - Target process must have AMSI initialized

When to Use

  • You’re executing PowerShell or .NET payloads
  • You need to bypass Windows Defender memory scanning
  • You’re in a test environment
  • Use with caution - Well-known technique

Detection Risk

EDRs can detect AMSI bypass by:
  1. Monitoring modifications to amsi.dll
  2. Checksumming AmsiScanBuffer()
  3. Hooking VirtualProtect() calls on amsi.dll

Example


--unhook-ntdll

Description

Generates the SW4UnhookNtdll() function that removes userland hooks from ntdll.dll by remapping a clean copy from \KnownDlls or disk.
For authorized testing only. Unhooking ntdll may trigger EDR alerts.

How It Works

  1. Load a clean copy of ntdll.dll from \KnownDlls\ntdll.dll or C:\Windows\System32\ntdll.dll
  2. Copy the clean .text section over the hooked ntdll in memory
  3. Flush instruction cache
  4. All hooks are removed

Usage

Generated Function

Example Usage

Call SW4UnhookNtdll() BEFORE SW4Initialize() for best results. This ensures SSN resolution uses clean ntdll.

Advantages

✅✅ Removes ALL userland hooks - EDR hooks are completely bypassed
Very effective - Works against most EDRs
Clean ntdll - Guaranteed correct function stubs

Disadvantages

Highly suspicious - Remapping ntdll is a major red flag
EDR may detect - Many EDRs monitor ntdll integrity
Requires memory operations - NtMapViewOfSection, VirtualProtect
Complex - Involves PE parsing and memory mapping

When to Use

  • You’re in a heavily hooked environment
  • You need to bypass EDR hooks completely
  • You’re combining with other evasion techniques
  • High risk, high reward

Detection Risk

EDRs can detect unhooking by:
  1. Monitoring NtMapViewOfSection() calls for ntdll
  2. Calculating checksums of ntdll sections
  3. Detecting when hooks stop working
  4. Memory integrity checks

Example


--anti-debug

Description

Generates the SW4AntiDebugCheck() function that detects debuggers using multiple techniques: PEB checks, timing analysis, heap flags, debug ports, and instrumentation callbacks.

How It Works

The function performs several checks:
  1. PEB.BeingDebugged - Checks PEB flag
  2. PEB.NtGlobalFlag - Checks for debugger artifacts
  3. Heap flags - Checks heap for debugger presence
  4. Debug port - Queries NtQueryInformationProcess for debug port
  5. Timing - Measures execution time to detect stepping
  6. Instrumentation callback - Checks for debug callbacks

Usage

Generated Function

Example Usage

Detection Methods

Advantages

Detects common debuggers - x64dbg, WinDbg, OllyDbg, etc.
Multiple checks - Harder to bypass all
Low overhead - Fast checks
Low detection risk - Anti-debug is common in legitimate software

Disadvantages

⚠️ Can be bypassed - Advanced debuggers can hide from these checks
⚠️ False positives - May trigger in some legitimate environments

When to Use

  • You want to prevent analysis/reverse engineering
  • You’re distributing to unknown environments
  • You want defense-in-depth
  • Recommended for production malware simulation

Example


--sleep-encrypt

Description

Generates the SW4SleepEncrypt(ms) function that encrypts the process’s .text section during sleep, then decrypts it upon waking (Ekko-style sleep obfuscation).

How It Works

  1. User calls SW4SleepEncrypt(milliseconds) instead of Sleep()
  2. Function:
    • Encrypts the entire .text section (XOR with random key)
    • Sleeps for the specified duration
    • Decrypts the .text section
    • Returns to caller
  3. During sleep, memory scanners see encrypted (garbage) bytes instead of code

Usage

Generated Function

Example Usage

Implementation

Advantages

Evades memory scanning - Code is encrypted during sleep
Defeats periodic scans - EDR scans see garbage bytes
Transparent - Automatically decrypts on wake
Ekko technique - Modern evasion method

Disadvantages

⚠️ Performance overhead - Encryption/decryption takes time
⚠️ Memory protection changes - VirtualProtect() may trigger alerts
⚠️ Detectable - Pattern of encrypt-sleep-decrypt can be profiled

When to Use

  • You’re sleeping between operations (e.g., C2 beacon)
  • You want to evade periodic memory scans
  • You’re implementing sleep obfuscation
  • Good for long-running implants

Detection Risk

EDRs can detect sleep encryption by:
  1. Monitoring VirtualProtect() patterns (RW → RX)
  2. Detecting timing of protection changes around Sleep()
  3. Memory snapshots before/after sleep

Example


Combining Evasion Options

Compatibility Matrix

All evasion options can be combined. Some work better together:

Maximum Stealth Configuration

Red Team Engagement:
Evading Advanced EDR:
C2 Beacon:
Research/Testing:

Runtime Initialization Order

When using multiple evasion options, initialization order matters:
Critical: Always call SW4UnhookNtdll() before SW4Initialize() for best results.

Detection Risk Summary

  • --obfuscate - Common obfuscation technique
  • --encrypt-ssn - Encrypted data at rest
  • --anti-debug - Legitimate software uses this

Medium Risk (Use with Caution)

  • --stack-spoof - Unusual but not alarming
  • --sleep-encrypt - Modern technique, less known

High Risk (Expect Detection)

  • --etw-bypass - Patching ntdll is a red flag
  • --amsi-bypass - Well-known technique, heavily monitored
  • --unhook-ntdll - Remapping ntdll is highly suspicious

Layered Defense

Combine multiple options to make detection harder:

See Also