Skip to main content

Overview

The System Service Number (SSN) is a unique identifier for each NT kernel service. When making a syscall, the CPU needs to know which kernel function to invoke, and the SSN serves as this index. SysWhispers4 supports 8 different methods for resolving SSNs at generation time or runtime. Each method offers different tradeoffs between:
  • Reliability - Works even when ntdll is hooked by EDR
  • Stealth - Avoids detection by behavioral analysis
  • Performance - Speed of resolution
  • Portability - Works across Windows versions
Use the --resolve flag to select a method.

Method Comparison

Recommended: Use freshycalls (default) for most scenarios, or recycled for maximum reliability.

Static

Description

Embeds SSNs directly into the generated code at generation time using a pre-built table from j00ru’s Windows syscall table.

How It Works

  1. During generation, SysWhispers4 reads data/syscalls_nt_x64.json
  2. SSNs for each Windows build are embedded as constants in the generated assembly
  3. At runtime, the correct SSN is selected based on ntdll.dll version number

Usage

Advantages

Instant resolution - No runtime overhead
No ntdll interaction - Doesn’t need to parse ntdll
Simple implementation - Just a lookup table

Disadvantages

Not hook-resistant - EDR hooks still affect the syscall itself
Requires updates - New Windows builds need table updates
Larger binary - Embeds multiple SSNs per function (one per Windows version)

When to Use

  • You know the exact target Windows version
  • You update the syscall table regularly with scripts/update_syscall_table.py
  • You want zero runtime overhead
  • You’re not concerned about EDR hooks

Example Output

Custom Syscall Table

You can provide your own syscall table:
Run python scripts/update_syscall_table.py to fetch the latest SSN table from j00ru’s repository.

FreshyCalls (Default)

Description

FreshyCalls sorts all Nt* exports from ntdll by their virtual address (VA). Since Windows allocates SSNs sequentially as functions are added to ntdll, sorting by address effectively reconstructs the SSN order.

How It Works

  1. At runtime, enumerate all exports from ntdll.dll starting with “Nt” or “Zw”
  2. Sort them by their virtual address (RVA)
  3. The index in the sorted list = SSN

Usage

This is the default if you don’t specify --resolve.

Advantages

Hook-resistant - Doesn’t read ntdll function bodies, so inline hooks don’t break it
Version-agnostic - Works on all Windows versions automatically
Fast - Simple sort operation
Widely used - Battle-tested technique

Disadvantages

⚠️ EDR visibility - Walking ntdll exports may trigger heuristics
⚠️ Assumption-based - Relies on Microsoft’s internal SSN allocation order

When to Use

  • You need hook resistance
  • You want to support multiple Windows versions without updates
  • You’re okay with some EDR visibility (export walking is common)
  • Recommended as default

Example Code

References


Hell’s Gate

Description

Hell’s Gate reads the SSN directly from the function stub in ntdll by parsing the machine code of the target function.

How It Works

  1. Resolve the address of the target NT function (e.g., NtAllocateVirtualMemory) in ntdll
  2. Read the first few bytes of the function
  3. Parse the mov eax, <SSN> instruction (opcodes: 4C 8B D1 B8 ?? 00 00 00)
  4. Extract the SSN from the instruction bytes

Usage

Advantages

Fast - Simple memory read
Accurate - Reads actual SSN from ntdll
Simple - Easy to understand and implement

Disadvantages

Fails if hooked - If EDR patches the function prologue, SSN extraction fails
Not resilient - Single point of failure
⚠️ Signature-prone - Opcode pattern matching is a known technique

When to Use

  • You’re in an unhooked environment
  • You need fast SSN resolution
  • You want simplicity over resilience

Example Code

Typical Syscall Stub

References


Halo’s Gate

Description

Halo’s Gate extends Hell’s Gate by scanning neighboring functions when the target function is hooked. It assumes that adjacent functions (by address) are likely unhooked and can be used to calculate the target SSN.

How It Works

  1. Try Hell’s Gate on the target function
  2. If the function is hooked (prologue is modified):
    • Scan downward (higher addresses) to find an unhooked Nt* function
    • Read its SSN
    • Calculate the target SSN by adding/subtracting the address offset

Usage

Advantages

More resilient than Hell’s Gate - Can handle some hooked functions
Automatic fallback - Scans neighbors if target is hooked
Version-agnostic - Works across Windows versions

Disadvantages

⚠️ Fails if neighbors are hooked - EDRs may hook multiple adjacent functions
⚠️ Assumption-based - Relies on SSN being sequential (usually true)
⚠️ Slower - Needs to scan multiple functions

When to Use

  • You expect some functions to be hooked
  • You need better reliability than Hell’s Gate
  • You’re okay with some scanning overhead

Example Code

References


Tartarus’ Gate

Description

Tartarus’ Gate is an evolution of Halo’s Gate that can handle both near JMP (E9) and far JMP (FF 25) hooks by following the jump to find the real function.

How It Works

  1. Check if the function starts with a JMP instruction:
    • E9 (near JMP, relative offset)
    • FF 25 (far JMP, indirect through memory)
  2. If hooked, follow the jump to the trampoline
  3. Try to extract the SSN from the trampoline or use Halo’s Gate on neighbors

Usage

Advantages

Handles JMP hooks - Works with inline hooking techniques
More resilient - Follows trampolines to find real function
Better EDR evasion - Avoids triggering hook detection

Disadvantages

⚠️ Complex - More code paths to handle
⚠️ Slower - Multiple resolution steps
⚠️ Still has limits - May fail with advanced hooking techniques

When to Use

  • You know the EDR uses JMP-based hooks
  • You need to handle inline hooks gracefully
  • You want a balance between complexity and resilience

Hook Detection

References


From Disk

Description

SyscallsFromDisk (also called “From Disk”) loads a clean copy of ntdll from \KnownDlls or disk and reads SSNs from it. This completely bypasses userland hooks since the loaded copy is untouched by EDR.

How It Works

  1. Open \KnownDlls\ntdll.dll (a clean, cached copy maintained by Windows)
  2. Map it into memory (separate from the hooked ntdll)
  3. Parse the clean ntdll to extract SSNs using Hell’s Gate or FreshyCalls
  4. Unmap the clean copy

Usage

Advantages

✅✅ Bypasses ALL userland hooks - Clean ntdll is never touched by EDR
Most reliable - Guaranteed to get correct SSNs
No opcode parsing issues - Clean stubs are always valid

Disadvantages

⚠️ Slower - Requires loading and parsing a DLL
⚠️ EDR visibility - Opening \KnownDlls or reading from disk is highly suspicious
⚠️ More complex - Requires manual PE parsing

When to Use

  • You’re in a heavily hooked environment
  • You need 100% reliable SSN resolution
  • You’re willing to accept the EDR visibility tradeoff

Example Code

Alternative: Load from Disk

If \KnownDlls access is blocked:

References


RecycledGate

Description

RecycledGate combines FreshyCalls (sorting by VA) with opcode validation (Hell’s Gate) to provide maximum reliability. It sorts functions by address, then validates the SSN by checking the actual syscall stub.

How It Works

  1. Use FreshyCalls to sort ntdll exports by address → get candidate SSN
  2. Use Hell’s Gate to read the actual SSN from the function stub
  3. Cross-validate: If both methods agree, the SSN is correct
  4. If they disagree, the function is hooked → use the FreshyCalls result (or flag as suspicious)

Usage

Advantages

✅✅ Most resilient - Combines two independent methods
Hook detection - Can detect when functions are hooked
Accurate - Validates SSNs for correctness
Fast - Only slightly slower than FreshyCalls alone

Disadvantages

⚠️ More complex - Implements two resolution methods
⚠️ Still visible - EDR can see export walking

When to Use

  • You want maximum reliability
  • You need to detect hooked functions
  • You want the best of both worlds (FreshyCalls + Hell’s Gate)
  • Recommended for stealth configurations

Example Code

References


Hardware Breakpoint

Description

HW Breakpoint uses hardware breakpoints and Vectored Exception Handling (VEH) to intercept the syscall instruction and extract the SSN from the EAX register at runtime.

How It Works

  1. Set a hardware breakpoint on the target NT function using debug registers (DR0-DR3)
  2. Register a Vectored Exception Handler (VEH) to catch EXCEPTION_SINGLE_STEP
  3. Call the NT function
  4. The breakpoint triggers before the syscall executes
  5. Read the SSN from the EAX register in the exception context
  6. Remove the breakpoint and continue execution

Usage

Advantages

✅✅ Bypasses all hooks - Reads SSN after EDR hook but before syscall
No opcode parsing - Directly reads CPU registers
Advanced technique - Uncommon, harder to detect

Disadvantages

Very complex - Requires VEH, debug registers, exception handling
Very slow - Triggering exceptions has overhead
EDR visibility - VEH registration and debug register use may trigger alerts
Debugger conflicts - Doesn’t work if a debugger is attached
Limited breakpoints - Only 4 hardware breakpoints available

When to Use

  • You want to experiment with advanced techniques
  • You’re researching new evasion methods
  • Not recommended for production - Too slow and complex

Example Code

References


Choosing the Right Method

Decision Tree

General Use (Default):
Maximum Stealth:
Heavily Hooked Environment:
Known Windows Version:

See Also