Skip to main content

What Are Evasion Techniques?

Beyond bypassing API hooks via direct syscalls, SysWhispers4 includes 8 additional evasion capabilities that help your code avoid detection by AV/EDR products, memory scanners, and security analysts. These techniques target different layers of the detection stack:
  • Static signatures (on-disk binary analysis)
  • Runtime memory scanning (periodic memory sweeps)
  • Call stack analysis (stack-walking EDR)
  • Behavioral monitoring (ETW, AMSI)
  • Dynamic analysis (debuggers, sandboxes)

Available Evasion Features

Obfuscation

Randomize stub order + inject 14 junk instruction variants.

SSN Encryption

XOR-encrypt syscall numbers at rest. Decrypt just before use.

Stack Spoofing

Synthetic return addresses from ntdll for call stack walkers.

ETW Bypass

Patch EtwEventWrite to suppress user-mode telemetry.

AMSI Bypass

Patch AmsiScanBuffer to return E_INVALIDARG.

ntdll Unhooking

Remap clean .text section from \KnownDlls\ to remove ALL hooks.

Anti-Debug

6 detection checks: PEB, timing, heap flags, debug port.

Sleep Encryption

Ekko-style XOR .text section during sleep to evade memory scans.

Quick Comparison

Evasion Layers

Layer 1: Static Detection (Disk)

Obfuscation (--obfuscate) mutates your binary to evade signature-based detection:
  • Stub reordering: Randomize function order in the .text section
  • Junk instructions: Insert 14 variants of harmless opcodes between real instructions
SSN Encryption (--encrypt-ssn) XORs all SSN values with a random compile-time key:

Layer 2: Runtime Detection (Memory)

Sleep Encryption (--sleep-encrypt) protects your code during sleep periods:
Benefits:
  • Memory scanners see encrypted gibberish during sleep
  • YARA signatures don’t match encrypted code
  • Periodic module scans fail
ntdll Unhooking (--unhook-ntdll) removes ALL inline hooks:
Replaces the hooked .text section with a pristine copy from disk.

Layer 3: Behavioral Monitoring

ETW Bypass (--etw-bypass) suppresses user-mode Event Tracing for Windows:
This only bypasses user-mode ETW. Kernel-mode ETW-Ti (Microsoft-Windows-Threat-Intelligence) operates at the kernel level and cannot be bypassed from user-mode.
AMSI Bypass (--amsi-bypass) disables script content scanning:
Useful when executing PowerShell, VBScript, or other AMSI-instrumented content.

Layer 4: Call Stack Analysis

Stack Spoofing (--stack-spoof) makes your call chain appear legitimate to stack-walking EDR:
The spoofed return address points into ntdll, hiding the real caller.

Layer 5: Analysis Environments

Anti-Debug (--anti-debug) detects debuggers and instrumentation:
6 detection techniques:

Minimum Stealth (Quick Testing)

No extra evasion. Fast generation and execution.

Standard Red Team

Basic obfuscation + encrypted SSNs. Good balance.

High Evasion

Multi-layer evasion: obfuscation + encryption + stack spoofing + unhooking.

Maximum Evasion (All Techniques)

Every evasion feature enabled. Slowest generation, highest stealth.

Integration Example

Detection Vectors Not Addressed

SysWhispers4 is a user-mode evasion tool. It does not bypass:
  • Kernel-mode ETW-Ti callbacks — requires kernel driver or exploit
  • Kernel-mode syscall hooks — requires SSDT/inline kernel hooks (rare)
  • Virtualization-based security (VBS) — Credential Guard, HVCI
  • Network traffic analysis — C2 communication patterns
  • Endpoint behavioral heuristics — post-exploitation activity patterns
Use SysWhispers4 as part of a layered evasion strategy, not a silver bullet.

Learn More

Evasion Options Reference

Detailed documentation for all 8 evasion flags with code examples.

Sleep Encryption Deep Dive

In-depth analysis of Ekko-style memory encryption technique.

Stack Spoofing Internals

How synthetic call frames bypass stack-walking EDR products.

EDR Detection Analysis

Comprehensive breakdown of what modern EDR can and cannot detect.