What Are Evasion Techniques?
Beyond bypassing API hooks via direct syscalls, SysWhispers4 includes 8 additional evasion capabilities that help your code avoid detection by AV/EDR products, memory scanners, and security analysts. These techniques target different layers of the detection stack:- Static signatures (on-disk binary analysis)
- Runtime memory scanning (periodic memory sweeps)
- Call stack analysis (stack-walking EDR)
- Behavioral monitoring (ETW, AMSI)
- Dynamic analysis (debuggers, sandboxes)
Available Evasion Features
Obfuscation
Randomize stub order + inject 14 junk instruction variants.
SSN Encryption
XOR-encrypt syscall numbers at rest. Decrypt just before use.
Stack Spoofing
Synthetic return addresses from ntdll for call stack walkers.
ETW Bypass
Patch
EtwEventWrite to suppress user-mode telemetry.AMSI Bypass
Patch
AmsiScanBuffer to return E_INVALIDARG.ntdll Unhooking
Remap clean
.text section from \KnownDlls\ to remove ALL hooks.Anti-Debug
6 detection checks: PEB, timing, heap flags, debug port.
Sleep Encryption
Ekko-style XOR
.text section during sleep to evade memory scans.Quick Comparison
Evasion Layers
Layer 1: Static Detection (Disk)
Obfuscation (--obfuscate) mutates your binary to evade signature-based detection:
- Stub reordering: Randomize function order in the
.textsection - Junk instructions: Insert 14 variants of harmless opcodes between real instructions
--encrypt-ssn) XORs all SSN values with a random compile-time key:
Layer 2: Runtime Detection (Memory)
Sleep Encryption (--sleep-encrypt) protects your code during sleep periods:
- Memory scanners see encrypted gibberish during sleep
- YARA signatures don’t match encrypted code
- Periodic module scans fail
--unhook-ntdll) removes ALL inline hooks:
.text section with a pristine copy from disk.
Layer 3: Behavioral Monitoring
ETW Bypass (--etw-bypass) suppresses user-mode Event Tracing for Windows:
--amsi-bypass) disables script content scanning:
Layer 4: Call Stack Analysis
Stack Spoofing (--stack-spoof) makes your call chain appear legitimate to stack-walking EDR:
Layer 5: Analysis Environments
Anti-Debug (--anti-debug) detects debuggers and instrumentation:
Recommended Configurations
Minimum Stealth (Quick Testing)
Standard Red Team
High Evasion
Maximum Evasion (All Techniques)
Integration Example
Detection Vectors Not Addressed
Learn More
Evasion Options Reference
Detailed documentation for all 8 evasion flags with code examples.
Sleep Encryption Deep Dive
In-depth analysis of Ekko-style memory encryption technique.
Stack Spoofing Internals
How synthetic call frames bypass stack-walking EDR products.
EDR Detection Analysis
Comprehensive breakdown of what modern EDR can and cannot detect.
