Skip to main content

Overview

SysWhispers4 is a Python-based syscall stub generator that produces C/ASM code for invoking NT kernel functions directly, bypassing user-mode hooks placed by AV/EDR products on ntdll.dll.
SysWhispers4 supports Windows NT 3.1 through Windows 11 24H2 across x64, x86, WoW64, and ARM64 architectures.

Why SysWhispers4?

Modern endpoint security products (AV/EDR) monitor suspicious API calls by placing hooks in user-mode libraries like ntdll.dll. When your program calls functions like VirtualAllocEx or CreateRemoteThread, the EDR intercepts these calls before they reach the kernel. SysWhispers4 bypasses these hooks by:
  • Generating syscall stubs that invoke NT functions directly via the syscall instruction
  • Never calling through hooked ntdll.dll functions
  • Providing 8 different SSN (System Service Number) resolution methods to handle various EDR hooking strategies
  • Offering 4 invocation techniques to evade detection at the syscall boundary

Key Capabilities

8 SSN Resolution Methods

From simple static tables to advanced hardware breakpoint extraction — bypass any hook

4 Invocation Techniques

Direct, indirect, randomized, and egg hunt methods to evade RIP-based detection

8 Evasion Features

ETW/AMSI bypass, ntdll unhooking, anti-debug, sleep encryption, and more

64 NT Functions

Comprehensive coverage of memory, process, thread, file, and token operations

Evolution: SysWhispers 1 → 4

SysWhispers4 builds on the lineage of:

Major Improvements in v4

1

New SSN Resolution Methods

  • SyscallsFromDisk: Maps clean ntdll from \KnownDlls — bypasses ALL hooks
  • RecycledGate: Combines FreshyCalls + opcode validation for maximum resilience
  • HW Breakpoint: Uses debug registers (DR0-DR3) + VEH to extract SSNs
  • Static + dynamic fallback: Hybrid approach for reliability
2

ARM64 Architecture Support

Full support for Windows on ARM using svc #0 instruction and w8 register for SSN
3

Advanced Evasion Techniques

  • AMSI bypass (patches AmsiScanBuffer)
  • ntdll unhooking (remap clean .text from KnownDlls)
  • Anti-debugging (6 detection checks)
  • Sleep encryption (Ekko-style memory XOR during sleep)
  • Junk instruction injection (14 variants)
  • Stack spoofing (synthetic return addresses)
4

Fixed Randomized Indirect Bug

SW3’s randomized method had a register-corruption bug where RDTSC overwrites edx (arg2). SW4 correctly saves rdx → r11 before rdtsc and restores it without touching the stack.

How It Works

1

Generate Syscall Stubs

Run SysWhispers4 to generate C/ASM files containing syscall stubs for your chosen NT functions.
2

Integrate Into Your Project

Add the generated files to your Visual Studio, MinGW, or Clang project. For MSVC, enable MASM support.
3

Initialize at Runtime

Call SW4_Initialize() to resolve syscall numbers using your chosen technique (FreshyCalls, Hell’s Gate, etc.)
4

Use NT Functions Directly

Call generated functions like SW4_NtAllocateVirtualMemory() — they bypass all user-mode hooks and invoke the kernel directly.

Architecture Overview

Traditional API call path (hooked by EDR):
SysWhispers4 path (bypasses hooks):

Feature Comparison

Use Cases

Security Notice: SysWhispers4 is a security research and authorized penetration testing tool. Use only:
  • On systems you own or have explicit written authorization to test
  • In CTF competitions
  • For defensive research (understanding offensive techniques to improve detection)
  • For developing security product signatures
Unauthorized use is illegal in most jurisdictions.

Legitimate Applications

Red Team Operations

Authorized penetration testing and adversary simulation exercises

EDR Testing

Validate detection capabilities of endpoint security products

Security Research

Study syscall-based evasion techniques for defensive improvements

CTF Competitions

Capture-the-flag challenges requiring Windows exploitation

What’s Next?

Ready to get started? Follow the Installation guide to set up your environment, then jump to the Quick Start to generate your first syscall stubs.