Overview
SysWhispers4 is a Python-based syscall stub generator that produces C/ASM code for invoking NT kernel functions directly, bypassing user-mode hooks placed by AV/EDR products onntdll.dll.
SysWhispers4 supports Windows NT 3.1 through Windows 11 24H2 across x64, x86, WoW64, and ARM64 architectures.
Why SysWhispers4?
Modern endpoint security products (AV/EDR) monitor suspicious API calls by placing hooks in user-mode libraries likentdll.dll. When your program calls functions like VirtualAllocEx or CreateRemoteThread, the EDR intercepts these calls before they reach the kernel.
SysWhispers4 bypasses these hooks by:
- Generating syscall stubs that invoke NT functions directly via the
syscallinstruction - Never calling through hooked
ntdll.dllfunctions - Providing 8 different SSN (System Service Number) resolution methods to handle various EDR hooking strategies
- Offering 4 invocation techniques to evade detection at the syscall boundary
Key Capabilities
8 SSN Resolution Methods
From simple static tables to advanced hardware breakpoint extraction — bypass any hook
4 Invocation Techniques
Direct, indirect, randomized, and egg hunt methods to evade RIP-based detection
8 Evasion Features
ETW/AMSI bypass, ntdll unhooking, anti-debug, sleep encryption, and more
64 NT Functions
Comprehensive coverage of memory, process, thread, file, and token operations
Evolution: SysWhispers 1 → 4
SysWhispers4 builds on the lineage of:- SysWhispers (v1)
- SysWhispers2 (v2)
- SysWhispers3 (v3)
Major Improvements in v4
1
New SSN Resolution Methods
- SyscallsFromDisk: Maps clean ntdll from
\KnownDlls— bypasses ALL hooks - RecycledGate: Combines FreshyCalls + opcode validation for maximum resilience
- HW Breakpoint: Uses debug registers (DR0-DR3) + VEH to extract SSNs
- Static + dynamic fallback: Hybrid approach for reliability
2
ARM64 Architecture Support
Full support for Windows on ARM using
svc #0 instruction and w8 register for SSN3
Advanced Evasion Techniques
- AMSI bypass (patches
AmsiScanBuffer) - ntdll unhooking (remap clean
.textfrom KnownDlls) - Anti-debugging (6 detection checks)
- Sleep encryption (Ekko-style memory XOR during sleep)
- Junk instruction injection (14 variants)
- Stack spoofing (synthetic return addresses)
4
Fixed Randomized Indirect Bug
SW3’s randomized method had a register-corruption bug where
RDTSC overwrites edx (arg2). SW4 correctly saves rdx → r11 before rdtsc and restores it without touching the stack.How It Works
1
Generate Syscall Stubs
Run SysWhispers4 to generate C/ASM files containing syscall stubs for your chosen NT functions.
2
Integrate Into Your Project
Add the generated files to your Visual Studio, MinGW, or Clang project. For MSVC, enable MASM support.
3
Initialize at Runtime
Call
SW4_Initialize() to resolve syscall numbers using your chosen technique (FreshyCalls, Hell’s Gate, etc.)4
Use NT Functions Directly
Call generated functions like
SW4_NtAllocateVirtualMemory() — they bypass all user-mode hooks and invoke the kernel directly.Architecture Overview
Traditional API call path (hooked by EDR):SysWhispers4 path (bypasses hooks):
Feature Comparison
Use Cases
Legitimate Applications
Red Team Operations
Authorized penetration testing and adversary simulation exercises
EDR Testing
Validate detection capabilities of endpoint security products
Security Research
Study syscall-based evasion techniques for defensive improvements
CTF Competitions
Capture-the-flag challenges requiring Windows exploitation
