Your First Syscall Stub
This guide walks you through generating syscall stubs for common NT functions and integrating them into a working C program.Make sure you’ve completed the Installation steps before proceeding.
Generate Syscall Stubs
1
Choose a Preset
SysWhispers4 provides 8 presets for common use cases. Let’s start with the This generates stubs for 25 essential functions including:
common preset:NtAllocateVirtualMemory— Memory allocationNtCreateThreadEx— Thread creationNtOpenProcess— Process handle operationsNtWriteVirtualMemory— Memory writing- And 21 more…
View all available presets
View all available presets
2
Review Generated Files
SysWhispers4 creates 4 files in the current directory:Output:
What's in each file?
What's in each file?
3
Understand the Output Summary
The generator prints a summary:Key information:
- Resolution: freshycalls — Sorts ntdll exports by VA (hook-resistant)
- Method: embedded — Direct
syscallinstruction in stub - Prefix: SW4_ — All functions/symbols prefixed with
SW4_
Create a Test Program
Let’s create a simple program that allocates memory using our generated syscalls.Compile and Run
- MSVC (Visual Studio)
- MinGW / GCC
- Clang
1
Create Project
- Open Visual Studio
- File → New → Project → “Empty Project”
- Name:
SysWhispersTest
2
Enable MASM
- Right-click project → Build Dependencies → Build Customizations
- Check masm (.targets, .props)
3
Add Files
Right-click project → Add → Existing Item:
SW4Syscalls_Types.hSW4Syscalls.hSW4Syscalls.cSW4Syscalls.asmtest_syscalls.c
4
Build
- Press F7 or Build → Build Solution
- If successful, output:
SysWhispersTest.exe
5
Run
Advanced Example: Remote Process Injection
Here’s a more realistic example — injecting shellcode into a remote process:Generate with Advanced Options
For the injection example, use enhanced evasion:--method indirect— Jump to ntdll gadget (RIP appears in ntdll at syscall)--resolve freshycalls— Sort exports by VA (hook-resistant)--encrypt-ssn— XOR-encrypt syscall numbers at rest--stack-spoof— Synthetic call stack frames
Customizing Function Selection
You can also pick individual functions:Next Steps
Explore SSN Resolution Methods
Learn about FreshyCalls, Hell’s Gate, Tartarus’ Gate, and 5 more techniques
Invocation Methods
Understand embedded, indirect, randomized, and egg hunt methods
Evasion Features
ETW/AMSI bypass, ntdll unhooking, anti-debug, sleep encryption
Presets Reference
Complete guide to all 8 function presets
Troubleshooting
Initialization fails (SW4_Initialize returns FALSE)
Initialization fails (SW4_Initialize returns FALSE)
Possible causes:
- ntdll.dll not loaded (shouldn’t happen in normal Windows process)
- FreshyCalls can’t enumerate exports (permission issue)
- Try static resolution:
--resolve static - Enable verbose mode to see debug output
- Check if running in unusual environment (sandboxed, driver context)
Syscalls return STATUS_INVALID_PARAMETER (0xC000000D)
Syscalls return STATUS_INVALID_PARAMETER (0xC000000D)
Cause: Incorrect parameter types or invalid handlesSolutions:
- Verify all parameters match NT function signature
- Check that handles are valid (not NULL or INVALID_HANDLE_VALUE)
- Ensure
OBJECT_ATTRIBUTESis initialized:{ sizeof(OBJECT_ATTRIBUTES) }
Access violations during syscall
Access violations during syscall
Cause: SSN mismatch (wrong syscall number for OS version)Solutions:
- Update syscall tables:
python scripts/update_syscall_table.py - Use dynamic resolution (FreshyCalls) instead of static
- Verify architecture matches (x64 vs x86)
Compilation errors with MASM
Compilation errors with MASM
Error:
error A2008: syntax errorSolution: Ensure ASM file is set to “Microsoft Macro Assembler” item type in Visual Studio project properties.What You’ve Learned
1
Generated syscall stubs
Used
--preset common to create stubs for 25 essential NT functions2
Integrated into C project
Added generated files to MSVC/MinGW project and compiled successfully
3
Called NT functions directly
Used
SW4_NtAllocateVirtualMemory to allocate memory via direct syscall, bypassing user-mode hooks4
Built a working injector
Created a complete process injection example using syscall-based memory allocation, writing, and thread creation
