Skip to main content

Your First Syscall Stub

This guide walks you through generating syscall stubs for common NT functions and integrating them into a working C program.
Make sure you’ve completed the Installation steps before proceeding.

Generate Syscall Stubs

1

Choose a Preset

SysWhispers4 provides 8 presets for common use cases. Let’s start with the common preset:
This generates stubs for 25 essential functions including:
  • NtAllocateVirtualMemory — Memory allocation
  • NtCreateThreadEx — Thread creation
  • NtOpenProcess — Process handle operations
  • NtWriteVirtualMemory — Memory writing
  • And 21 more…
2

Review Generated Files

SysWhispers4 creates 4 files in the current directory:
Output:
3

Understand the Output Summary

The generator prints a summary:
Key information:
  • Resolution: freshycalls — Sorts ntdll exports by VA (hook-resistant)
  • Method: embedded — Direct syscall instruction in stub
  • Prefix: SW4_ — All functions/symbols prefixed with SW4_

Create a Test Program

Let’s create a simple program that allocates memory using our generated syscalls.

Compile and Run

1

Create Project

  1. Open Visual Studio
  2. File → New → Project → “Empty Project”
  3. Name: SysWhispersTest
2

Enable MASM

  • Right-click project → Build Dependencies → Build Customizations
  • Check masm (.targets, .props)
3

Add Files

Right-click project → Add → Existing Item:
  • SW4Syscalls_Types.h
  • SW4Syscalls.h
  • SW4Syscalls.c
  • SW4Syscalls.asm
  • test_syscalls.c
4

Build

  • Press F7 or Build → Build Solution
  • If successful, output: SysWhispersTest.exe
5

Run

Advanced Example: Remote Process Injection

Here’s a more realistic example — injecting shellcode into a remote process:
For Educational Purposes Only: This example demonstrates syscall-based process injection. Only use on systems you own or have explicit authorization to test.

Generate with Advanced Options

For the injection example, use enhanced evasion:
What this does:
  • --method indirect — Jump to ntdll gadget (RIP appears in ntdll at syscall)
  • --resolve freshycalls — Sort exports by VA (hook-resistant)
  • --encrypt-ssn — XOR-encrypt syscall numbers at rest
  • --stack-spoof — Synthetic call stack frames

Customizing Function Selection

You can also pick individual functions:
Or combine presets:

Next Steps

Explore SSN Resolution Methods

Learn about FreshyCalls, Hell’s Gate, Tartarus’ Gate, and 5 more techniques

Invocation Methods

Understand embedded, indirect, randomized, and egg hunt methods

Evasion Features

ETW/AMSI bypass, ntdll unhooking, anti-debug, sleep encryption

Presets Reference

Complete guide to all 8 function presets

Troubleshooting

Possible causes:
  • ntdll.dll not loaded (shouldn’t happen in normal Windows process)
  • FreshyCalls can’t enumerate exports (permission issue)
Solutions:
  • Try static resolution: --resolve static
  • Enable verbose mode to see debug output
  • Check if running in unusual environment (sandboxed, driver context)
Cause: Incorrect parameter types or invalid handlesSolutions:
  • Verify all parameters match NT function signature
  • Check that handles are valid (not NULL or INVALID_HANDLE_VALUE)
  • Ensure OBJECT_ATTRIBUTES is initialized: { sizeof(OBJECT_ATTRIBUTES) }
Cause: SSN mismatch (wrong syscall number for OS version)Solutions:
  • Update syscall tables: python scripts/update_syscall_table.py
  • Use dynamic resolution (FreshyCalls) instead of static
  • Verify architecture matches (x64 vs x86)
Error: error A2008: syntax errorSolution: Ensure ASM file is set to “Microsoft Macro Assembler” item type in Visual Studio project properties.

What You’ve Learned

1

Generated syscall stubs

Used --preset common to create stubs for 25 essential NT functions
2

Integrated into C project

Added generated files to MSVC/MinGW project and compiled successfully
3

Called NT functions directly

Used SW4_NtAllocateVirtualMemory to allocate memory via direct syscall, bypassing user-mode hooks
4

Built a working injector

Created a complete process injection example using syscall-based memory allocation, writing, and thread creation
You now have a working syscall-based application that bypasses user-mode EDR hooks! Continue exploring the documentation to learn about advanced techniques and evasion features.