CsWhispers – Supercharge Your C# Project With D/Invoke And Indirect Syscalls

Source generator to add D/Invoke and indirect syscall methods to a C# project.

A game-changer for C# developers, CsWhispers is a source generator that effortlessly integrates D/Invoke and indirect syscall methods into your projects.

This article provides a quick start guide, demonstrates its powerful features, and explores the potential for extending its capabilities.

Join us on a journey to enhance your C# coding experience with CsWhispers.

Quick Start

Add the latest NuGet package to your project and allow unsafe code.

<Project Sdk="Microsoft.NET.Sdk">

    <PropertyGroup>
        <OutputType>Exe</OutputType>
        <TargetFramework>net481</TargetFramework>
        <ImplicitUsings>enable</ImplicitUsings>
        <Nullable>enable</Nullable>
        <LangVersion>12</LangVersion>
    </PropertyGroup>

    <!-- CsWhispers package -->
    <ItemGroup>
      <PackageReference Include="CsWhispers" Version="0.0.2" />
    </ItemGroup>

    <!-- Allow unsafe code -->
    <PropertyGroup Condition=" '$(Configuration)' == 'Debug' ">
      <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
    </PropertyGroup>

    <PropertyGroup Condition=" '$(Configuration)' == 'Release' ">
      <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
    </PropertyGroup>

</Project>

Create a file in your project called CsWhispers.txt and set its build action properties to AdditionalFiles.

<ItemGroup>
  <None Remove="CsWhispers.txt" />
  <AdditionalFiles Include="CsWhispers.txt" />
</ItemGroup>

Add each NT API and any supporting structs/enums that you want to be included in your project. Each must be on its own line, for example:

NtOpenProcess

HANDLE
NTSTATUS
CLIENT_ID
UNICODE_STRING
OBJECT_ATTRIBUTES

PWSTR
PCWSTR

See The Project Wiki For A Full List Of Supported APIs.

Global namespaces are automatically added to allow for clean code.

public static unsafe void Main()
{
    // use self as example
    using var self = Process.GetCurrentProcess();
        
    HANDLE hProcess;
    OBJECT_ATTRIBUTES oa;
    CLIENT_ID cid = new()
    {
        UniqueProcess = new HANDLE((IntPtr)self.Id)
    };

    var status = NtOpenProcess(
        &hProcess,
        PROCESS_ALL_ACCESS,
        &oa,
        &cid);

    Console.WriteLine("Status: {0}", status.SeverityCode);
    Console.WriteLine("HANDLE: 0x{0:X}", hProcess.Value.ToInt64());
}

D/Invoke

CsWhispers includes a minimalised version of D/Invoke, so you may also call Generic.GetLibraryAddress, Generic.DynamicFunctionInvoke, etc.

Extending

All of the generated code goes into a partial CsWhispers.Syscalls class, which you can extend to add your own APIs. For example, create MyAPIs.cs and add:

namespace CsWhispers;

public static partial class Syscalls
{
    public static NTSTATUS NtCreateThreadEx()
    {
        // whatever
        return new NTSTATUS(0);
    }
}

This can then be called in your main code without having to add any additional using statements.

namespace ConsoleApp1;

internal static class Program
{
    public static void Main()
    {
        var status = NtCreateThreadEx();
    }
}

NullGate : Advancing Evasion Techniques In Windows Exploitation

March 13, 2025

In "Cyber security"

Callstack Spoofing + Indirect Syscalls POC – Unmasking Evasion Techniques In A Proof Of Concept (POC) Scenario

November 10, 2023

In "Cyber security"

LLVM-YX-Callobfuscator : Enhancing Windows x64 Native Call Security At Compile Time

February 6, 2024

In "Cyber security"

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.