SysWhispers : AV/EDR Evasion Via Direct System Calls

SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls. All core syscalls are supported from Windows XP to 10. Example generated files available in example-output/.

Various security products place hooks in user-mode APIs which allow them to redirect execution flow to their engines and detect for suspicious behavior. The functions in ntdll.dll that make the syscalls consist of just a few assembly instructions, so re-implementing them in your own implant can bypass the triggering of those security product hooks. This technique was popularized by @Cn33liz and his blog post has more technical details worth reading.

SysWhispers provides red teamers the ability to generate header/ASM pairs for any system call in the core kernel image (ntoskrnl.exe) across any Windows version starting from XP. The headers will also include the necessary type definitions.

The main implementation difference between this and the Dumpert POC is that this doesn’t call RtlGetVersion to query the OS version, but instead does this in the assembly by querying the PEB directly. The benefit is being able to call one function that supports multiple Windows versions instead of calling multiple functions each supporting one version.

Installation

git clone https://github.com/jthuraisamy/SysWhispers.git
cd SysWhispers
pip3 install -r .\requirements.txt
py .\syswhispers.py –help

Usage & Examples

#Export all functions with compatibility for all supported Windows versions (see example-output/).
py .\syswhispers.py –preset all -o syscalls_all

#Export just the common functions with compatibility for Windows 7, 8, and 10.
py .\syswhispers.py –preset common -o syscalls_common

#Export NtProtectVirtualMemory and NtWriteVirtualMemory with compatibility for all versions.
py .\syswhispers.py –functions NtProtectVirtualMemory,NtWriteVirtualMemory -o syscalls_mem

#Export all functions with compatibility for Windows 7, 8, and 10.
py .\syswhispers.py –versions 7,8,10 -o syscalls_78X

Common Functions

Using the --preset common switch will create a header/ASM pair with the following functions: Click to expand function list.

Importing Into Visual Studio

  • Copy the generated H/ASM files into the project folder.
  • In Visual Studio, go to Project → Build Customizations… and enable MASM.
  • In the Solution Explorer, add the .h and .asm files to the project as header and source files, respectively.
  • Go to the properties of the ASM file, and set the Item Type to Microsoft Macro Assembler.
  • Ensure that the project platform is set to x64. 32-bit projects are not supported at this time.

Caveats & Limitations

  • Only 64-bit Windows is supported at this time.
  • System calls from the graphical subsystem (win32k.sys) are not supported.
  • Tested on Visual Studio 2019 (v142) with Windows 10 SDK.

Troubleshooting

  • ModuleNotFoundError in Python script.
    • Ensure that the required modules are installed with pip3 install -r requirements.txt.
  • Type redefinitions errors: a project may not compile if typedefs in syscalls.h have already been defined.
    • Ensure that only required functions are included (i.e. --preset all is rarely necessary).
    • If a typedef is already defined in another used header, then it could be removed from syscalls.h.
R K

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

2 weeks ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

2 weeks ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

2 weeks ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

2 weeks ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

2 weeks ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

2 weeks ago