SysWhispers4

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://github.com/JoasASantos/SysWhispers4
• Blog Title: SysWhispers4
• Suggested Section: Windows Hardening -> Antivirus (AV) Bypass (and/or a new subpage under Windows Red Teaming/EDR Evasion: "Direct/Indirect Syscalls (SysWhispers, Hell's Gate/Halo's Gate/Tartarus' Gate, FreshyCalls/RecycledGate, SyscallsFromDisk, HW breakpoint SSN extraction)")

🎯 Content Summary

Title/Goal
SysWhispers4 is a Python-based syscall-stub generator (Python 3.10+) that outputs C/ASM code to invoke Windows NT kernel services via direct and indirect syscalls, with the explicit purpose of bypassing user-mode AV/EDR hooks on ntdll.dll.

It supports Windows NT 3.1 through Windows 11 24H2 and multiple architectures: x64, x86 (32-bit sysenter), WoW64 (Heaven’s Gate), and ARM64 (uses SVC #0<...

🔧 Technical Details

Bypass user-mode EDR hooks via direct/indirect syscalls:
If EDRs inline-hook ntdll.dll syscall stubs (e.g., trampolines inserted into .text), generate a custom syscall stub that sets the SSN (commonly in EAX on x64) and performs the kernel transition directly (syscall/sysenter/SVC #0) to avoid executing the hooked export. For additional blending, use indirect syscalls that jump to an existing syscall gadget inside ntdll so that RIP is inside ntdll at transition; optionally randomize among a gadget pool (up to 64 gadgets) per call to add entropy.

Resolve SSNs without trusting hooked bytes:
When hooks corrupt syscall stub bytes, avoid opcode-based SSN extraction by (a) inferring SSNs via VA sorting of syscall stubs (FreshyCalls), (b) mapping a clean ntdll image from \KnownDlls\ntdll.dll and...

🤖 Agent Actions

Summary:

• Added a concise section on direct/indirect syscalls, hook‑resistant SSN resolution methods, and SysWhispers4 usage examples in src/windows-hardening/av-bypass.md.
• Added SysWhispers4 to the References list in src/windows-hardening/av-bypass.md.

Tests: not run (documentation-only change).

If you want, I can also add a short cross-link from any Windows EDR/OPSEC page you prefer (no new file).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://github.com/JoasASantos/SysWhispers4

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Antivirus (AV) Bypass (and/or a new subpage under Windows Red Teaming/EDR Evasion: "Direct/Indirect Syscalls (SysWhispers, Hell's Gate/Halo's Gate/Tartarus' Gate, FreshyCalls/RecycledGate, SyscallsFromDisk, HW breakpoint SSN extraction)")".

Repository Maintenance:

• MD Files Formatting: 954 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0