reddit hackernews mail facebook facebook linkedin


AV/EDR evasion via direct system calls.

SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.
All core syscalls are supported from Windows XP to Windows 10 19042 (20H2).

Various security products place hooks in user-mode APIs which allow them to redirect execution flow to their engines and detect for suspicious behaviour. The functions in ntdll.dll that make the syscalls consist of just a few assembly instructions, so re-implementing them in your own implant can bypass the triggering of those security product hooks.

SysWhispers provides red teamers the ability to generate header/ASM pairs for any system call in the core kernel image (ntoskrnl.exe) across any Windows version starting from XP. The headers will also include the necessary type definitions.