github.com/jthuraisamy/SysWhispers
AV/EDR evasion via direct system calls.
Contributors: 4
Lines of Code: 72
From: 2019-12-04
To: 2020-12-27
About jthuraisamy/SysWhispers
SysWhispers is a code generation tool that helps red teamers and security researchers evade antivirus and endpoint detection and response (EDR) solutions by generating custom assembly and header files. The tool generates code that makes direct system calls to the Windows kernel, bypassing user-mode API hooks that security products typically place in ntdll.dll functions to detect malicious behavior. By re-implementing these syscalls directly in an implant rather than calling the hooked library functions, operators can avoid triggering security product detections.
The tool supports a wide range of Windows versions, from XP through Windows 10 build 19042, and handles version differences automatically by reading the process environment block directly in assembly rather than calling version-detection APIs. It can generate syscall implementations for dozens of common functions such as CreateRemoteThread, WriteProcessMemory, and AllocateVirtualMemory, or users can specify individual syscalls. The generated files integrate into Visual Studio projects and are designed for 64-bit Windows targets only. SysWhispers improves on earlier proof-of-concept implementations such as Dumpert by supporting multiple Windows versions within a single function rather than requiring a separate implementation per version.
The project is intended for offensive security professionals and red teamers conducting authorized assessments and is licensed under Apache 2.0. It represents the assembly-language side of evasion-technique research, which has become increasingly important in adversarial security testing, as documented in numerous blog posts and security research articles exploring the interplay between malware defense mechanisms and evasion techniques.