### SysWhispers4 CLI Quickstart and Options Source: https://context7.com/joasasantos/syswhispers4/llms.txt Command-line examples for SysWhispers4, demonstrating quickstart presets, maximum-stealth configurations, specific function generation, and utility commands. ```bash python syswhispers.py --preset common ``` ```bash python syswhispers.py --preset stealth \ --method randomized --resolve recycled \ --obfuscate --encrypt-ssn --stack-spoof \ --etw-bypass --amsi-bypass --unhook-ntdll \ --anti-debug --sleep-encrypt ``` ```bash python syswhispers.py --preset injection \ --method indirect --resolve tartarus \ --out-dir ./output --prefix MY ``` ```bash python syswhispers.py \ --functions NtAllocateVirtualMemory,NtCreateThreadEx,NtClose \ --arch x86 --compiler mingw \ --method embedded --resolve halos_gate ``` ```bash python syswhispers.py --preset common --arch arm64 ``` ```bash python syswhispers.py --preset injection \ --method egg --resolve hw_breakpoint ``` ```bash python syswhispers.py --list-functions ``` ```bash python syswhispers.py --list-presets ``` ```bash python scripts/update_syscall_table.py --arch x64,x86 ``` -------------------------------- ### Generate Common SysWhispers4 Preset Source: https://github.com/joasasantos/syswhispers4/blob/main/README.md Generates syscall stubs using the 'common' preset, which typically includes FreshyCalls and direct syscalls. This is a recommended starting point. ```bash python syswhispers.py --preset common ``` -------------------------------- ### Generate Syscalls for ARM64 Architecture Source: https://github.com/joasasantos/syswhispers4/blob/main/README.md Generates syscall stubs for the ARM64 architecture using the 'common' preset. ```bash python syswhispers.py --preset common --arch arm64 ``` -------------------------------- ### Generate Syscalls using Egg Hunt Method Source: https://github.com/joasasantos/syswhispers4/blob/main/README.md Generates syscall stubs for specified functions using the 'egg' method and Halo's Gate resolution. This method does not rely on syscall opcodes on disk. ```bash python syswhispers.py \ --functions NtAllocateVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx \ --method egg --resolve halos_gate ``` -------------------------------- ### Generate Syscalls from Disk with Indirect Method Source: https://github.com/joasasantos/syswhispers4/blob/main/README.md Generates syscall stubs using the indirect method and 'from_disk' resolution, which maps a clean ntdll from disk to bypass all hooks. Includes ntdll unhooking. ```bash python syswhispers.py --preset injection \ --method indirect --resolve from_disk \ --unhook-ntdll ``` -------------------------------- ### Generate Injection Preset with Tartarus' Gate Source: https://github.com/joasasantos/syswhispers4/blob/main/README.md Generates syscall stubs using the 'injection' preset, with the indirect method and Tartarus' Gate resolution. This is suitable for injection scenarios. ```bash python syswhispers.py --preset injection --method indirect --resolve tartarus ``` -------------------------------- ### Generate Syscalls using Hardware Breakpoint Resolution Source: https://github.com/joasasantos/syswhispers4/blob/main/README.md Generates syscall stubs for specific functions (NtAllocateVirtualMemory, NtCreateThreadEx) using the hardware breakpoint resolution method. ```bash python syswhispers.py --functions NtAllocateVirtualMemory,NtCreateThreadEx \ --resolve hw_breakpoint ``` -------------------------------- ### Generate Maximum Evasion Preset Source: https://github.com/joasasantos/syswhispers4/blob/main/README.md Combines multiple evasion techniques for maximum stealth, including randomized method, recycled gate resolution, obfuscation, SSN encryption, stack spoofing, ETW bypass, AMSI bypass, ntdll unhooking, anti-debugging, and sleep encryption. ```bash python syswhispers.py --preset stealth \ --method randomized --resolve recycled \ --obfuscate --encrypt-ssn --stack-spoof \ --etw-bypass --amsi-bypass --unhook-ntdll \ --anti-debug --sleep-encrypt ``` -------------------------------- ### Unhook ntdll with SW4_UnhookNtdll Source: https://github.com/joasasantos/syswhispers4/blob/main/README.md Call this function before SW4_Initialize to remove all inline hooks from ntdll. This ensures that FreshyCalls/Hell's Gate reads clean stubs. ```c // Call BEFORE SW4_Initialize() for best results SW4_UnhookNtdll(); // Remove ALL inline hooks from ntdll SW4_Initialize(); // Now FreshyCalls/Hell's Gate reads clean stubs ``` -------------------------------- ### Perform Anti-Debugging Checks with SW4_AntiDebugCheck Source: https://github.com/joasasantos/syswhispers4/blob/main/README.md Executes 6 checks to detect the presence of a debugger or analysis tools. If a debugger is detected, the program should exit or take evasive action. ```c if (!SW4_AntiDebugCheck()) { // Debugger detected — bail out or take evasive action ExitProcess(0); } ``` -------------------------------- ### Encrypt .text section during sleep with SW4_SleepEncrypt Source: https://github.com/joasasantos/syswhispers4/blob/main/README.md Encrypts the .text section using a random XOR key during sleep to evade memory scanners. The section is decrypted automatically upon waking. ```c // Instead of Sleep(5000), use: SW4_SleepEncrypt(5000); // .text is encrypted during the entire sleep ``` -------------------------------- ### SysWhispers4 GeneratorConfig Dataclass Source: https://context7.com/joasasantos/syswhispers4/llms.txt Python code demonstrating the construction of a GeneratorConfig object to specify SysWhispers4 generation parameters programmatically. All fields have sensible defaults. ```python from core.models import ( Architecture, Compiler, GeneratorConfig, InvocationMethod, ResolutionMethod, ) cfg = GeneratorConfig( # Function list (resolved from preset or --functions flag) functions=["NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx", "NtOpenProcess", "NtClose"], # Target arch=Architecture.x64, # x64 | x86 | WoW64 | ARM64 compiler=Compiler.MSVC, # msvc | mingw | clang # Syscall technique method=InvocationMethod.Randomized, # embedded | indirect | randomized | egg resolve=ResolutionMethod.RecycledGate, # freshycalls | hells_gate | # tartarus | from_disk | recycled | # hw_breakpoint | static # Output prefix="SW4_", # prefix for all generated symbols out_file="SW4Syscalls", # basename for generated files out_dir="./output", # destination directory # Evasion toggles obfuscate=True, # randomize stub order + inject junk instructions encrypt_ssn=True, # XOR-encrypt SSN table; decrypt inline in ASM stub stack_spoof=True, # include synthetic call-stack frame helper etw_bypass=True, # include SW4_PatchEtw() for user-mode ETW suppression amsi_bypass=True, # include SW4_PatchAmsi() for AMSI bypass unhook_ntdll=True, # include SW4_UnhookNtdll() to restore clean ntdll anti_debug=True, # include SW4_AntiDebugCheck() (6 checks) sleep_encrypt=True, # include SW4_SleepEncrypt() Ekko-style memory encryption ) ``` -------------------------------- ### SyscallsFromDisk SSN Resolution Source: https://github.com/joasasantos/syswhispers4/blob/main/README.md Reads System Service Numbers (SSNs) from a clean, on-disk copy of ntdll.dll to bypass inline hooks. This method is guaranteed to be hook-free as it avoids reading the potentially compromised in-memory ntdll. ```c // Flow: NtOpenSection → NtMapViewOfSection → read clean SSNs → NtUnmapViewOfSection // SSNs come from the on-disk image, guaranteed hook-free SW4_SyscallsFromDisk(pNtdll); ``` -------------------------------- ### AMSI Bypass Patch Source: https://github.com/joasasantos/syswhispers4/blob/main/README.md Patches amsi.dll!AmsiScanBuffer to return E_INVALIDARG, causing AMSI to treat scan arguments as invalid. This function should be called early in the execution flow, before any suspicious operations that might trigger AMSI. ```c SW4_PatchAmsi(); // Call early, before any suspicious operations ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.