SysWhispers2

Detailed walkthrough of the SysWhispers2 syscall resolution algorithm as implemented in Sysplant.

Origin: @Jackson_T / @modexpblog — 2021
Default method: indirect


Principle

SysWhispers2 uses the same address-sorting strategy as FreshyCalls: it collects Zw* exports from the ntdll Export Directory, sorts them by virtual address, and uses the sorted index as the SSN.

The key difference from FreshyCalls is the default caller method: SysWhispers2 uses indirect by default, meaning the generated stub jumps to the ntdll function's own code to execute the syscall instruction rather than executing an inline syscall.


Algorithm (from source)

The resolution algorithm is structurally identical to FreshyCalls:

  1. PEB walk to locate ntdll.
  2. Export Directory scan — filter for Zw* exports (*(USHORT*)FunctionName == 0x775a, i.e. the bytes 'Z' = 0x5a and 'w' = 0x77 read as one little-endian 16-bit value).
  3. Bubble sort by Entries[i].Address ascending.
  4. Sorted index = SSN.

For each entry, SPT_DetectPadding scans forward from the function address until it finds the syscall; ret byte sequence (0F 05 C3 on x64) and stores that offset as SyscallAddress. This offset is used by the indirect and random methods.
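To make the four steps above concrete, here is a small Python model of the resolution, added for this walkthrough and not taken from Sysplant or SysWhispers2. It runs over a constructed export table (the names and addresses are invented, and the resulting SSNs are just sorted positions, not real Windows numbers) and over a constructed x64 stub byte string; the function names resolve_ssns and detect_syscall_offset are this example's own. It shows the little-endian 0x775a test, the bubble sort by address, and the forward scan for 0F 05 C3 that SPT_DetectPadding performs.

```python
import struct

# Constructed toy export table: name -> virtual address. Addresses are invented;
# the point is that Zw* entries end up ordered by address, and that order is the SSN.
SAMPLE_EXPORTS = {
    "RtlInitUnicodeString": 0x1000,     # not Zw*, ignored by the filter
    "ZwClose": 0x3020,
    "NtClose": 0x3020,                  # same code as ZwClose, but the Nt* name is skipped
    "ZwAllocateVirtualMemory": 0x3080,
    "ZwWriteFile": 0x3040,
    "ZwOpenProcess": 0x3060,
    "LdrLoadDll": 0x5000,
}

ZW_PREFIX_LE = 0x775A  # "Zw" read as a little-endian USHORT: 'Z' = 0x5a, 'w' = 0x77


def is_zw_export(name: str) -> bool:
    """Mirror the *(USHORT*)FunctionName == 0x775a test on the first two ASCII bytes."""
    raw = name.encode("ascii")
    if len(raw) < 2:
        return False
    return struct.unpack_from("<H", raw)[0] == ZW_PREFIX_LE


def resolve_ssns(exports: dict) -> dict:
    """Step 2-4: filter Zw* exports, bubble sort by address, sorted index = SSN."""
    entries = [(name, addr) for name, addr in exports.items() if is_zw_export(name)]
    n = len(entries)
    for i in range(n):                       # bubble sort, ascending by address
        for j in range(n - i - 1):
            if entries[j][1] > entries[j + 1][1]:
                entries[j], entries[j + 1] = entries[j + 1], entries[j]
    return {name: ssn for ssn, (name, _addr) in enumerate(entries)}


SYSCALL_RET = b"\x0f\x05\xc3"  # syscall; ret on x64


def detect_syscall_offset(code: bytes, start: int, limit: int = 32):
    """SPT_DetectPadding-style scan: walk forward from `start` until syscall; ret is found.

    Returns the offset relative to `start`, or None if the sequence is not within `limit`
    bytes (for example because the first bytes of the function have been replaced).
    """
    for off in range(limit):
        if code[start + off : start + off + 3] == SYSCALL_RET:
            return off
    return None


# Constructed x64 stub: mov r10, rcx ; mov eax, 0x0f ; syscall ; ret
STUB = b"\x4c\x8b\xd1" + b"\xb8\x0f\x00\x00\x00" + SYSCALL_RET
# Constructed buffer whose first bytes are a jmp rel32 followed by padding, with no syscall; ret
PATCHED = b"\xe9\x11\x22\x33\x44" + b"\x90" * 20

if __name__ == "__main__":
    print(resolve_ssns(SAMPLE_EXPORTS))           # ZwClose -> 0, ZwWriteFile -> 1, ...
    print(detect_syscall_offset(STUB, 0))          # 8
    print(detect_syscall_offset(PATCHED, 0))       # None
```

The sort is what makes this approach independent of the bytes at the start of each stub: the SSN comes from the position of the export among its Zw* siblings, so the scan for 0F 05 C3 is only needed to locate the syscall instruction, not to read the number. The None result shows the case a practitioner should expect when the first bytes of a function no longer contain the original sequence within the scan window.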


Indirect default

The indirect method jumps to SPT_GetSyscallAddress(), which returns Entries[i].Address — the start of the matching ntdll function. Execution continues inside ntdll's code, which performs the MOV EAX, SSN; syscall sequence. This means the syscall instruction is executed from within ntdll's memory range, not from within your module.

See Indirect method for the full stub walkthrough.
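The practical consequence of the indirect default is where the syscall instruction executes, and that is what a monitoring component sees. The following Python model is added for this page and is not Sysplant code: it simulates the direct and indirect methods over a constructed module map (ntdll and caller base addresses, stub offsets and the resolved entry are all invented) and then runs a simple range check of the kind a detector might apply to the instruction pointer at syscall time. The names simulate_syscall and check_syscall_event are this example's own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map; bases and sizes are invented for the model.
NTDLL = ModuleRange("ntdll.dll", 0x7FF8_1000_0000, 0x1F0000)
CALLER = ModuleRange("caller.exe", 0x1_4000_0000, 0x20000)
MODULES = (NTDLL, CALLER)

# Constructed resolved entry for one Zw export: Entries[i].Address plus the SyscallAddress
# offset that the padding scan would have found inside ntdll.
NTDLL_ZW_FUNC_ADDR = NTDLL.base + 0x9C120
NTDLL_SYSCALL_OFFSET = 0x12

STUB_ADDR = CALLER.base + 0x1800        # where the generated stub lives in the caller module
STUB_SYSCALL_OFFSET = 0x08              # direct stub: mov r10, rcx ; mov eax, ssn ; syscall
CALL_SITE_RETURN = CALLER.base + 0x1234  # return address pushed by the `call stub` in the caller


def module_for(addr: int) -> Optional[str]:
    for m in MODULES:
        if m.contains(addr):
            return m.name
    return None


def simulate_syscall(method: str) -> dict:
    """Model the RIP at which the syscall instruction runs for each caller method.

    direct:   the stub in the caller module executes its own syscall instruction.
    indirect: the stub jumps into the ntdll function, so ntdll's own syscall instruction runs.
    In both cases the `ret` after the syscall returns to the original call site.
    """
    if method == "direct":
        rip = STUB_ADDR + STUB_SYSCALL_OFFSET
    elif method == "indirect":
        rip = NTDLL_ZW_FUNC_ADDR + NTDLL_SYSCALL_OFFSET
    else:
        raise ValueError(f"unknown method: {method}")
    return {"method": method, "syscall_rip": rip, "return_addr": CALL_SITE_RETURN}


def check_syscall_event(event: dict) -> dict:
    """Range check on the syscall RIP, plus the module the syscall will return into."""
    rip_mod = module_for(event["syscall_rip"])
    ret_mod = module_for(event["return_addr"])
    return {
        "syscall_module": rip_mod,
        "return_module": ret_mod,
        # A RIP-only check fires when the syscall instruction is outside ntdll.
        "flag_rip_outside_ntdll": rip_mod != NTDLL.name,
    }


if __name__ == "__main__":
    for method in ("direct", "indirect"):
        print(method, check_syscall_event(simulate_syscall(method)))
```

Run stand-alone, the direct case is flagged by the RIP range check and the indirect case is not, because the instruction pointer sits inside ntdll exactly as the section above describes. What the model also makes visible is that the return address after the syscall still points into the caller module in both cases, so the remaining evidence for an indirect stub lies in the call stack rather than in the syscall site itself.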


When to use

  • When you need the indirect or random execution methods (SysWhispers2 is the canonical pairing for those).
  • Equivalent to FreshyCalls for the direct method — choose based on preference.