Introduction

What Sysplant is, why it exists, and a high-level overview of its architecture.

Authorized use only. Please only use Sysplant on systems you have explicit permission to access. Misuse of syscall bypass techniques against systems you do not own is illegal.

What is Sysplant?

Sysplant is a syscall factory — a Python tool that generates native Windows syscall stub files in C, C++, NIM, or Rust. The generated files let your code invoke Windows kernel services directly, bypassing the user-land hooks that Endpoint Detection & Response (EDR) products insert into ntdll.dll.

Rather than writing (or copy-pasting) gate code by hand, Sysplant lets you:

  1. Choose an iterator that resolves syscall numbers at runtime.
  2. Choose a method that controls how the syscall instruction is executed.
  3. Select the functions you need (or use a preset).
  4. Generate a drop-in source file for your language of choice.

Why syscall bypasses?

Modern EDRs operate by placing hooks — typically jmp trampolines — at the start of Nt* / Zw* functions inside ntdll.dll. Any process that calls those functions has its execution redirected into the EDR's callback for inspection.

Direct and indirect syscall techniques skip ntdll entirely (or jump past the hook) so the kernel is invoked without passing through monitored code paths.
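The same mechanism from the detection side, as an added example that is not part of Sysplant or its documentation: a direct syscall stub puts a syscall instruction inside the program's own image instead of ntdll.dll, so a static scan of a module's code bytes can flag it even when the syscall number is loaded at runtime. The function name, the sample bytes and the 32-byte lookback are assumptions made for this illustration.

```python
import re

MOV_R10_RCX = b"\x4c\x8b\xd1"   # mov r10, rcx (x64 syscall calling convention)
SYSCALL_RET = b"\x0f\x05\xc3"   # syscall ; ret
SYSTEM_MODULES = {"ntdll.dll", "win32u.dll"}  # syscall stubs are expected here
LOOKBACK = 32                   # assumed window searched before `syscall`


def scan_code_section(module_name: str, code: bytes) -> list[dict]:
    """Flag `syscall; ret` sequences in the code bytes of a non-system module.

    `code` is assumed to be the raw bytes of an executable section that the
    caller has already extracted from the image on disk or in memory.
    """
    if module_name.lower() in SYSTEM_MODULES:
        return []
    findings = []
    for match in re.finditer(re.escape(SYSCALL_RET), code):
        off = match.start()
        window = code[max(0, off - LOOKBACK):off]
        # The r10 setup close to the instruction makes a chance byte match unlikely.
        confidence = "high" if MOV_R10_RCX in window else "low"
        findings.append({"offset": off, "confidence": confidence})
    return findings


# Constructed sample bytes, not taken from any real binary.
SAMPLE = (
    b"\x55\x48\x89\xe5\x31\xc0\x5d\xc3"      # ordinary function, ends in ret
    + b"\x4c\x8b\xd1"                        # mov r10, rcx
    + b"\x8b\x05\x10\x00\x00\x00"            # mov eax, [rip+0x10] (SSN from memory)
    + b"\x0f\x05\xc3"                        # syscall ; ret
    + b"\x90" * 40                           # padding
    + b"\x0f\x05\xc3"                        # bare byte match, no prologue nearby
)

if __name__ == "__main__":
    for hit in scan_code_section("loader.exe", SAMPLE):
        print(f"offset 0x{hit['offset']:x}: {hit['confidence']} confidence")
```

Methods that jump into ntdll.dll past the hook leave no syscall instruction in the image, so this scan covers only the direct case.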

Architecture overview

sysplant/
├── sysplant.py          Main Sysplant class (public API)
├── constants/           Language extensions, preset lists, internal symbols
├── managers/
│   └── templateManager.py   Selects the right code generator
└── templates/ (per-language generators)
    ├── NIMGenerator
    ├── CGenerator
    ├── CppGenerator
    └── RustGenerator

main.py                  CLI entry point (argparse)
bridge_mcp_sysplant.py   MCP server entry point (FastMCP)

The Sysplant class selects a generator based on arch + syscall + language. The generator builds the stub file from its internal template; generate() wires in the chosen iterator and method; output() writes the result to disk.

Key concepts

Concept    One-liner
Iterator   How the correct syscall number (SSN) is found at runtime
Method     How the syscall instruction is invoked
Preset     A curated list of Nt* functions (common, donut, all)
Scramble   Randomise 23 internal SPT_* symbol names
Gate       Shorthand for a specific iterator + its default method

Copyright © 2026