CLI Reference
Synopsis
sysplant [--debug | --verbose | --quiet] <command> [options]
Global output flags
| Flag | Description |
|---|---|
| --debug | Print all DEBUG messages |
| --verbose | Print all INFO messages |
| --quiet | Suppress all messages |
Commands
sysplant list <path>
Scan all supported source files under <path> for Nt* and Zw* function names.
sysplant list ./src
Searches files with extensions: .h, .hpp, .c, .cpp, .nim, .rs
Returns the set of detected Windows native API function names — useful to build the exact -f list for generate.
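The scan described above, approximated in Python as an added example (not sysplant's own code) for auditing which native API names a source tree references and where. The regular expression and the names find_native_api_names, build_sample_tree and demo are assumptions, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Extensions the page lists for `sysplant list`.
SOURCE_EXTENSIONS = {".h", ".hpp", ".c", ".cpp", ".nim", ".rs"}
# Assumed pattern: an identifier starting with Nt or Zw followed by an uppercase letter.
NATIVE_API = re.compile(r"\b(?:Nt|Zw)[A-Z][A-Za-z0-9]*\b")


def find_native_api_names(root):
    """Map each Nt*/Zw* name to the (relative path, line number) pairs where it appears."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SOURCE_EXTENSIONS:
            continue
        # Tolerate odd encodings instead of aborting the whole scan.
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name in NATIVE_API.findall(line):
                hits.setdefault(name, []).append((path.relative_to(root).as_posix(), lineno))
    return hits


def build_sample_tree(root):
    """Write constructed sample files (demonstration input only)."""
    root = Path(root)
    (root / "src").mkdir()
    (root / "src" / "loader.c").write_text(
        "#include <windows.h>\n"
        "NTSTATUS s = NtOpenProcess(&h, access, &oa, &cid);\n"
        "s = NtClose(h);\n"
    )
    (root / "src" / "mem.rs").write_text("unsafe { ZwClose(handle); NtClose(other); }\n")
    # Not a listed extension, so this file must be skipped.
    (root / "notes.txt").write_text("NtCreateThreadEx mentioned in a .txt file\n")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_native_api_names(tmp)


if __name__ == "__main__":
    for name, locations in sorted(demo().items()):
        print(name, locations)
```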
sysplant generate [arch] [lang] [preset] [gate] [options]
Generate a syscall stub file.
Architecture flags (optional, default: x64)
| Flag | Architecture |
|---|---|
| -x64 | 64-bit (default) |
| -x86 | 32-bit |
| -wow | WoW64 (32-bit process on 64-bit Windows) |
Language flags (optional, default: -nim)
| Flag | Language | Output extension |
|---|---|---|
| -nim | NIM | .nim |
| -c | C | .h |
| -cpp | C++ | .hpp |
| -rust | Rust | .rs |
Syscall preset / function selection (mutually exclusive)
| Option | Description |
|---|---|
| -p all | All ~300+ supported syscalls |
| -p common | 31 commonly used Nt* functions (default) |
| -p donut | 14 functions used by the Donut shellcode loader |
| -f func1,func2,... | Explicit comma-separated list of function names |
Scramble flag
| Flag | Description |
|---|---|
| -x / --scramble | Randomize the 23 internal SPT_* symbol names |
Scrambling defeats static signature matching in binary analysis. Each generation with -x produces different internal symbol names. The public Nt* function names are not scrambled.
Output
| Option | Description |
|---|---|
| -o <path> | Output file path (extension will be appended automatically) |
If -o is omitted, the generated code is printed to stdout.
Gate (positional argument)
The gate selects the iterator and its default method. It is the last positional argument before any gate-specific options.
| Gate | Iterator | Default method |
|---|---|---|
| hell | Hell's Gate | direct |
| halo | Halo's Gate | direct |
| tartarus | Tartarus' Gate | direct |
| freshy | FreshyCalls | direct |
| syswhispers | SysWhispers2 | indirect |
| syswhispers3 | SysWhispers3 | random |
| canterlot | Canterlot's Gate | random |
| custom | User-chosen | User-chosen (see below) |
custom gate options
When using the custom gate, specify the iterator and method explicitly:
| Option | Values |
|---|---|
| -i <iterator> | hell, halo, tartarus, freshy, syswhispers, syswhispers3, canterlot |
| -m <method> | direct, indirect, random, egg_hunter |
Examples
# C header — Canterlot's Gate — common preset
sysplant generate -c -o syscalls canterlot
# NIM output — SysWhispers3 — three specific functions
sysplant generate -nim -f NtOpenProcess,NtWriteVirtualMemory,NtCreateThreadEx \
-o stubs syswhispers3
# C++ header — Halo's Gate — donut preset — scrambled symbols
sysplant generate -cpp -p donut -x -o donut_stubs halo
# Rust output — custom: canterlot iterator + egg_hunter method — all syscalls
sysplant generate -rust -p all -o full_stubs custom -i canterlot -m egg_hunter
# Print to stdout (no -o)
sysplant generate -c canterlot
# Scan for Nt* functions in a source tree
sysplant list ./implant/src
Real-world injection examples
Working injection examples (launching calc.exe as proof of concept) are provided in the example/ directory of the repository.
NIM
- Install winim and checksums:
  nimble install winim checksums
- Generate stubs:
  sysplant generate -o example/syscall canterlot
- Compile:
  nim c -d=release -d=danger -d=strip --opt=size -d=mingw \
    --app=console --cpu=amd64 --out=inject.exe example/inject.nim
- Transfer inject.exe to your Windows target.
C
- Install mingw-w64:
  sudo apt install mingw-w64
- Generate stubs:
  sysplant generate -c -o example/syscall canterlot
- Compile:
  x86_64-w64-mingw32-gcc -Wall -s -static -masm=intel \
    example/inject.c -o inject.exe
- Transfer inject.exe to your Windows target.
C++
- Install mingw-w64:
  sudo apt install mingw-w64
- Generate stubs:
  sysplant generate -cpp -o example/syscall canterlot
- Compile:
  x86_64-w64-mingw32-g++ -Wall -s -static -masm=intel \
    example/inject.cpp -o inject.exe
- Transfer inject.exe to your Windows target.
Rust
- Install cross-compilation toolchain:
  rustup target add x86_64-pc-windows-gnu
  sudo apt install mingw-w64
- Generate stubs:
  sysplant generate -rust -o example/rust-inject/src/syscall.rs canterlot
- Compile:
  cd example/rust-inject
  cargo build --release --target x86_64-pc-windows-gnu
- Transfer the .exe from target/x86_64-pc-windows-gnu/release/ to your Windows target.