Direct Windows Syscalls. Dynamic offsets. Validation. Obfuscation.
Bypass user mode hooks and work across Windows versions with a single SDK.
Features • Install • Usage • BuildTools • Docs • Contribute • License
- Direct Syscall Access: Bypass Windows API hooks by calling NT kernel syscalls directly.
- Dual Mode: Single codebase, two static libraries:
SysCaller(user mode,Nt/Sysprefix)SysCallerK(kernel mode,Zw/SysKprefix)
- Dynamic Offset Resolution: Automatically detects syscall IDs for compatibility across Windows 10/11 (x64).
- Obfuscation Layer: Optional, randomized stub generation and anti pattern junk for stealth.
- Comprehensive GUI: Validate, verify, and protect syscalls with a modern interface.
- Multi Language Ready: Official bindings and examples for C, Rust, Python, and Go. Easily extendable to more languages.
- Modular Build System: Visual Studio (MASM) and CMake support.
SysCaller is now not just for C++! The SDK now provides official bindings and ready to use DLL injection examples for:
- C++ (C++ Example)
- C (C Example)
- C# (C# Example)
- Rust (Rust Example)
- Nim (Nim Example)
- Python (Python Example)
- Go (Go Example)
Each example demonstrates direct DLL injection using the SysCaller API, with full source and build instructions in each language’s folder. These are bare minimum examples meant to show simple usage, now you can expand syscalls and methodology.
Want to add support for another language? PRs and suggestions are welcome!
- Features
- Installation
- How to Build and Use Bindings (All Languages)
- Usage
- SysCaller BuildTools
- Documentation
- Contributing
- License
- Disclaimer
- Windows 10 or 11 (x64)
- Visual Studio 2019+ (with MASM)
- Python 3.8+ (for build tools)
# Clone the repo
$ git clone https://github.com/micREsoft/SysCaller.git
$ cd SysCaller
# Install Python dependencies
$ pip install -r requirements.txt
# Launch the BuildTools GUI
$ cd BuildTools
$ python syscaller.py- Use the GUI to run Validation, Compatibility, and Verification checks.
- Optionally enable Obfuscation (experimental).
- Open
SysCaller.slnin Visual Studio - Select the SysCaller project
- Set configuration to
Release | x64 - Build via GUI → Build SysCaller → outputs
x64/Release/SysCaller.lib
- Install the Windows Driver Kit (WDK)
- In
SysCaller.sln, select SysCallerK - Set configuration to
Release | x64 - Build via GUI → Build SysCallerK → outputs
x64/Release/SysCallerK.lib
Note: Kernel mode is experimental. Use a VM for testing. Driver signing or Secure Boot off may be required.
# Run integrity checks in the GUI first
$ cd SysCaller/Wrapper
# Edit CMakeLists.txt to set your C++ standard (17/20/23)
$ mkdir build && cd build
$ cmake .. -A x64
$ cmake --build . --config ReleaseNote: CMake script for Kernel mode does not exist, but it is planned.
To use SysCaller from C, C++, Rust, Python, Go, or any other language that supports C bindings, follow these steps:
-
Launch the BuildTools GUI:
cd BuildTools python syscaller.py -
Enable Bindings:
- Go to the Settings tab in the GUI.
- Enable the Bindings option.
- Adjust any other settings you want (select syscalls, enable obfuscation, etc).
-
Run Validation:
- In the GUI, run the Validation tool.
- This will generate a
SysCaller.deffile inSysCaller/Wrapper/.
-
Build the DLL:
- Add
Wrapper/SysCaller.defto your module definitions in your build system. - Build the SysCaller project as a DLL (
SysCaller.dll).
- Add
-
Use in Your Language of Choice:
- Follow the language specific README in
Bindings/Examples/<language>/for how to use the DLL in C, Rust, Python, Go, etc.
- Follow the language specific README in
Tip:
The language example folders contain minimal working injectors and build instructions for each language. Expand from there for your own projects!
- Include headers:
- Add
Wrapper/includeto your include paths - Link against
SysCaller.lib(user) orSysCallerK.lib(kernel)
- Add
- Import the main header:
#include "syscaller.h"
- Call syscalls directly:
// User mode example NTSTATUS status = SysAllocateVirtualMemory( processHandle, &baseAddress, 0, ®ionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// Kernel mode example NTSTATUS status = SysKAllocateVirtualMemory( ZwCurrentProcess(), &base, 0, ®ionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#include "syscaller.h"
bool WriteToProcessMemory(HANDLE processHandle, PVOID targetAddress, PVOID data, SIZE_T size) {
SIZE_T bytesWritten;
NTSTATUS status = SysWriteVirtualMemory(
processHandle, targetAddress, data, size, &bytesWritten);
return NT_SUCCESS(status) && (bytesWritten == size);
}Note: For more usage demos & examples checkout Examples!
SysCaller includes a full featured BuildTools GUI with capabilities like:
| Tool | Description |
|---|---|
| Validation | Updates syscall offsets, checks for missing/invalid stubs |
| Compatibility | Analyzes syscall compatibility across Windows versions |
| Verification | Checks return/parameter types, offset ranges, and header consistency |
| Obfuscation | Randomizes names/offsets, adds junk instructions for stealth, and more |
| Stub Mapper | Custom obfuscation and mapping for individual syscalls |
| Hash Compare | Compare stub hashes across builds/files |
| Global Profile | Import/Export SysCaller profiles via .ini config |
| Settings | Configure global syscall and protection options |
- All tools are accessible via the BuildTools GUI (
python syscaller.pyinBuildTools/).
- SysCaller Wiki
- SysCaller Nt Usage
- SysCaller Zw Usage
- Windows NT Syscall Reference
- Windows Kernel Docs
Pull requests, issues, and feature suggestions are welcome! Please:
- Read the CONTRIBUTING.md
- Follow the GPLv3 license
- Use issues for bug reports and feature requests
- See the Wiki for contribution guidelines
If you find SysCaller useful, consider starring the repo to help others discover it.
SysCaller is licensed under the GNU General Public License v3.0. See LICENSE for details.
Educational Use Only: SysCaller is for research and educational purposes. Use responsibly and legally.
No Warranty: The authors are not liable for misuse or damages. Always test in controlled environments.
SysCaller — Bridging the gap between user mode and kernel mode