⚠️ Private Research Phase — This repository documents an active security research project focused on Windows NT internals.
Read the Legal Disclaimer before proceeding.
Artemis is a low-level, modular offensive security framework written in C and x86/x64 Assembly, purpose-built for Windows NT internals research. It operates as a Syscall Forge — automating the generation of system call stubs that execute entirely below the user-mode API layer, rendering conventional EDR hook-based telemetry blind.
The framework is built around three isolated engines, each wired through a single shared header:
| Engine | Role | Description |
|---|---|---|
| Hunter | SSN Discovery | Resolves System Service Numbers from a compiled, build-specific 14,869-entry database |
| Blacksmith | Stub Forge | Generates MASM-ready .asm stubs for direct or indirect syscall invocation |
| Crypto Vault | Stub Encryption | Secures shellcode stubs against memory scanners using XOR, Rolling XOR, and RC4 |
```text
artemis/
├── assets/          # Visual branding and icons (.ico, .png)
├── bin/             # Compiled release binaries
├── include/         # Shared headers — structs, enums, ANSI color definitions
├── output/          # Generated stubs and encrypted header files
├── src/
│   ├── core/        # CLI logic, help system, and interactive UI
│   ├── database/    # SSN lookup engine and database routines
│   ├── engine/      # Stub forge and cryptographic forge implementations
│   └── main.c       # Entry point and integrity audit
└── templates/       # Stub and payload output templates
```
Resolves the correct System Service Number for any NT API function by querying a compiled, build-specific database.
- Coverage: Windows 10 / 11 — builds 10240 through 26100
- Matching: Fully case-insensitive on API name, OS build, and target architecture
Generates MASM-ready .asm files for direct inclusion in Windows projects.
- Direct Mode: Executes the `syscall` instruction inline, bypassing all user-mode hooks
- Indirect Mode: Jumps to an unhooked `syscall` gadget in `ntdll.dll`, spoofing the call stack return address
Secures generated stubs against memory scanners and static analysis using four native cipher implementations:
- XOR / Multi-byte XOR
- Rolling XOR
- RC4 Stream Cipher
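As an added, defender-side illustration that is not part of Artemis (the function names and the sample bytes below are constructed here): the signature a memory scanner applies to find an x64 NT syscall stub and read the SSN it carries, and what that same scan returns once the bytes have been XOR-encrypted, which is the check the stub-encryption modes above are meant to defeat.

```c
#include <stddef.h>
#include <stdint.h>

/* Defender-side memory-scanner check: find the canonical x64 NT syscall
 * stub prologue (mov r10, rcx ; mov eax, imm32 ; ... ; syscall) in a byte
 * region and recover its SSN. Returns the stub count; SSNs go to `ssns`. */
size_t find_syscall_stubs(const uint8_t *buf, size_t len, uint32_t *ssns, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i + 10 <= len; i++) {
        /* 4C 8B D1 = mov r10, rcx ; B8 imm32 = mov eax, SSN */
        if (buf[i] != 0x4C || buf[i + 1] != 0x8B || buf[i + 2] != 0xD1 || buf[i + 3] != 0xB8)
            continue;
        uint32_t ssn = (uint32_t)buf[i + 4] | (uint32_t)buf[i + 5] << 8 |
                       (uint32_t)buf[i + 6] << 16 | (uint32_t)buf[i + 7] << 24;
        /* syscall (0F 05) must follow within a short window: a bare direct stub
         * places it at once, ntdll's stub first tests a SharedUserData flag. */
        int has_syscall = 0;
        for (size_t j = i + 8; j + 2 <= len && j < i + 24; j++)
            if (buf[j] == 0x0F && buf[j + 1] == 0x05) { has_syscall = 1; break; }
        if (!has_syscall)
            continue;
        if (found < max)
            ssns[found] = ssn;
        found++;
    }
    return found;
}

/* Constructed sample: filler, then a stub shaped like ntdll's NtOpenProcess
 * on build 22621 (SSN 0x26, the value shown in this page's usage output). */
static const uint8_t kSample[] = {
    0x90, 0x90, 0xCC, 0x48, 0x31, 0xC0,             /* filler */
    0x4C, 0x8B, 0xD1,                               /* mov r10, rcx */
    0xB8, 0x26, 0x00, 0x00, 0x00,                   /* mov eax, 26h */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, /* test byte ptr [7FFE0308h], 1 */
    0x75, 0x03,                                     /* jne +3 */
    0x0F, 0x05,                                     /* syscall */
    0xC3, 0x90, 0x90                                /* ret, filler */
};
/* Scan the sample, optionally after a single-byte XOR with `key` (0 = plain),
 * the simplest mode listed above; returns how many stubs the signature still sees. */
size_t scan_sample(uint8_t key, uint32_t *ssn_out)
{
    uint8_t buf[sizeof kSample];
    for (size_t i = 0; i < sizeof kSample; i++)
        buf[i] = kSample[i] ^ key;
    return find_syscall_stubs(buf, sizeof buf, ssn_out, 1);
}
```

The plaintext region yields one stub with SSN 0x26; after XOR with any non-zero key the same bytes no longer match the prologue signature, so a scanner keyed on it has to decrypt or emulate first.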
Requirements: GCC and windres via MinGW.
```shell
# 1. Compile the icon resource
windres src/resources.rc -o assets/resources.o
# 2. Build the production binary
gcc src/main.c src/core/*.c src/database/lookup.c src/engine/generator.c \
    assets/resources.o -o bin/artemis.exe \
    -I include -lshell32 -lole32 -luser32 -lntdll -O2 -s
```
```text
Shell> ssn -api NtOpenProcess -build 22621 -arch x64
[+] SUCCESS: SSN for NtOpenProcess is 0x0026
Shell> forge -api NtOpenProcess -build 22621 -mode indirect -enc rc4 -key S3cr3t
[*] Forging encrypted shellcode stub for NtOpenProcess...
[+] Forge complete: output/NtOpenProcess_crypt.h
```
| Status | Feature | Description |
|---|---|---|
| ✅ Complete | SSN Discovery | Dynamic resolution across 14,869 database entries |
| ✅ Complete | Stub Synthesis | Direct and indirect syscall stub generation |
| ✅ Complete | Crypto Vault | XOR, Rolling XOR, and RC4 encryption modules |
| 🔄 In Progress | Batch Forge | Process multiple APIs in a single command |
| 🔄 In Progress | Weaponization | Template-based artifact generation |
| ⏳ Planned | Stack Spoofing | Synthetic call stack construction for evasion |
This framework is developed exclusively for authorized penetration testing, security research in controlled environments, and academic study of Windows NT internals.
Deploying this tool or any output it generates against systems you do not own or have explicit written authorization to test is a criminal offense under applicable law. The author accepts no liability for misuse or any resulting damages.
Piyusha Akash — 0x3xp