Import Table Reconstructor powered by SysCaller (Scylla rebuild)
Allycs is a modernized Scylla rebuild that uses SysCaller for native, syscall-powered PE import reconstruction. It avoids traditional API hooks by invoking syscalls directly, which makes it useful for stealthy dumping.
What's new:
- (SysCaller only supports x64)
- Native syscall usage (WinAPI-less execution)
- Added "Dont Compact Raw Data"
- Removed a lot of bloat
- Powered by SysCaller SDK
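A defender's view of the direct-syscall approach described above, as an added example that is not part of Allycs or SysCaller: the stubs live in the tool's own image rather than in ntdll.dll, so user-mode hooks never see the call, but the stub bytes remain visible to a static or memory scan. The stub shape matched here is the conventional x64 one and is an assumption about SysCaller's default stubs; the function names, base address and sample bytes are constructed for illustration.

```python
import struct

PROLOGUE = b"\x4c\x8b\xd1\xb8"      # mov r10, rcx ; mov eax, imm32
SYSCALL_RET = b"\x0f\x05\xc3"       # syscall ; ret
WINDOW = 24                          # bytes searched after the imm32
STUB_OWNERS = {"ntdll.dll", "win32u.dll"}   # modules expected to hold stubs


def find_direct_syscall_stubs(code, base=0):
    """Return [(address, service_number)] for each stub-shaped byte run."""
    hits = []
    pos = code.find(PROLOGUE)
    while pos != -1:
        imm_at = pos + len(PROLOGUE)
        if imm_at + 4 <= len(code):
            ssn = struct.unpack_from("<I", code, imm_at)[0]
            tail = code[imm_at + 4:imm_at + 4 + WINDOW]
            # NT service numbers fit in 12 bits; larger values are chance matches.
            if ssn < 0x1000 and SYSCALL_RET in tail:
                hits.append((base + pos, ssn))
        pos = code.find(PROLOGUE, pos + 1)
    return hits


def suspicious_stubs(module_name, code, base=0):
    """Stubs are a finding only when the image is not a system stub module."""
    if module_name.lower() in STUB_OWNERS:
        return []
    return find_direct_syscall_stubs(code, base)


def constructed_sample():
    """Constructed bytes: two stub shapes, a bare syscall, an orphan prologue."""
    classic = bytes.fromhex("4c8bd1 b818000000 0f05 c3")
    checked = bytes.fromhex(
        "4c8bd1 b850000000 f604250803fe7f01 7503 0f05 c3 cd2e c3")
    bare = bytes.fromhex("90 0f05 c3 90")
    orphan = bytes.fromhex("4c8bd1 b826000000") + b"\x90" * 40
    return b"\xcc" * 16 + classic + b"\xcc" * 5 + checked + bare + orphan


if __name__ == "__main__":
    # Module name taken from the page's output binary; base address is constructed.
    for addr, ssn in suspicious_stubs("Allycs.exe", constructed_sample(),
                                      base=0x140001000):
        print(f"stub at {addr:#x}, service number {ssn:#x}")
```

A byte signature like this only covers plain stubs; obfuscated stubs need a different signal, such as checking whether the return address of a syscall lies outside ntdll.dll.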
Ensure you have the C++20 toolset enabled.
You will need to build SysCaller with the proper syscalls; more info below.
Install vcpkg if not already installed, then run:
    vcpkg install distorm:x64-windows-static tinyxml2:x64-windows-static wtl:x64-windows-static
- Clone and open SysCaller via PY BuildTools first.
- Ensure the following syscall stubs are selected under the Integrity Tab:
  - SysAllocateVirtualMemoryEx
  - SysClose
  - SysCreateSection
  - SysCreateThreadEx
  - SysDuplicateObject
  - SysFreeVirtualMemory
  - SysGetContextThread
  - SysMapViewOfSection
  - SysOpenProcess
  - SysOpenSymbolicLinkObject
  - SysOpenThread
  - SysProtectVirtualMemory
  - SysQueryInformationFile
  - SysQueryInformationProcess
  - SysQueryInformationThread
  - SysQueryObject
  - SysQuerySymbolicLinkObject
  - SysQuerySystemInformation
  - SysQueryVirtualMemory
  - SysResumeProcess
  - SysResumeThread
  - SysSetContextThread
  - SysSetInformationThread
  - SysSuspendProcess
  - SysSuspendThread
  - SysTerminateProcess
  - SysUnmapViewOfSection
  - SysWriteVirtualMemory
- After that, run the Validation/Compatibility checks.
- Important: Use only the default (non-obfuscated) stubs in Release mode. Obfuscated stubs currently work only in Debug mode, due to unresolved configuration conflicts in Allycs.
- Now open SysCaller.sln in Visual Studio 2022.
- Set the build to Release if using default stubs or Debug if using obfuscated stubs, and the C++ standard to C++20 (if not already).
- Build the project to generate SysCaller.lib.
- Copy the built files from SysCaller into Allycs:
    SysCaller.lib → sdk/SysCaller/lib
    SysFunctions.h → sdk/SysCaller/include/Sys
- Open Allycs.sln in Visual Studio 2022.
- Set to x64 & Release mode if not already.
- Build the Allycs project.
- Output binary: build\x64\Release\Allycs.exe
Run Allycs and have fun! Enjoy this modern rebuild of Scylla with Syscalls.
If you want to integrate Allycs into x64dbg, you'll need to modify x64dbg to call Allycs instead of Scylla. After doing so, follow the steps below.
- Open the Allycs project in Visual Studio 2022.
- In the project settings:
  - Change the output type from Console Application to Dynamic Link Library
  - Set Configuration Type to Dynamic Library (.dll)
- Create a new file in your project root named allycs_export_definitions.def:
LIBRARY Allycs
EXPORTS
DumpProcessW @ 1
AllycsDumpCurrentProcessW @2
AllycsDumpCurrentProcessA @3
AllycsDumpProcessW @4
AllycsDumpProcessA @5
AllycsRebuildFileW @6
AllycsRebuildFileA @7
AllycsVersionInformationW @8
AllycsVersionInformationA @9
AllycsVersionInformationDword @10
AllycsStartGui @11
AllycsIatSearch @12
AllycsIatFixAutoW @13
- Right-click the Allycs project > Properties.
- Navigate to: Linker > Input.
- Set the Module Definition File to allycs_export_definitions.def.
- Build the DLL. You can now load Allycs.dll from x64dbg in place of Scylla.dll!
This project is licensed under GNU General Public License v3.0 — see LICENSE for details.
Allycs is intended strictly for educational and research use.
The author assumes no responsibility for any misuse or damage caused by this software.
Built on the foundation of Scylla. Reinforced with native syscalls.