Windows Syscall SDK with dynamic offset resolution, validation, and obfuscation
Direct syscall access across Windows versions with ease
Features • Overview • Installation • Usage • Documentation • Considerations • Contributing • License • Disclaimer
- Direct Syscall Access: Bypass Windows API hooks by communicating directly with the NT kernel
- Dual Mode Operation: Single code-base delivers two static libraries:
- SysCaller – user-mode (
Nt/Sysprefix) - SysCallerK – kernel-mode (
Zw/SysKprefix)
- SysCaller – user-mode (
- Kernel Ready: Build the SysCallerK variant with the Windows Driver Kit (WDK) and VS22 Kernel Mode Driver toolset (VS 2022 supported)
- Dynamic Offset Resolution: Automatic syscall ID detection for compatibility across Windows versions
- Advanced Protection: Optional obfuscation layer to conceal syscall patterns and evade detection
- Comprehensive GUI Tools: Validate, verify, and protect syscalls through an intuitive interface
- Cross Version Compatible: Fully tested on Windows 10 and 11 (x64)
- Multi Language Support: Primary C++ implementation with planned bindings for Rust, GO, and more
SysCaller provides a thin abstraction layer over Windows NT system calls, allowing developers to:
- Bypass API Hooking: Access syscalls directly without relying on hooked user-mode DLLs
- Maximize Compatibility: Dynamically resolve syscall IDs to work across different Windows versions
- Enhance Security: Apply obfuscation techniques to prevent static analysis and detection
- Simplify Development: Use a consistent API for syscalls across user-mode and kernel-mode applications
The SDK implements hundreds of Windows NT native functions with proper type definitions and parameter validation, making low level programming more accessible.
- Windows 10+ (x64) operating system
- Visual Studio with MASM support (2019 or newer recommended)
- Python 3.8+ (for build tools)
-
Clone the repository
git clone https://github.com/WindowsAPI/SysCaller.git cd SysCaller -
Install Python dependencies
pip install -r requirements.txt
-
Run the BuildTools GUI
cd BuildTools python syscaller.py -
Run Integrity Checks
- In the GUI, click "Validation Check" to update syscall offsets
- Run "Compatibility Check" and "Verification Check" to ensure full compatibility
- Optionally run "Obfuscation" to add protection layer
- (NOTE: Obfuscation is still heavily experimental! Sometimes it doesnt work, and you have to generate a new
SysCaller.lib)
-
Build the User Mode library (SysCaller)
- Open
SysCaller.slnin Visual Studio - Select the SysCaller project
- Set Configuration to Release and Platform to x64
- Ensure the C++ standard is 17 or newer
- Build → Build SysCaller → produces
x64/Release/SysCaller.lib
- Open
-
Run Integrity Checks
- In the GUI, click "Validation Check" to update syscall offsets
- Run "Compatibility Check" and "Verification Check" to ensure full compatibility
- Optionally run "Obfuscation" to add protection layer
- (NOTE: Obfuscation is still heavily experimental! Sometimes it doesnt work, and you have to generate a new
SysCaller.lib)
-
Configure CMake
cd SysCaller/Wrapper -
Update C++ standard in CMakeLists.txt Open
CMakeLists.txtand set your C++ standard version (17, 20, or 23):set(CMAKE_CXX_STANDARD #CHANGEME) # Change to your required version
-
Build the library
mkdir build && cd build cmake .. -A x64 cmake --build . --config Release
The solution contains a second project named SysCallerK. To compile it you need the WDK components that come with the Kernel-Mode Driver workload.
- Install the WDK (during VS installation setup choose Windows Driver Kit or install the Kernel-Mode Driver, C++ workload).
- In
SysCaller.slnchange the Startup Project (or selection in Solution Explorer) to SysCallerK. - Select the
Release | x64configuration. - Run the GUI/BuildTools to your liking. (make sure Kernel Mode is selected under settings)
- Build → Build SysCallerK → produces
x64/Release/SysCallerK.lib.
⚠️ CMake for Kernel Mode coming soon. Also note Kernel Mode is still super experimental I suggest using VM to test any kernel implementations using SysCaller.
⚠️ Building kernel components usually requires driver signing certificates or disabling Secure Boot / Driver Signature Enforcement on the test machine. Follow the Microsoft Docs before loading code built with SysCallerK.
-
Add to your project
- Include the
Wrapper/includedirectory in your include paths - Add the path and input for
SysCaller.libto your linker dependencies
- Include the
-
Import the header
#include "syscaller.h"
-
Use syscalls directly
// user-mode syscall (Nt/Sys) NTSTATUS status = SysAllocateVirtualMemory( processHandle, &baseAddress, 0, ®ionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE ); // kernel-mode syscall (Zw/SysK) NTSTATUS status = SysKAllocateVirtualMemory( processHandle, &baseAddress, 0, ®ionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );
#include "syscaller.h"
bool WriteToProcessMemory(HANDLE processHandle, PVOID targetAddress, PVOID data, SIZE_T size) {
SIZE_T bytesWritten;
// direct syscall to write memory - bypasses potential hooks in WriteProcessMemory
NTSTATUS status = SysWriteVirtualMemory(
processHandle,
targetAddress,
data,
size,
&bytesWritten
);
return NT_SUCCESS(status) && (bytesWritten == size);
}#include "syscaller.h"
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING path) {
SIZE_T regionSize = 0x1000;
PVOID base = nullptr;
NTSTATUS st = SysKAllocateVirtualMemory(
ZwCurrentProcess(),
&base,
0,
®ionSize,
MEM_COMMIT | MEM_RESERVE,
PAGE_READWRITE);
return st;
}- For more examples look at the Examples repo.
The SysCaller GUI provides additional tools for working with syscalls:
- Stub Mapper: Create custom syscall mappings using predefined techniques to enhance obfuscation
- Hash Stubs: Create Hashes for each Assembly Stub + Build Config
- Hash Compare: Compare two or more files containing Stub Hashes
- Stub Craft: Design and validate custom syscall stubs manually (WIP)
- Settings: Configure global syscall behavior and protection options
- Windows NT Syscall Documentation
- Windows Kernel Reference
- Windows API Reference
- Windows NT Reference
For comprehensive documentation and guides, check out the SysCaller Wiki.
The full API documentation is available in the header files:
Wrapper/include/syscaller.h- Main SDK headerWrapper/include/Sys/sysFunctions.h- Syscall function declarationsWrapper/include/Sys/sysTypes.h- Windows NT type definitionsWrapper/include/Sys/sysExternals.h- External function references
SysCaller is intended for educational and legitimate security research. When using this library:
- Ensure proper error handling for all syscalls
- Be aware that direct syscalls may bypass security mechanisms
- Test thoroughly in controlled environments before deployment
Contributions to SysCaller are welcome! Please feel free to submit pull requests, create issues, or suggest new features.
If you've cloned or are enjoying this project, please consider ⭐ it on GitHub to help others discover SysCaller!
This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.
- Educational Purpose: SysCaller is created for educational and research purposes.
- Legitimate Use: While the library can be used to bypass certain security mechanisms, it is intended for legitimate security research, penetration testing, and software development.
- No Liability: The authors are not responsible for any misuse of this library or any actions taken with it.
- Legal Compliance: Users must ensure they comply with all applicable laws and regulations when using this software.
SysCaller - Bridging the gap between user mode and kernel mode