Syscall Proxy is an open-source research project developed by TITAN Softwork Solutions, with inspiration from MDSEC, SysWhisperer and Hellsgate.
It implements a stub-based internal syscall dispatcher that bypasses user-mode hooks on ntdll.dll and sidesteps several lower-level kernel APIs (EDR/AC/AV evasion technique).
The project is powered by ActiveBreach, a dedicated syscall execution framework we built that:
- Dynamically extracts system service numbers (SSNs) from ntdll.dll
- Constructs syscall stubs for direct execution
- Uses a dispatcher model to invoke syscalls without routing through user-mode APIs
- Leverages a callback to prevent debugging.
For a deeper technical breakdown of why this works, see TECH.md.
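The three building blocks listed above (recover the SSN from a clean Nt* stub, emit a direct `syscall` stub for it, and dispatch by name) are small enough to show in full. The block below is an added example written for this page, not ActiveBreach's own code: it runs on a constructed in-memory "export list" instead of a real ntdll.dll, so the names, byte strings and SSN values (0x36, 0x55) are invented for illustration, the stub bytes are only produced and never executed, and the helper names (`extract_ssn`, `build_syscall_stub`, `build_table`, `lookup`) are this example's, not the project's API. The hook check it performs (reject a stub that does not start with the `mov r10, rcx; mov eax, imm32` prologue) is the caveat a practitioner would want even when reading ntdll from disk: an extractor should never guess an SSN from bytes it does not recognise.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sentinel for "no SSN could be recovered from this stub". */
#define SSN_UNKNOWN 0xFFFFFFFFu

/* Clean x64 Nt* prologue as found in an on-disk ntdll.dll:
 *   4C 8B D1        mov r10, rcx
 *   B8 xx xx 00 00  mov eax, <SSN>
 * Anything else (e.g. E9 = jmp rel32 planted by an inline hook) is rejected
 * rather than guessed. */
uint32_t extract_ssn(const uint8_t *stub, size_t len)
{
    if (len < 8) return SSN_UNKNOWN;
    if (stub[0] != 0x4C || stub[1] != 0x8B || stub[2] != 0xD1 || stub[3] != 0xB8)
        return SSN_UNKNOWN;
    return (uint32_t)stub[4] | ((uint32_t)stub[5] << 8) |
           ((uint32_t)stub[6] << 16) | ((uint32_t)stub[7] << 24);   /* imm32, little endian */
}

/* Emit an 11-byte direct stub: mov r10,rcx ; mov eax,ssn ; syscall ; ret.
 * A dispatcher copies this into RX memory and calls it through a function
 * pointer; here we only produce the bytes. Returns bytes written, 0 if the
 * buffer is too small. */
size_t build_syscall_stub(uint32_t ssn, uint8_t *out, size_t cap)
{
    static const uint8_t tmpl[11] = { 0x4C, 0x8B, 0xD1,             /* mov r10, rcx   */
                                      0xB8, 0x00, 0x00, 0x00, 0x00, /* mov eax, imm32 */
                                      0x0F, 0x05,                   /* syscall        */
                                      0xC3 };                       /* ret            */
    if (cap < sizeof tmpl) return 0;
    memcpy(out, tmpl, sizeof tmpl);
    out[4] = (uint8_t)ssn;         out[5] = (uint8_t)(ssn >> 8);
    out[6] = (uint8_t)(ssn >> 16); out[7] = (uint8_t)(ssn >> 24);
    return sizeof tmpl;
}

/* One export as the extractor would see it after walking the export table of
 * the ntdll buffer: the exported name and the code bytes at its address. */
typedef struct { const char *name; const uint8_t *code; size_t len; } nt_export;

typedef struct { const char *name; uint32_t ssn; uint8_t stub[16]; size_t stub_len; } syscall_entry;
typedef struct { syscall_entry e[16]; size_t n; } syscall_table;

/* Build the dispatch table from the export list. Only Nt* exports whose
 * prologue parses cleanly are kept; the number kept is returned. */
size_t build_table(syscall_table *t, const nt_export *ex, size_t n)
{
    t->n = 0;
    for (size_t i = 0; i < n && t->n < 16; i++) {
        if (strncmp(ex[i].name, "Nt", 2) != 0) continue;      /* Zw*, Rtl*, ... are skipped */
        uint32_t ssn = extract_ssn(ex[i].code, ex[i].len);
        if (ssn == SSN_UNKNOWN) continue;                       /* hooked, or not a syscall stub */
        syscall_entry *s = &t->e[t->n++];
        s->name = ex[i].name;
        s->ssn  = ssn;
        s->stub_len = build_syscall_stub(ssn, s->stub, sizeof s->stub);
    }
    return t->n;
}

/* Name -> entry lookup, the step an ab_call-style macro performs. */
const syscall_entry *lookup(const syscall_table *t, const char *name)
{
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->e[i].name, name) == 0) return &t->e[i];
    return NULL;
}

/* Constructed input for this example. The SSNs 0x36 and 0x55 are invented
 * here; real values change per Windows build, which is exactly why they are
 * extracted at runtime. The third export starts with a jmp, as an
 * inline-hooked in-memory copy would; the fourth parses but is not Nt*. */
static const uint8_t k_qsi[]    = { 0x4C, 0x8B, 0xD1, 0xB8, 0x36, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
static const uint8_t k_cf[]     = { 0x4C, 0x8B, 0xD1, 0xB8, 0x55, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
static const uint8_t k_hooked[] = { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
static const nt_export k_exports[] = {
    { "NtQuerySystemInformation", k_qsi,    sizeof k_qsi },
    { "NtCreateFile",             k_cf,     sizeof k_cf },
    { "NtHookedExample",          k_hooked, sizeof k_hooked },
    { "RtlInitUnicodeString",     k_qsi,    sizeof k_qsi },
};

/* Table entry for `name` from the constructed exports, NULL if not dispatchable. */
const syscall_entry *sample_entry(const char *name)
{
    static syscall_table t;
    build_table(&t, k_exports, sizeof k_exports / sizeof k_exports[0]);
    return lookup(&t, name);
}

/* SSN for `name` from the constructed exports, SSN_UNKNOWN if absent. */
uint32_t sample_ssn(const char *name)
{
    const syscall_entry *s = sample_entry(name);
    return s ? s->ssn : SSN_UNKNOWN;
}

int main(void)
{
    syscall_table t;
    size_t n = build_table(&t, k_exports, sizeof k_exports / sizeof k_exports[0]);
    printf("%zu dispatchable syscalls\n", n);
    for (size_t i = 0; i < t.n; i++) {
        printf("%-26s ssn=0x%02X stub=", t.e[i].name, t.e[i].ssn);
        for (size_t b = 0; b < t.e[i].stub_len; b++) printf("%02X ", t.e[i].stub[b]);
        printf("\n");
    }
    return 0;
}
```

On a real system the `nt_export` list would come from parsing the export directory of the ntdll.dll bytes read from disk, and each generated stub would be copied into executable memory before being called; neither step is shown here so that the example runs on any platform.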
| Bypass | Description |
|---|---|
| Global hooks on ntdll.dll | Reads ntdll.dll from disk directly into a buffer, bypassing any APIs that monitor library loading. |
| Remote process ntdll.dll hooks | Uses the internal ActiveBreach dispatcher instead of calling the hooked ntdll.dll directly. |
| Partial YARA/CADA evasion | Minimizes the presence of ntdll.dll in memory by zeroing out portions of it. |
| Sidestep | Description |
|---|---|
| PsSetLoadImageNotifyRoutine | Loads ntdll.dll manually rather than through the loader, so the kernel image-load notification (PsApi) does not fire. |
| MmLoadSystemImage | Maps ntdll.dll manually, preventing system image load tracking. |
Conventional call path through the hooked ntdll.dll:

```
User Process
│
├──▶ CreateFile (wrapper, kernel32.dll)
│        │
│        ▼
│    NtCreateFile (ntdll.dll)   <─── [Hooked by AntiVirus/AntiCheat]
│        │
│        ▼
│    [Hook Handler]             <─── (Monitoring, logging, blocking, etc.)
│        │
│        ▼
│    Kernel (Syscall)           <─── (Actual system call after handling)
│
▼
Return
```
Call path through ActiveBreach:

```
User Process
│
├──▶ ab_call("NtCreateFile")    <─── (Not "CreateFile": ActiveBreach only supports Nt functions)
│        │
│        ▼
│    Kernel (Syscall)           <─── (Direct system call without passing through ntdll.dll)
│
▼
Return
```
- C++ projects: include `ActiveBreach.hpp` and link with `ActiveBreach.cpp`:
  `#include <ActiveBreach.hpp>`
- C/C++ universal projects: include `ActiveBreach.h` and link with `ActiveBreach.c`:
  `#include "ActiveBreach.h"`
Call the initialization function before any syscalls:
- C++ example (the optional `"LMK"` argument prints a status message):
  `ActiveBreach_launch("LMK");`
- C/C++ example:
  `ActiveBreach_launch();`
This function maps ntdll.dll, extracts the syscall numbers, builds the syscall stubs, and sets up the dispatcher.
Use the `ab_call` macro to invoke syscalls dynamically. You must supply:
- the NT function type (a function-pointer typedef matching the Nt* prototype)
- the syscall name
- the required arguments
Example for NtQuerySystemInformation:
```cpp
// Caller-supplied function-pointer type matching the NtQuerySystemInformation prototype
typedef NTSTATUS(NTAPI *NtQuerySystemInformation_t)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);

NTSTATUS status;
status = ab_call(NtQuerySystemInformation_t, "NtQuerySystemInformation", infoClass, buffer, bufferSize, &returnLength);
```
(For C, the syntax is similar but may pass the status as an additional parameter.)
No manual cleanup is needed—resources are automatically released at program exit.
- Windows 11/10, x64
- MSVC, C++17/20
- Open `ActiveBreach.sln` in Visual Studio.
- Build the solution.
ActiveBreach is a research project developed by TITAN Softwork Solutions and is licensed under CC BY-NC 4.0:
You are free to:
✔ Share — Copy and redistribute this software in any format.
✔ Adapt — Modify and build upon it.
However:
❌ No Commercial Use — This software cannot be used in for-profit applications.
✔ Attribution Required — You must credit TITAN Softwork Solutions as the original creator.
✏ Modifications Must Be Documented — If you make changes, you must state what was modified.
Full License: CC BY-NC 4.0
We are not responsible for anything done with this code. It is provided under public domain and is free-use; what users do with this falls under their personal obligations. We do not condone unethical use of this project; you are liable for your own actions.