Comprehensive Windows Syscall Extraction & Analysis Framework
Discover every syscall. Resolve every parameter. Map the undocumented.
If you find this research valuable, I'd appreciate a coffee:
Important: This project is in early development. While functional and tested on multiple systems, it certainly has bugs and edge cases that haven't been discovered yet. I'm actively working on improvements and welcome feedback! Despite its early stage, I hope NTSleuth proves helpful for your Windows internals research and reverse engineering projects.
Please report any issues you encounter - your feedback helps make this tool better for everyone!
NTSleuth is an advanced Windows syscall extraction and analysis framework that automatically discovers, documents, and analyzes system calls across all Windows architectures. It's a comprehensive reverse engineering tool that provides deep insights into Windows internals with high accuracy.
- 2,400+ Syscalls Extracted - Complete coverage of ntdll.dll and win32u.dll
- 1,100+ Function Signatures - Integrated PHNT database from System Informer
- 3 Architectures Supported - Native ARM64, x64, and x86 analysis
- 100% Automated - From extraction to parameter resolution
- < 4 Second Extraction - Lightning-fast analysis engine
- Multi-Architecture Disassembly - ARM64 (SVC), x64 (SYSCALL), x86 (INT 2E/SYSENTER)
- Complete Module Coverage - ntdll.dll, win32u.dll, and WOW64 variants
- Stub Analysis - Extracts and analyzes syscall stub bytes
- Alias Detection - Identifies Nt/Zw function relationships
- True Syscall Verification - Distinguishes actual syscalls from regular exports
- PHNT Database Integration - 1,100+ authoritative function signatures
- SAL Annotation Support - Complete In, Out, Inout, opt preservation
- Multi-Method Resolution:
- Primary: PHNT database lookup
- Secondary: Pattern-based matching
- Tertiary: Assembly code analysis
- Quaternary: Heuristic inference
- Quinary: Cross-reference learning
- Confidence Scoring - Reliability ratings for each resolution (0.0-1.0)
- JSON Export - Structured data with complete metadata
- C/C++ Headers - Ready-to-use header files with prototypes
- Interactive Lookup - Query individual syscalls with rich formatting
- Documentation Links - Direct references to ntdoc.m417z.com
- Symbol Resolution - Automatic PDB download from Microsoft Symbol Server
- Local Caching - Intelligent cache management for symbols and PHNT data
- Offline Mode - Works without internet after initial cache population
+===================================================================+
| Windows Syscall Extraction & Automated Parameter Resolution Tool |
| ARM64 | x64 | x86 Syscall Analysis |
| v1.0.0 by Alexander Hagenah • @xaitax |
+===================================================================+
[*] INITIALIZATION
[+] Initializing NtSleuth Engine...
[+] Output directory: output
[+] Symbol cache: cache\symbols
[*] PARAMETER DATABASE
[+] Loading PHNT database for parameter resolution...
[+] PHNT database initialized with 1109 function signatures
[*] SYSCALL EXTRACTION
[+] Extracting syscalls from system modules...
[*] PARAMETER RESOLUTION
[+] Resolving parameters from PHNT database...
[+] Resolved parameters for 1103 syscalls from PHNT
[*] EXTRACTION RESULTS
> System Information
* Target OS: 10.0.26220.5770 (ARM64)
* Build: 26220.5770
> Syscall Statistics
* Total syscalls found: 2461
-> ntdll.dll: 978 total
-> win32u.dll: 1483 total
> Performance Metrics
* Extraction time: 402 ms
[*] SAVING RESULTS
[+] JSON output saved to: output/syscalls.json
[+] C header saved to: output/syscalls.h
NTSleuth has successfully extracted all syscalls!
Happy hunting!
Download the latest release for your architecture from the release page.
Note: Binaries are statically linked and don't require Visual C++ Redistributables
- Windows 10/11 (any architecture)
- Visual Studio 2019+ with C++ workload
- CMake 3.20+
git clone https://github.com/xaitax/NTSleuth.git
cd NTSleuth
build.bat
mkdir build && cd build
cmake .. -G "Visual Studio 17 2022" -A x64
cmake --build . --config Release
# Extract all syscalls with default settings
ntsleuth.exe
# Extract with full parameter resolution
ntsleuth.exe --auto-params
# High-confidence parameter resolution only
ntsleuth.exe --auto-params --param-confidence 0.9
# Query specific syscall information
ntsleuth.exe --lookup NtCreateProcess
Example Output:
+===================================================================+
| Windows Syscall Extraction & Automated Parameter Resolution Tool |
| ARM64 | x64 | x86 Syscall Analysis |
| v1.0.0 by Alexander Hagenah • @xaitax |
+===================================================================+
======================================================================
SYSCALL INFORMATION: NtCreateProcess
======================================================================
[Module] ntdll.dll
[Number] 0xC0 (192)
[RVA] 0x1C40
[Return Type] NTSTATUS
[Convention] stdcall
[Is Syscall] Yes
[Parameters]
----------------------------------------------------------------------
[0] PHANDLE ProcessHandle [_Out_]
[1] ACCESS_MASK DesiredAccess [_In_]
[2] PCOBJECT_ATTRIBUTES ObjectAttributes [_In_opt_]
[3] HANDLE ParentProcess [_In_]
[4] BOOLEAN InheritObjectTable [_In_]
[5] HANDLE SectionHandle [_In_opt_]
[6] HANDLE DebugPort [_In_opt_]
[7] HANDLE TokenHandle [_In_opt_]
[Function Signature]
----------------------------------------------------------------------
NTSTATUS stdcall NtCreateProcess(
_Out_ PHANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes,
_In_ HANDLE ParentProcess,
_In_ BOOLEAN InheritObjectTable,
_In_opt_ HANDLE SectionHandle,
_In_opt_ HANDLE DebugPort,
_In_opt_ HANDLE TokenHandle
);
[Stub Bytes] (first 32 bytes)
----------------------------------------------------------------------
01 18 00 d4 c0 03 5f d6 00 00 00 00 00 00 00 00
21 18 00 d4 c0 03 5f d6 00 00 00 00 00 00 00 00
[Documentation]
----------------------------------------------------------------------
https://ntdoc.m417z.com/ntcreateprocess
(Detailed parameter documentation and usage examples)
======================================================================
| Option | Description |
|---|---|
| --auto-params | Enable advanced parameter resolution |
| --param-confidence <n> | Set minimum confidence (0.0-1.0) |
| --no-ntdll | Skip ntdll.dll extraction |
| --no-win32u | Skip win32u.dll extraction |
| --wow64 | Extract WOW64 (32-bit) syscalls |
| --no-symbols | Skip symbol download |
| --no-cache | Disable cache usage |
| --format <type> | Output format: json, header, both |
| --lookup <name> | Query specific syscall |
| --clear-cache | Clear all caches |
| -v, --verbose | Enable verbose logging |
Complete syscall metadata with full fidelity:
{
"calling_convention": "stdcall",
"is_true_syscall": true,
"module": "ntdll.dll",
"name": "NtCreateProcessEx",
"parameters": [
{
"is_const": false,
"is_input": false,
"is_optional": false,
"is_output": true,
"is_pointer": true,
"name": "ProcessHandle",
"sal_annotation": "_Out_",
"type": "PHANDLE"
},
{
"is_const": false,
"is_input": true,
"is_optional": false,
"is_output": false,
"is_pointer": false,
"name": "DesiredAccess",
"sal_annotation": "_In_",
"type": "ACCESS_MASK"
},
{
"is_const": false,
"is_input": true,
"is_optional": true,
"is_output": false,
"is_pointer": true,
"name": "ObjectAttributes",
"sal_annotation": "_In_opt_",
"type": "PCOBJECT_ATTRIBUTES"
},
{
"is_const": false,
"is_input": true,
"is_optional": false,
"is_output": false,
"is_pointer": false,
"name": "ParentProcess",
"sal_annotation": "_In_",
"type": "HANDLE"
},
{
"is_const": false,
"is_input": true,
"is_optional": false,
"is_output": false,
"is_pointer": false,
"name": "Flags",
"sal_annotation": "_In_",
"type": "ULONG"
},
{
"is_const": false,
"is_input": true,
"is_optional": true,
"is_output": false,
"is_pointer": false,
"name": "SectionHandle",
"sal_annotation": "_In_opt_",
"type": "HANDLE"
},
{
"is_const": false,
"is_input": true,
"is_optional": true,
"is_output": false,
"is_pointer": false,
"name": "DebugPort",
"sal_annotation": "_In_opt_",
"type": "HANDLE"
},
{
"is_const": false,
"is_input": true,
"is_optional": true,
"is_output": false,
"is_pointer": false,
"name": "TokenHandle",
"sal_annotation": "_In_opt_",
"type": "HANDLE"
},
{
"is_const": false,
"is_input": false,
"is_optional": true,
"is_output": false,
"is_pointer": false,
"name": "Reserved",
"sal_annotation": "_Reserved_",
"type": "ULONG"
}
],
"return_type": "NTSTATUS",
"rva": 5392,
"stub_bytes": "a10900d4c0035fd60000000000000000c10900d4c0035fd60000000000000000",
"syscall_number": 77
},
Ready-to-compile header with all syscall definitions:
// Auto-generated by NTSleuth v1.0.0
// Total syscalls: 2461
#ifndef _SYSCALLS_H_
#define _SYSCALLS_H_
// Syscall numbers for ntdll.dll
#define SYSCALL_NUMBER_NTCREATEPROCESSEX 0x4D
/* Syscall #0x4D */
typedef NTSTATUS (NTAPI *pfnNtCreateProcessEx)(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
PCOBJECT_ATTRIBUTES ObjectAttributes,
HANDLE ParentProcess,
ULONG Flags,
HANDLE SectionHandle,
HANDLE DebugPort,
HANDLE TokenHandle,
ULONG Reserved
);
// ... continues for all syscalls
#endif // _SYSCALLS_H_
- Language: C++20 with modern STL
- Disassembler: Zydis (multi-architecture support)
- JSON: nlohmann/json
- Build System: CMake 3.20+
- CI/CD: GitHub Actions
- Module Loading - Loads target system libraries (ntdll.dll, win32u.dll)
- Export Enumeration - Enumerates all exported functions
- Disassembly - Analyzes function prologues for syscall instructions
- Number Extraction - Extracts syscall numbers from instruction operands
- Symbol Resolution - Downloads and parses PDB files for metadata
- PHNT Integration - Matches functions with PHNT database entries
- Parameter Resolution - Multi-method parameter type inference
- Output Generation - Formats data as JSON/C headers
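As an added illustration of the Disassembly, Number Extraction and True Syscall Verification steps above (example code written for this README, not part of NTSleuth, which uses Zydis rather than the hand-rolled byte matching shown here), the function below takes an export's stub bytes plus its architecture and recovers the syscall number, returning -1 for exports that never reach a kernel transition. The ARM64 samples are the stub bytes NTSleuth printed above; the x64 and WOW64 sample stubs and the set of x86 transition sequences are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
typedef enum { ARCH_X64, ARCH_X86, ARCH_ARM64 } ntsl_arch;
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Returns the syscall number encoded in an export's stub bytes, or -1 when the bytes
 * do not form a kernel-transition stub (ordinary export, thunk, or data). */
int extract_syscall_number(ntsl_arch arch, const uint8_t *stub, size_t len) {
    if (arch == ARCH_ARM64) {
        /* SVC #imm16 encodes as 0xD4000001 | (imm16 << 5); a true stub is SVC followed by RET (0xD65F03C0). */
        if (len < 8) return -1;
        uint32_t svc = rd32le(stub), ret = rd32le(stub + 4);
        if ((svc & 0xFFE0001Fu) != 0xD4000001u || ret != 0xD65F03C0u) return -1;
        return (int)((svc >> 5) & 0xFFFFu);
    }
    if (arch == ARCH_X64) {
        /* 4C 8B D1 = mov r10,rcx; B8 imm32 = mov eax,imm32; the stub must later reach 0F 05 = syscall. */
        if (len < 10 || stub[0] != 0x4C || stub[1] != 0x8B || stub[2] != 0xD1 || stub[3] != 0xB8) return -1;
        for (size_t i = 8; i + 1 < len; i++)
            if (stub[i] == 0x0F && stub[i + 1] == 0x05) return (int)rd32le(stub + 4);
        return -1;
    }
    /* x86/WOW64: B8 imm32 = mov eax,imm32, then a transition such as CD 2E (int 2Eh), 0F 34 (sysenter),
     * FF 12 / FF D2 (call [edx] / call edx) or 64 FF (call fs:[...]). This list is an assumption; the dispatcher varies by build. */
    if (len < 7 || stub[0] != 0xB8) return -1;
    for (size_t i = 5; i + 1 < len; i++) {
        uint8_t a = stub[i], b = stub[i + 1];
        if ((a == 0xCD && b == 0x2E) || (a == 0x0F && b == 0x34) ||
            (a == 0xFF && (b == 0x12 || b == 0xD2)) || (a == 0x64 && b == 0xFF))
            return (int)rd32le(stub + 1);
    }
    return -1;
}
/* Constructed samples: the ARM64 stubs are the bytes NTSleuth printed above for NtCreateProcess (0xC0)
 * and NtCreateProcessEx (0x4D); the x64 and WOW64 stubs are synthetic Windows 10 style stubs for number 0x4D. */
static const uint8_t ARM64_NTCREATEPROCESS[]   = {0x01,0x18,0x00,0xD4,0xC0,0x03,0x5F,0xD6};
static const uint8_t ARM64_NTCREATEPROCESSEX[] = {0xA1,0x09,0x00,0xD4,0xC0,0x03,0x5F,0xD6};
static const uint8_t X64_STUB[] = {0x4C,0x8B,0xD1,0xB8,0x4D,0x00,0x00,0x00,0xF6,0x04,0x25,0x08,0x03,0xFE,
                                   0x7F,0x01,0x75,0x03,0x0F,0x05,0xC3,0xCD,0x2E,0xC3};
static const uint8_t WOW64_STUB[] = {0xB8,0x4D,0x00,0x00,0x00,0xBA,0x00,0x00,0x00,0x00,0xFF,0xD2,0xC2,0x24,0x00};

int main(void) {
    printf("NtCreateProcess=%d NtCreateProcessEx=%d x64=%d wow64=%d not-a-stub=%d\n",
           extract_syscall_number(ARCH_ARM64, ARM64_NTCREATEPROCESS, 8), extract_syscall_number(ARCH_ARM64, ARM64_NTCREATEPROCESSEX, 8),
           extract_syscall_number(ARCH_X64, X64_STUB, sizeof X64_STUB), extract_syscall_number(ARCH_X86, WOW64_STUB, sizeof WOW64_STUB),
           extract_syscall_number(ARCH_ARM64, X64_STUB, sizeof X64_STUB));
    return 0;
}
```

The -1 path is what separates a true syscall from an export that merely shares the Nt/Zw naming: a thunk or wrapper that never contains the transition instruction is rejected regardless of its name.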
Contributions are always welcome!
BSD 3-Clause License - see LICENSE for details.
- System Informer - PHNT headers
- Zydis - Disassembly engine
- ntdoc.m417z.com - Syscall documentation
- Windows Internals Community - Research and knowledge
If you find NTSleuth useful, please consider giving it a star! It helps others discover the tool.