> Windows Syscalls
Back to blog

Welcome — direct syscalls 101

Why direct syscalls matter, what an SSN is, and how Hell's Gate resolves them at runtime.

Published on 2026-05-20·1 min readintrosyscallsntdll

When a Windows process calls VirtualAllocEx, the call passes through kernel32.dll, then ntdll.dll's NtAllocateVirtualMemory, which executes a syscall instruction with the System Service Number (SSN) loaded into eax. The kernel reads eax, looks up the routine in KiServiceTable, and dispatches.

EDR products typically hook the user-mode ntdll exports. A direct syscall skips that hook by issuing the syscall instruction from your own code with the right SSN.

NtAllocateVirtualMemory:
    mov r10, rcx
    mov eax, 0x18      ; SSN on Win10 1909+
    syscall
    ret

The hard part is that the SSN changes between Windows builds. Three common solutions:

  1. Hardcode per build — fragile.
  2. Hell's Gate — at runtime, read the first bytes of ntdll!NtAllocateVirtualMemory and extract the mov eax, imm32 SSN.
  3. Halo's Gate — fallback when ntdll itself is hooked: walk neighbour syscalls to derive the missing SSN.

Browse the syscall reference to see per-build SSNs for every documented Nt* call.