A small modification to SysWhispers2 to use a trampoline for syscalls. Functions are renamed here SW2 -> SWT. It uses IsModulePresent/GetFunctionAddress from DarkLoadLibrary code (or VX-API).

SWT.c

// add this to syscalls.h
extern PVOID SWT_Trampoline;

VOID SWT_ResolveTrampoline();
// add this to syscalls.c
PVOID SWT_Trampoline;

VOID SWT_ResolveTrampoline()
{
    HMODULE ntdllModule = IsModulePresent(L"ntdll.dll");
    CHAR syscallret_bytecode[3] = {0x0F, 0x05, 0xC3};
    unsigned char sNtAcc[] = {'P', 'i', 'c', 'k', 0x0}; // pick a NTDLL function here
    for (LPVOID ntdll_cursor = GetFunctionAddress(IsModulePresent(L"ntdll.dll"), sNtAcc);;ntdll_cursor++) {
        if (strncmp(ntdll_cursor, syscallret_bytecode, 3) == 0) {
            SWT_Trampoline = ntdll_cursor;
            break;
        }
    }

}
// add this to BOOL SWT_PopulateSyscallList() after the SWT_SyscallList.Count check
SWT_ResolveTrampoline();
// modify the .asm stubs like this (NASM format)
extern SWT_Trampoline

NtProtectVirtualMemory:
	mov [rsp +8], rcx          ; Save registers.
	mov [rsp+16], rdx
	mov [rsp+24], r8
	mov [rsp+32], r9
	sub rsp, 28h
	mov ecx, 0079D1B09h        ; Load function hash into ECX.
	call SWT_GetSyscallNumber  ; Resolve function hash into syscall number.
	add rsp, 28h
	mov rcx, [rsp +8]          ; Restore registers.
	mov rdx, [rsp+16]
	mov r8, [rsp+24]
	mov r9, [rsp+32]
	mov r10, rcx
	mov r11, SWT_Trampoline
	jmp [r11]                    ; Invoke system call.