reveng007/ETW_patches_from_userMode_learned_till_now
ETW patches (from userMode) learned till now

Links:

  1. https://institute.sektor7.net/rto-win-evasion
  2. ntdll!NtTraceEvent (Syscall) : https://whiteknightlabs.com/2021/12/11/bypassing-etw-for-fun-and-profit/
  3. ntdll!EtwEventTrace : https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/
  4. https://pre.empt.dev/posts/maelstrom-etw-amsi/#Event_Tracing_for_Windows

Main concept:

  1. Pasting a ret opcode (c3 on x64) at the beginning of the ntdll!EtwEventWrite function, so the function returns immediately, in order to skip the security check done by ntdll!__security_check_cookie.

     Video link: https://drive.google.com/file/d/1XXlBqH6aF5ZRQM9MCz83NpGfCwtMvQFe/view?usp=sharing

  2. Pasting a ret opcode (c3 on x64) at the beginning of the ntdll!NtTraceEvent syscall stub (not touching ETW itself), so the syscall never transitions into the kernel and the process loses the capability to write ETW events to the file system.

     Video link: https://drive.google.com/file/d/1LikUb86L66A0PgZqIUi97nvn-T_et2CR/view?usp=sharing
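Both patches above leave the same footprint: the first byte of the target function becomes 0xC3. The following is an added example, not code from this repository, showing the defender's side: a user-mode integrity check that classifies the prologue of ntdll!EtwEventWrite and ntdll!NtTraceEvent as clean, ret-patched, or otherwise modified. The x64 syscall stub prefix (`mov r10, rcx` = 4c 8b d1) is the standard ntdll layout; the three sample prologues are constructed for the demo, and the syscall number in them is made up. The Windows-only part reads the live bytes from the current process; on other platforms only the constructed samples run.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define RET_OPCODE 0xC3   /* x64 "ret": the byte both patches described above write */

/* Fixed prefix of an x64 ntdll syscall stub such as NtTraceEvent:
 *   4c 8b d1          mov r10, rcx
 *   b8 xx xx xx xx    mov eax, <syscall number>  (varies per build, so not compared) */
static const uint8_t SYSCALL_STUB_PREFIX[] = { 0x4C, 0x8B, 0xD1 };

typedef enum {
    PROLOGUE_CLEAN = 0,
    PROLOGUE_RET_PATCHED = 1,   /* first byte is 0xC3: the call returns before doing anything */
    PROLOGUE_UNEXPECTED = 2     /* neither pristine nor the known patch: needs a closer look */
} prologue_state;

/* Pure classifier over a copy of a function's first bytes. 'expected' may be NULL when no
 * stable prologue is known for the function (EtwEventWrite differs across ntdll versions). */
prologue_state classify_prologue(const uint8_t *bytes, size_t len,
                                 const uint8_t *expected, size_t expected_len)
{
    if (bytes == NULL || len == 0)
        return PROLOGUE_UNEXPECTED;
    if (bytes[0] == RET_OPCODE)
        return PROLOGUE_RET_PATCHED;
    if (expected == NULL)
        return PROLOGUE_CLEAN;          /* only the ret-patch signature is checkable */
    if (len >= expected_len && memcmp(bytes, expected, expected_len) == 0)
        return PROLOGUE_CLEAN;
    return PROLOGUE_UNEXPECTED;
}

const char *prologue_state_name(prologue_state s)
{
    switch (s) {
    case PROLOGUE_CLEAN:       return "clean";
    case PROLOGUE_RET_PATCHED: return "ret-patched (0xC3 at entry)";
    default:                   return "unexpected bytes";
    }
}

/* Constructed sample prologues (not captured from a real system); syscall number is made up. */
static const uint8_t SAMPLE_CLEAN_STUB[]    = { 0x4C, 0x8B, 0xD1, 0xB8, 0x5E, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_PATCHED_STUB[]  = { 0xC3, 0x8B, 0xD1, 0xB8, 0x5E, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_MODIFIED_STUB[] = { 0xE9, 0x10, 0x20, 0x30, 0x40, 0x00, 0x00, 0x00 }; /* jmp rel32 stand-in */

/* Classify the three constructed samples; returns how many were ret-patched (expected: 1). */
int count_ret_patched_samples(void)
{
    const uint8_t *samples[] = { SAMPLE_CLEAN_STUB, SAMPLE_PATCHED_STUB, SAMPLE_MODIFIED_STUB };
    int patched = 0;
    for (size_t i = 0; i < 3; i++) {
        prologue_state s = classify_prologue(samples[i], 8,
                                             SYSCALL_STUB_PREFIX, sizeof SYSCALL_STUB_PREFIX);
        printf("sample %zu: %s\n", i, prologue_state_name(s));
        if (s == PROLOGUE_RET_PATCHED)
            patched++;
    }
    return patched;
}

#ifdef _WIN32
/* Copy the first 'len' bytes of an ntdll export as mapped in the current process. */
static int read_ntdll_export(const char *name, uint8_t *out, size_t len)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    FARPROC fn = ntdll ? GetProcAddress(ntdll, name) : NULL;
    if (fn == NULL)
        return 0;
    memcpy(out, (const void *)fn, len);  /* executable pages are readable in-process */
    return 1;
}
#endif

int main(void)
{
#ifdef _WIN32
    uint8_t buf[8];
    if (read_ntdll_export("EtwEventWrite", buf, sizeof buf))
        printf("ntdll!EtwEventWrite: %s\n",
               prologue_state_name(classify_prologue(buf, sizeof buf, NULL, 0)));
    if (read_ntdll_export("NtTraceEvent", buf, sizeof buf))
        printf("ntdll!NtTraceEvent: %s\n",
               prologue_state_name(classify_prologue(buf, sizeof buf,
                                   SYSCALL_STUB_PREFIX, sizeof SYSCALL_STUB_PREFIX)));
#endif
    return count_ret_patched_samples() == 1 ? 0 : 1;
}
```

An in-process check like this is only a first signal: code that can write a ret into ntdll can equally patch the checker, so a monitoring agent would rather compare the mapped ntdll text section against the on-disk image from another process, and treat any difference at the entry of EtwEventWrite or NtTraceEvent as a finding. The "unexpected bytes" bucket exists so that modifications other than the single-byte ret (the sample uses a jmp as a stand-in) are not silently reported as clean.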

More ETW patches:

  1. https://modexp.wordpress.com/2020/04/08/red-teams-etw/
  2. TamperETW: https://github.com/outflanknl/TamperETW/
