Skip to content

SolitudePy/Stealthy-ETW-Patch

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
.github/workflows
.github/workflows
 
 
images
images
 
 
src
src
 
 
README.md
README.md
 
 

Repository files navigation

Stealthy ETW Patch

A proof-of-concept tool that demonstrates ETW (Event Tracing for Windows) evasion by patching the EtwpEventWriteFull internal function in memory. This technique prevents ETW from logging events by making the function return immediately.

Technique Overview

The tool works by:

  1. Locating ntdll.dll in memory
  2. Finding the EtwEventWriteTransfer or any other function that uses EtwpEventWriteFull using GetProcAddress
  3. Searching for the internal call to EtwpEventWriteFull and calculates it's address like that:
baseAddressOfExportedFunction + i(call instruction offset) + 5(call instruction with argument) + relativeOffset(call argument)
  1. Patching at found address with an early RET instruction (0xC3)

Compilation

gcc .\stealthy_etw_patch.c -o .\stealthy_etw_patch.exe -ldnsapi

Usage

Run the compiled executable with administrator privileges:

.\stealthy_etw_patch.exe

example

The program also test the technique by using DnsQuery_A which can later be examined using the Microsoft-Windows-DNS-Client ETW provider (e.g Sysmon)

Knowledge

Main ETW functions using internal EtwpEventWriteFull function

etweventwritetransfer etweventwrite xref

About

ETW Bypass by patching main ETW internal function

Topics

c windows etw-bypass

Resources

Readme
Activity

Stars

4 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 2

v1.0.3 Latest
May 7, 2025
+ 1 release

Packages

No packages published

Languages