Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/evilbytecode/etw-patch
The code snippet provided demonstrates how to patch the EtwEventWrite function in the ntdll.dll library on Windows using CGO (C called from Go).
av-evasion etw etw-bypass etw-evasion etweventwrite evasion fud
Last synced: 26 days ago
- Host: GitHub
- URL: https://github.com/evilbytecode/etw-patch
- Owner: EvilBytecode
- Created: 2024-06-25T09:20:39.000Z (7 months ago)
- Default Branch: main
- Last Pushed: 2024-06-27T06:42:34.000Z (7 months ago)
- Last Synced: 2024-07-14T09:12:06.584Z (6 months ago)
- Topics: av-evasion, etw, etw-bypass, etw-evasion, etweventwrite, evasion, fud
- Language: Go
- Homepage:
- Size: 4.88 KB
- Stars: 5
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
- This repository contains code that demonstrates how to patch the `EtwEventWrite` function exported by `ntdll.dll` on Windows using CGO. The technique overwrites the first bytes of `EtwEventWrite` with a short assembly stub, so the function returns immediately and the event is never handed to ETW.
## How it works
- Uses the Windows API functions `GetModuleHandleA`, `GetProcAddress` and `VirtualProtect` to locate `EtwEventWrite` in the process's own mapping of `ntdll.dll` and make the page containing it writable.
- Defines the byte sequence `0x33, 0xC0, 0xC3`, which encodes the instructions `XOR EAX, EAX; RET`, and writes it over the beginning of `EtwEventWrite`. Because `EtwEventWrite` returns a `ULONG` status, a zeroed `EAX` reads as success to the caller while no event is written. The encoding is the same on x86 and x64.
- The patch affects only the process that applies it (every process has its own mapping of `ntdll.dll`), and it is not subtle: changing the protection of `ntdll.dll` code pages is a common EDR trigger, and comparing the in-memory prologue of `EtwEventWrite` with the on-disk copy of the module reveals the overwrite.
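As an added example, not the repository's code and not written by its author, the Go program below reproduces the stub described above over a plain byte slice and adds the check a defender would want: comparing the live prologue of `EtwEventWrite` with the bytes of the same function in the on-disk `ntdll.dll` and naming the kind of patch found. The function and type names (`ApplyStub`, `Classify`, `PatchKind`) are this example's own, `referencePrologue` is a constructed placeholder rather than the real prologue of any Windows build, and the Windows-specific steps (`GetModuleHandleA`/`GetProcAddress`/`VirtualProtect`, reading the file from System32) are left out so the logic runs on any platform.

```go
package main

import (
	"bytes"
	"fmt"
)

// Stub is the three-byte overwrite the README describes: xor eax,eax ; ret.
// EtwEventWrite returns a ULONG status, so zero in EAX reads as success to
// the caller while nothing reaches the ETW session.
var Stub = []byte{0x33, 0xC0, 0xC3}

// ApplyStub copies the stub over the start of a function body. In the real
// technique the target is the memory at the address GetProcAddress returned
// for EtwEventWrite, after VirtualProtect made the page writable; here it is
// a byte slice so the code runs anywhere. The input is not modified.
func ApplyStub(region []byte) []byte {
	patched := make([]byte, len(region))
	copy(patched, region)
	copy(patched, Stub)
	return patched
}

// PatchKind classifies what is found at the start of EtwEventWrite.
type PatchKind int

const (
	Unpatched     PatchKind = iota
	XorEaxRet               // 33 C0 C3           xor eax,eax ; ret (this repo's stub)
	XorEaxRetAlt            // 31 C0 C3           same instruction, other encoding
	MovEaxZeroRet           // B8 00 00 00 00 C3  mov eax,0 ; ret
	BareRet                 // C3                 ret (EAX left undefined)
	JumpHook                // E9 rel32 / FF 25   jmp to a trampoline
	Unknown                 // differs from disk but matches no known stub
)

var kindNames = map[PatchKind]string{
	Unpatched:     "unpatched",
	XorEaxRet:     "xor eax,eax ; ret",
	XorEaxRetAlt:  "xor eax,eax ; ret (31 C0 encoding)",
	MovEaxZeroRet: "mov eax,0 ; ret",
	BareRet:       "ret",
	JumpHook:      "jmp hook",
	Unknown:       "unknown modification",
}

func (k PatchKind) String() string {
	if s, ok := kindNames[k]; ok {
		return s
	}
	return fmt.Sprintf("PatchKind(%d)", int(k))
}

// knownStubs lists prologue overwrites commonly used to neuter EtwEventWrite.
var knownStubs = []struct {
	sig  []byte
	kind PatchKind
}{
	{[]byte{0x33, 0xC0, 0xC3}, XorEaxRet},
	{[]byte{0x31, 0xC0, 0xC3}, XorEaxRetAlt},
	{[]byte{0xB8, 0x00, 0x00, 0x00, 0x00, 0xC3}, MovEaxZeroRet},
	{[]byte{0xC3}, BareRet},
}

// Classify compares the live prologue of EtwEventWrite with the bytes of the
// same function in the on-disk ntdll.dll and names the deviation, if any.
// Only the overlapping length is compared, so any window size can be read.
func Classify(inMemory, onDisk []byte) PatchKind {
	n := len(inMemory)
	if len(onDisk) < n {
		n = len(onDisk)
	}
	if n > 0 && bytes.Equal(inMemory[:n], onDisk[:n]) {
		return Unpatched
	}
	for _, s := range knownStubs {
		if bytes.HasPrefix(inMemory, s.sig) {
			return s.kind
		}
	}
	if len(inMemory) >= 5 && inMemory[0] == 0xE9 { // jmp rel32
		return JumpHook
	}
	if len(inMemory) >= 6 && inMemory[0] == 0xFF && inMemory[1] == 0x25 { // jmp [rip+disp32]
		return JumpHook
	}
	return Unknown
}

// referencePrologue is a constructed placeholder standing in for the first
// bytes of EtwEventWrite as read from %SystemRoot%\System32\ntdll.dll. It is
// not the real prologue of any Windows build.
var referencePrologue = []byte{0x4C, 0x8B, 0xDC, 0x48, 0x83, 0xEC, 0x58, 0x48, 0x8B, 0xF1}

func main() {
	live := ApplyStub(referencePrologue)
	fmt.Printf("on disk:   % X\n", referencePrologue)
	fmt.Printf("in memory: % X\n", live)
	fmt.Println("verdict:   ", Classify(live, referencePrologue))
	fmt.Println("clean copy:", Classify(referencePrologue, referencePrologue))
}
```

On a real host the `inMemory` window would be read from the address `GetProcAddress(GetModuleHandleA("ntdll.dll"), "EtwEventWrite")` returns, and `onDisk` from the same function's file offset in `ntdll.dll` (resolved through the export table); the comparison against the disk copy is what catches stubs that are not in the known list, which is why `Unknown` exists as a verdict rather than falling back to `Unpatched`.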