Patching Event Tracing for Windows, by overwriting "call ntdll!EtwpEventWriteFull" inside ntdll!EtwEventWrite , the patched call do the actual Event Writing
etwpatching's Introduction
Patching ETW
Event Tracing for Windows (ETW) provides a mechanism to trace and log events that are raised by user-mode applications and kernel-mode drivers.
ntdll!EtwEventWrite is responsible for writing an event , it's not actually the function that do the Event Writing job, by reversing it, we can see that it calls ntdll!EtwpEventWriteFull that do the actual Event Writing :
this call is done at offset (0x214 - 0x1f0 = 0x24) and it takes 5 bytes, the idea here is to write a program that identify 0xe8 the opcode of the call instruction and overwrite this call memory with 5 bytes , so that the call will never done