πŸ‰
Gurpreet06
  • πŸ‘€Introduction
    • ☠️About me
    • ☎️Contact
  • πŸ‘ΎOffsensive Security
    • ⛓️OSEP
    • πŸ‰OSCP
    • ♾️OSWP
  • πŸ—³οΈHack The Box
    • β›ˆοΈCPTS
  • 🐞Zero-Point Security
    • βš”οΈCRTO
    • ⛓️CRTL
  • πŸ§™β€β™€οΈAltered Security
    • πŸ•·οΈCRTP
    • ⛓️CRTE
  • πŸ”΄Extreme Red Team Laboratories
    • πŸ“¬Active Directory Chains - MailService
    • πŸ“¬Active Directory Chains - IFIXTCENTCEN
  • πŸ’§Sektor7
    • πŸ”Red Team Operator
  • πŸ“•eLearnSecurity
    • ⛓️eCPPTv2
    • πŸ““eJPT
  • 🧊Mikrotik
    • πŸ–₯️MTCNA
  • ☒️Antivirus Bypass
    • β›ˆοΈCrowdStrike Falcon
    • β›ˆοΈBit Defender Premium Antivirus
    • β›ˆοΈSophos Intercept X Antivirus
    • β›ˆοΈSophos Home Premium Antivirus
    • β›ˆοΈKaspersky Plus Protection
    • β›ˆοΈHarmony Checkpoint Security
    • β›ˆοΈWatchGuard Advanced EPDR
    • β›ˆοΈTrend Micro Maximum Security
    • β›ˆοΈESET Security Premium Antivirus
    • β›ˆοΈMalwarebytes Premium Antivirus
    • β›ˆοΈNorton 360
    • β›ˆοΈAVIRA Prime Antivirus
    • β›ˆοΈMcAfee Total Protection
    • β›ˆοΈQuick Heal Total Protection
  • πŸ‘¨β€πŸ’»PROJECTS
    • πŸ•΅οΈInfoSniper (Bypassing Antivirus)
    • 🦈PowerSSH
    • πŸ•΅οΈPyExec
    • β˜ƒοΈPyWMI
    • πŸ“­ShareHunter
    • πŸŒ†ShadowDesk
    • πŸ›‚C2Serv
    • ⛷️StealthInjector
    • πŸ¦‚StealthInvoke
    • πŸ—οΈAMSI Patcher (Bypassing Antivirus)
    • πŸ§–β€β™‚οΈRDP-Stealer
    • πŸ“ΈTakeScreenShot
    • πŸ”‘SharpKeyLogger
    • πŸ‘ΏHellCat (EDR-Escaper)
    • 🎫ETW Patcher (Bypassing Antivirus)
    • πŸ€–PRPT (Bypassing Antivirus)
    • 🌐What Internet Knows About You (OSINT)
    • πŸ”PowerShell SSL Reverse Shell
    • πŸ“ΆWiFi - Crack
    • ⚠️ICMP Data Exfiltration
Powered by GitBook
On this page
  1. PROJECTS

ETW Patcher (Bypassing Antivirus)

Bypassing Event Tracing for Windows (ETW) with CSharp

PreviousHellCat (EDR-Escaper)NextPRPT (Bypassing Antivirus)

Last updated 1 year ago

A simple C++ script that first checks if NtProtectVirtualMemory and NtAllocateVirtualMemory are hooked or not. Then it loads the ntdll.dll with LoadLibrary and gets the address of the function EtwEventWrite using GetProcAddress. Finally, it writes the patch bytes into the process.

Usage

  • Without ETW bypass.

  • With ETW bypass.

πŸ‘¨β€πŸ’»
🎫
GitHub - Gurpreet06/ETW-Patcher: Bypassing Event Tracing for Windows (ETW) with CSharpGitHub
Logo