Bypass the Event Trace Windows(ETW) and unhook ntdll.
Updated Sep 29, 2023 - C
Two in one: patch the PowerShell console for its lifetime, no more ETW and AMSI!
A WIP shellcode loader tool which bypasses AV/EDR, coded in C++, and equipped with a minimal builder.
Event Tracing for Windows EDR bypass in Rust (usermode)
A proof of concept AMSI & ETW bypass using trampolines for hooking and modifying execution flow
A code snippet demonstrating how to patch the EtwEventWrite function in ntdll.dll on Windows using cgo (C from Go).
A BOF for patching AMSI, ETW and NtTraceEvent aka Sysmon using Trampolines
Bypassing Event Tracing for Windows (ETW) with CSharp
Loads a C# binary in memory within powershell profile, patching AMSI + ETW.
A proof of concept ETW consumer that captures userland events in real time, displays them, and saves them into an .etl file