Bypass the Event Trace Windows(ETW) and unhook ntdll.
_______ _______ _ _______ _________
( ____ \|\ /|( ____ \| \ /\( ____ \\__ __/|\ /|
| ( \/| ) ( || ( \/| \ / /| ( \/ ) ( | ) ( |
| (__ | | | || | | (_/ / | (__ | | | | _ | |
| __) | | | || | | _ ( | __) | | | |( )| |
| ( | | | || | | ( \ \ | ( | | | || || |
| ) | (___) || (____/\| / \ \| (____/\ | | | () () |
|/ (_______)(_______/|_/ \/(_______/ )_( (_______)
[v1.0]
[i] Hooked Ntdll Base Address : 0x00007FFA9A110000
[i] Unhooked Ntdll Base Address: 0x00007FF7C970F000
[+] PID Of The Current Proccess: [1956]
[#] Ready For ETW Patch.
[+] Press <Enter> To Patch ETW ...
[+] ETW Patched, No Logs No Crime !
- Displays a banner and initializes variables.
- Opens the ntdll.dll file using
CreateFileA. - Creates a file mapping using
CreateFileMappingAwith thePAGE_READONLYandSEC_IMAGEflags. - Maps the file into memory using
MapViewOfFile. - Calls the
UnhookNTDLLfunction to unhook the Ntdll.dll library. - Displays the address of the unhooked Ntdll base.
- Cleans up the mapped file and handles.
- Displays the current process ID and waits for user input.
- Calls the
FuckEtwfunction to patch the ETW. - Displays a message indicating that the ETW has been patched.