EvilBytecode / ETW-Bypass-Codepulze

Bypassing Event Tracing for Windows (ETW) in golang.


GoCodepulzeETWKiller

ETW-Bypass-Codepulze

  • A small Go program that first checks whether the NtProtectVirtualMemory and NtAllocateVirtualMemory stubs in the local ntdll.dll are hooked. It then loads ntdll.dll with LoadLibrary, resolves the address of EtwEventWrite with GetProcAddress, and writes the patch bytes over that address in the target process named by <pid>. The locally resolved address is valid in the target because ntdll.dll is mapped at the same base address in every process until the next reboot. Note that this only silences user-mode ETW providers that log through EtwEventWrite in the patched process; kernel-mode ETW providers are unaffected.

Prepare:

  • go mod init codepulzeetwbypass
  • go get github.com/mszatanik/goloader/pkg/win32
  • go get golang.org/x/sys/windows
  • go build etwbypasscodepulze.go

Usage

.\etwbypasscodepulze.exe <pid>

Before patch:

[screenshot]

After patch:

[screenshot]

Showcase

[screenshot]