- Bypassing Event Tracing for Windows (ETW) in golang.
- A simple Go script that first checks whether `NtProtectVirtualMemory` and `NtAllocateVirtualMemory` are hooked. It then loads `ntdll.dll` with `LoadLibrary`, resolves the address of `EtwEventWrite` with `GetProcAddress`, and finally writes the patch bytes into the target process.
Build and run:

```shell
go mod init codepulzeetwbypass
go get github.com/mszatanik/goloader/pkg/win32
go get golang.org/x/sys/windows
go build etwbypasscodepulze.go
.\etwbypasscodepulze.exe <pid>
```