Proof of concept tool that monitors kernel events (image loads, process creation, thread creation) and identifies anomalous absences in the corresponding ETW telemetry, i.e. system activity that occurs without the expected ETW events being emitted, which is what ETW patching looks like from the outside.

It has one very obvious bypass: hook EtwWriteEvent or NtTraceEvent and just modify some of the event data before sending it on its way. A possible workaround for that would be to build a database of events that should exist, hash any that can be hashed, and match against them from the ETW consumer.

Whilst this is effective at detecting ETW patching, it still has some FPs; the analysis could be improved significantly. FPs are generally processes that spend a lot of time waiting, so increasing the time between analysis runs, or even logging the last X cycles before deciding, could be better.
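The correlation step the analysis engine performs, as an added example that is not the project's own code: kernel-callback observations are matched against what the ETW consumer saw, and an unmatched kernel event older than a grace window becomes an alert (the grace window is the "wait longer before deciding" mitigation for the FPs described above). The `Event` layout, the `findMissing` name and the sample data are assumptions constructed for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <tuple>
#include <vector>

// Event kinds that both the kernel callbacks and the ETW consumer report.
enum class Kind { Process, Image, Thread };

// One observation. `key` disambiguates within a kind: the new process id for
// Process, the thread id for Thread, the image base address for Image.
struct Event { Kind kind; uint32_t pid; uint64_t key; uint64_t tsMs; };

// Kernel-observed events that have no ETW counterpart and are older than
// graceMs. Younger events are not judged yet, so a process that is slow to
// emit its ETW event is not flagged on the first analysis cycle.
std::vector<Event> findMissing(const std::vector<Event>& kernel,
                               const std::vector<Event>& etw,
                               uint64_t nowMs, uint64_t graceMs) {
    using Key = std::tuple<int, uint32_t, uint64_t>;
    std::map<Key, int> seen;                      // ETW events not yet matched
    for (const auto& e : etw) seen[Key{(int)e.kind, e.pid, e.key}]++;
    std::vector<Event> missing;
    for (const auto& e : kernel) {
        if (nowMs - e.tsMs < graceMs) continue;   // still inside the grace window
        auto it = seen.find(Key{(int)e.kind, e.pid, e.key});
        if (it != seen.end() && it->second > 0) { it->second--; continue; }
        missing.push_back(e);                     // activity with no ETW event
    }
    return missing;
}

// Constructed sample data (not real telemetry): pid 1234 starts, loads an
// image and creates a thread; pid 4321 starts just before the analysis runs.
std::vector<Event> sampleKernelEvents() {
    return {{Kind::Process, 1234, 1234, 1000}, {Kind::Image, 1234, 0x7ff600000000ULL, 1050},
            {Kind::Thread, 1234, 5678, 1100}, {Kind::Process, 4321, 4321, 9800}};
}
// The ETW side saw everything except the thread creation (patched away) and
// has not yet caught up on pid 4321.
std::vector<Event> sampleEtwEvents() {
    return {{Kind::Process, 1234, 1234, 1002}, {Kind::Image, 1234, 0x7ff600000000ULL, 1053}};
}

int main() {
    for (const auto& m : findMissing(sampleKernelEvents(), sampleEtwEvents(), 10000, 500))
        std::printf("ALERT: kind=%d pid=%u key=0x%llx has no ETW event\n",
                    (int)m.kind, m.pid, (unsigned long long)m.key);
}
```

With a 500 ms grace window only the thread creation of pid 1234 is reported; with no grace window the fresh pid 4321 would be reported too, which is exactly the waiting-process FP the text describes.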
- Administrative privileges on the system
- Secure boot disabled
- Driver test signing enabled
- CMake
- MSVC 2022 (2026 isn't compatible with drivers currently)
- Virtual Machine - a must, this is a PoC.
Generate build files

```text
> mkdir build
> cd build
build> cmake ..
-- Building for: Visual Studio 18 2026
-- Selecting Windows SDK version 10.0.26100.0 to target Windows 10.0.26200.
-- The C compiler identification is MSVC 19.50.35725.0
-- The CXX compiler identification is MSVC 19.50.35725.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: C:/Program Files/Microsoft Visual Studio/18/Community/VC/Tools/MSVC/14.50.35717/bin/Hostx64/x64/cl.exe - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: C:/Program Files/Microsoft Visual Studio/18/Community/VC/Tools/MSVC/14.50.35717/bin/Hostx64/x64/cl.exe - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done (5.0s)
-- Generating done (0.1s)
-- Build files have been written to: C:/Users/dev/CLionProjects/EyYoEtwWhereYouAt/build
```
Compile

```text
build> cmake --build .
MSBuild version 18.3.0-release-26070-10+3972042b7 for .NET Framework
1>Checking Build System
Building Custom Rule C:/Users/dev/CLionProjects/EyYoEtwWhereYouAt/CMakeLists.txt
Scanning sources for module dependencies...
Logger.cc
App.cc
Ipc.cc
Storage.cc
Process.cc
Thread.cc
AlertContainer.cc
Util.cc
ObserverManager.cc
AlertMemoryObserver.cc
LogDebug.cc
AnalysisEngine.cc
logStdout.cc
config.cc
Compiling...
Thread.cc
App.cc
Storage.cc
Ipc.cc
Process.cc
Logger.cc
Util.cc
LogDebug.cc
AnalysisEngine.cc
AlertContainer.cc
AlertMemoryObserver.cc
ObserverManager.cc
config.cc
logStdout.cc
EyYoEtwWhereYouAt.vcxproj -> C:\Users\dev\CLionProjects\EyYoEtwWhereYouAt\build\Debug\EyYoEtwWhereYouAt.lib
Building Custom Rule C:/Users/dev/CLionProjects/EyYoEtwWhereYouAt/CMakeLists.txt
Scanning sources for module dependencies...
main.cpp
Compiling...
main.cpp
etw_exe.vcxproj -> C:\Users\dev\CLionProjects\EyYoEtwWhereYouAt\build\Debug\etw_exe.exe
Building Custom Rule C:/Users/dev/CLionProjects/EyYoEtwWhereYouAt/CMakeLists.txt
PS C:\Users\dev\CLionProjects\EyYoEtwWhereYouAt\build>
```
- Install the driver with `sc.exe create EtwDriver type= kernel binPath=C:\path\to\driver`
- Run the compiled exe as local administrator.
- Start the driver with `sc.exe start EtwDriver`
- Run an application with ETW patching.

Screenshot: patching NtTraceEvent with x64dbg.

Screenshot: alert from the application.
- Driver might crash, it was the first time I wrote a driver.
- Some unused code as I was going to make this a larger project but decided against it.
- May have some FPs; I didn't do too much in the analysis "engine", it could be improved.
- I did some refactoring and didn't bother updating the unit tests.
