Challenge 43: ETW Patching

Difficulty: Hard
Category: AMSI Bypass


Objective

Blind the Event Tracing for Windows (ETW) telemetry pipeline by patching the EtwEventWrite function in memory. Even after bypassing AMSI, ETW can log your activity to security tools — disable it completely.

Scanner Behavior

Even if you successfully bypass AMSI (so the provider never sees your payloads), Windows has a second telemetry channel: Event Tracing for Windows (ETW). ETW is a high-performance logging framework built into the Windows kernel and user-mode libraries.

PowerShell logs extensive information via ETW, including:

Security tools and EDR (Endpoint Detection & Response) solutions consume these ETW events. So even with AMSI dead, your activity can still be observed through ETW logs.

All user-mode ETW events flow through a single function: EtwEventWrite in ntdll.dll. This is the final bottleneck before events are written to the ETW infrastructure. Patching this function blinds all ETW providers in the process.

Rules

Hints

  1. The technique is identical to Challenge 32 (memory patching) but targets a different function in a different DLL.
  2. ntdll.dll is always loaded in every Windows process — you can find it reliably.
  3. EtwEventWrite should return 0 (STATUS_SUCCESS / ERROR_SUCCESS) without doing any work.
  4. Same pattern: VirtualProtect to make it writable, overwrite the first few bytes with instructions that return 0, restore protections.
  5. On x64, the return instruction sequence may differ from x86. Consider the calling convention.
  6. This must be done after or alongside AMSI bypass for complete stealth.
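The patch the hints describe changes the first bytes of EtwEventWrite in the process's mapped copy of ntdll.dll, and that is exactly what a byte-level integrity check can catch. The following PowerShell script is an added defender-side example, not part of the challenge or its solution: it resolves EtwEventWrite through the on-disk file's export table, reads the function's first 16 bytes both from the running process and from the file, and reports any difference. It assumes PowerShell on Windows and that the ntdll.dll path reported in Process.Modules is the file the loader mapped.

```powershell
# Added example, not part of the challenge page: flag an in-memory patch of
# ntdll!EtwEventWrite by comparing its first bytes in this process with the
# same bytes in the on-disk ntdll.dll, located through the file's export table.
$ntdll = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -ieq 'ntdll.dll' } | Select-Object -First 1
$f     = [IO.File]::ReadAllBytes($ntdll.FileName)

# PE header fields needed to find the export table and the section map
$peOff  = [BitConverter]::ToInt32($f, 0x3C)                   # e_lfanew
$numSec = [BitConverter]::ToUInt16($f, $peOff + 6)
$optOff = $peOff + 24
$secOff = $optOff + [BitConverter]::ToUInt16($f, $peOff + 20)  # SizeOfOptionalHeader
$ddOff  = if ([BitConverter]::ToUInt16($f, $optOff) -eq 0x20B) { $optOff + 112 } else { $optOff + 96 }
$expRva = [BitConverter]::ToUInt32($f, $ddOff)                # DataDirectory[0] = exports

function Convert-RvaToOffset([uint32]$rva) {
    for ($i = 0; $i -lt $numSec; $i++) {
        $s  = $secOff + 40 * $i
        $va = [BitConverter]::ToUInt32($f, $s + 12)
        if ($rva -ge $va -and $rva -lt ($va + [BitConverter]::ToUInt32($f, $s + 8))) {
            return [int]($rva - $va + [BitConverter]::ToUInt32($f, $s + 20))
        }
    }
    throw "RVA 0x$($rva.ToString('X')) is not inside any section"
}

# Walk the export name table for EtwEventWrite and resolve its function RVA
$exp   = Convert-RvaToOffset $expRva
$funcs = Convert-RvaToOffset ([BitConverter]::ToUInt32($f, $exp + 28))
$names = Convert-RvaToOffset ([BitConverter]::ToUInt32($f, $exp + 32))
$ords  = Convert-RvaToOffset ([BitConverter]::ToUInt32($f, $exp + 36))
$funcRva = $null
for ($i = 0; $i -lt [BitConverter]::ToUInt32($f, $exp + 24); $i++) {
    $nameOff = Convert-RvaToOffset ([BitConverter]::ToUInt32($f, $names + 4 * $i))
    $len = [Array]::IndexOf($f, [byte]0, $nameOff) - $nameOff
    if ([Text.Encoding]::ASCII.GetString($f, $nameOff, $len) -eq 'EtwEventWrite') {
        $ord     = [BitConverter]::ToUInt16($f, $ords + 2 * $i)
        $funcRva = [BitConverter]::ToUInt32($f, $funcs + 4 * $ord)
        break
    }
}
if (-not $funcRva) { throw 'EtwEventWrite not found in the export table' }

# Compare the first 16 bytes: live process memory vs. the file on disk
$n = 16; $inMem = New-Object byte[] $n; $diskOff = Convert-RvaToOffset $funcRva
[Runtime.InteropServices.Marshal]::Copy([IntPtr]($ntdll.BaseAddress.ToInt64() + $funcRva), $inMem, 0, $n)
$memHex  = ($inMem | ForEach-Object { $_.ToString('X2') }) -join ' '
$diskHex = ($f[$diskOff..($diskOff + $n - 1)] | ForEach-Object { $_.ToString('X2') }) -join ' '
if ($memHex -eq $diskHex) { "EtwEventWrite prologue matches disk: $memHex" }
else { "WARNING: EtwEventWrite differs from disk`n  memory: $memHex`n  disk:   $diskHex" }
```

A mismatch is also produced by a security product's own user-mode hook on the same function, so treat the output as a prompt to inspect the process rather than as proof of tampering.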