Challenge 26: Patch EtwEventWrite

Medium ETW Bypass

Objective

Patch ntdll!EtwEventWrite in memory to silently disable all user-mode ETW telemetry without triggering Rule 8’s integrity check.

Background

Every user-mode ETW provider ultimately calls ntdll!EtwEventWrite to emit events. By patching this function in memory, you can blind all user-mode ETW providers in the process — including the EDR’s telemetry.

This is one of the most common EDR bypass techniques. Tools like TamperETW use this approach to silently disable .NET ETW logging in Assembly.Load cradles.

The Weakness

Rule 8 checks the first byte of EtwEventWrite for 0xC3 (the ret instruction). But it doesn’t check for other patching patterns:

Rules

  1. The EDR agent must be running (ETW enabled)
  2. Patch EtwEventWrite so it returns immediately without emitting events
  3. Rule 8 must NOT detect your patch
  4. Verify that ETW events are no longer being written

Hints

Hint 1 You need to change the memory protection of the ntdll page before writing to it. What API changes page protections?
Hint 2 Use VirtualProtect to make the page PAGE_EXECUTE_READWRITE, write the patch bytes, then restore PAGE_EXECUTE_READ.
Hint 3 The patch xor eax, eax; ret is three bytes: \x33\xC0\xC3. It sets EAX to 0 (STATUS_SUCCESS) and returns — the caller thinks the write succeeded.

Further Reading