Challenge 26: Patch EtwEventWrite
Medium ETW Bypass
Objective
Patch ntdll!EtwEventWrite in memory to silently disable all user-mode ETW telemetry without triggering Rule 8’s integrity check.
Background
Every user-mode ETW provider ultimately calls ntdll!EtwEventWrite to emit events. By patching this function in memory, you can blind all user-mode ETW providers in the process — including the EDR’s telemetry.
This is one of the most common EDR bypass techniques. Tools like TamperETW use this approach to silently disable .NET ETW logging in Assembly.Load cradles.
The Weakness
Rule 8 checks the first byte of EtwEventWrite for 0xC3 (the ret instruction). But it doesn’t check for other patching patterns:
xor eax, eax; ret→ bytes0x33, 0xC0, 0xC3— returnsSTATUS_SUCCESSwithout logging- The first byte is
0x33, not0xC3, so Rule 8 misses it entirely
Rules
- The EDR agent must be running (ETW enabled)
- Patch
EtwEventWriteso it returns immediately without emitting events - Rule 8 must NOT detect your patch
- Verify that ETW events are no longer being written
Hints
Hint 1
You need to change the memory protection of the ntdll page before writing to it. What API changes page protections?Hint 2
UseVirtualProtect to make the page PAGE_EXECUTE_READWRITE, write the patch bytes, then restore PAGE_EXECUTE_READ.
Hint 3
The patchxor eax, eax; ret is three bytes: \x33\xC0\xC3. It sets EAX to 0 (STATUS_SUCCESS) and returns — the caller thinks the write succeeded.
Further Reading
- Breaking ETW and EDR — Offensive ETW techniques
- ETW-TI Deep Dive — Why this doesn’t work against kernel ETW
MostShittyEDR