Challenge 28: Hardware Breakpoint ETW Hook

Hard ETW Bypass

Objective

Use hardware breakpoints (debug registers) and a Vectored Exception Handler to intercept EtwEventWrite calls without modifying any code bytes — completely evading Rule 8’s memory integrity check.

Background

Hardware breakpoints use the CPU’s debug registers (DR0-DR3) to trigger exceptions when specific addresses are executed. Combined with a Vectored Exception Handler (VEH), you can intercept function calls without writing to code memory.

This technique is used in advanced EDR bypass tools for “patchless” hooking:

  1. Set DR0 to point to EtwEventWrite
  2. Register a VEH that catches EXCEPTION_SINGLE_STEP
  3. When the breakpoint fires, modify the return value and skip the function
  4. No code bytes are modified — memory integrity checks pass

This is essentially the same principle behind ETW-TI’s NtContinue monitoring — the kernel watches for debug register manipulation via NtSetContextThread.

The Weakness

Rule 8’s integrity check:

Rules

  1. The EDR agent must be running with ETW enabled
  2. Hook EtwEventWrite using only hardware breakpoints + VEH
  3. No code bytes at EtwEventWrite may be modified
  4. Rule 8 must not detect the hook
  5. ETW events must be silently dropped

Hints

Hint 1 Use GetThreadContext and SetThreadContext to read/write debug registers. Set DR0 to the address of EtwEventWrite and enable the local breakpoint in DR7.
Hint 2 Register a Vectored Exception Handler with AddVectoredExceptionHandler. In the handler, check for EXCEPTION_SINGLE_STEP and verify the exception address matches EtwEventWrite.
Hint 3 In the VEH handler, set RIP to the return address (read from [RSP]), set RAX to 0 (STATUS_SUCCESS), adjust RSP += 8, and return EXCEPTION_CONTINUE_EXECUTION. The function is "called" but never actually runs.

Further Reading