3gstudent
commented
5 years ago It is just a POC and it is very easy to do the rest of the work. A version of PowerShell will integrate these functions.
Closed koushui closed 4 years ago
3gstudent
commented
5 years ago It is just a POC and it is very easy to do the rest of the work. A version of PowerShell will integrate these functions.
koushui
commented
5 years ago Powershell ?very cool~~!Where is it
Why not do a can solve closed and restart Eventlog service generate EventID for 7034 and 7036, and solve the problem of missing EventRecordID version?Modify DeleteRecordbyTerminateProcess. CPP operation process is as follows should be ok:
1.Try to EnableDebugPrivilege... Done 2.Try to OpenProcess... Done (add ) Try to suspend eventlog Thead
3.Try to TerminateProcess... Done 4.Try to CloseFileHandle... Done 5.Try to Copy evtx file to current path... Done 6.Try to Delete the eventlog... Done 7.Try to replace evtx file... Done 8.Try to delete temp.evtx... Done (add ) Try to eventlog process and suspend Thead 9.Try to Restart eventlog service... (add ) Try to suspend eventlog Thead