salu90
commented
4 years ago Thanks for the suggestion @rasta-mouse! I've added a line of code to restore the original memory permissions like in your AMSI patch.
Closed salu90 closed 4 years ago
salu90
commented
4 years ago Thanks for the suggestion @rasta-mouse! I've added a line of code to restore the original memory permissions like in your AMSI patch.
Adds:
ETWclass in theSharpSploit.EvasionnamespacePatchEtwfunctionDisable ETW by patching the
EtwEventWritefunction inntdll.dll.Code has been kindly stolen and adapted from Adam Chester (https://blog.xpnsec.com/hiding-your-dotnet-etw/) and Mythic (https://github.com/its-a-feature/Mythic).
Tested on Windows 10 1909 and .NET Framework 4.8