Possible ways to protect ETW trace sessions from getting stopped?

microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

Other

581 stars 149 forks source link

Possible ways to protect ETW trace sessions from getting stopped? #224

Closed subvert0r closed 6 months ago

subvert0r commented 7 months ago

There are many tools that can be used to stop a ETW trace session.

My question is, assuming that we already have a kernel mode driver, what are the possible ways for us to protect our ETW session from getting stopped?

swannman commented 7 months ago

Hi @subvert0r, this a good area to focus on, but it's outside of what the krabsetw project can assist with.