
ETW Researches

ថಘઅഞפּ ṛཥચ edited this page Oct 30, 2022 · 2 revisions

What about ETW?

Many ETW functions appear to call EtwpEventWriteFull, which is not exported by any DLL. As the screenshots below show, even EtwpEventWriteFull ends in a call to NtTraceEvent, NtTraceControl, ZwTraceEvent or ZwTraceControl. Those four functions are the real syscalls behind every ETW function, so they (both the Nt and Zw variants) are the ones to hook, rather than everything prefixed with 'Etw'.

Figures ETW1 to ETW9: screenshots of the ETW call chain described above (images not reproduced in this text).
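Because every ETW write funnels through those four ntdll exports, a defender only has to watch four stubs to notice that ETW has been blinded. The following check is an added example written for this page, not code from the wiki's author: it reads the first bytes of each export and verifies they still begin with the unmodified x64 syscall prologue (`mov r10, rcx; mov eax, <number>`), flagging a stub that has been overwritten with a `ret` or redirected with a `jmp`. The prologue layout, the `read_ntdll_export` helper and the sample syscall number 0x5E are assumptions made for the demo; on non-Windows builds the check runs over constructed sample bytes instead of the live ntdll.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* The four ntdll exports the page identifies as the real ETW entry points. */
static const char *const kEtwSyscalls[4] = {
    "NtTraceEvent", "NtTraceControl", "ZwTraceEvent", "ZwTraceControl"
};

/* Bytes an unmodified x64 ntdll syscall stub starts with (assumption: modern x64 Windows):
 *   4C 8B D1        mov r10, rcx
 *   B8 nn nn nn nn  mov eax, <syscall number>                                     */
static const uint8_t kStubPrologue[4] = { 0x4C, 0x8B, 0xD1, 0xB8 };

#define STUB_BYTES 8

typedef enum {
    STUB_INTACT = 0,       /* prologue matches, syscall number readable            */
    STUB_RETURNS = 1,      /* first byte is ret: the event write is silently dropped */
    STUB_DETOURED = 2,     /* first bytes are an unconditional jmp: control leaves ntdll */
    STUB_UNRECOGNISED = 3  /* anything else: treat as suspicious and inspect manually */
} stub_state;

/* Classify the leading bytes of one syscall stub. */
stub_state classify_syscall_stub(const uint8_t *code, size_t len) {
    if (len < STUB_BYTES) return STUB_UNRECOGNISED;
    if (memcmp(code, kStubPrologue, sizeof kStubPrologue) == 0) return STUB_INTACT;
    if (code[0] == 0xC3) return STUB_RETURNS;                      /* ret             */
    if (code[0] == 0xE9) return STUB_DETOURED;                     /* jmp rel32       */
    if (code[0] == 0xFF && code[1] == 0x25) return STUB_DETOURED;  /* jmp [rip+disp32] */
    return STUB_UNRECOGNISED;
}

/* Syscall number encoded in an intact stub (little-endian imm32 after the prologue); -1 otherwise. */
int32_t stub_syscall_number(const uint8_t *code, size_t len) {
    if (classify_syscall_stub(code, len) != STUB_INTACT) return -1;
    return (int32_t)(code[4] | (code[5] << 8) | (code[6] << 16) | ((uint32_t)code[7] << 24));
}

/* Reads the first `len` bytes of the named export into `out`; returns bytes read (0 on failure). */
typedef size_t (*stub_reader)(const char *export_name, uint8_t *out, size_t len);

/* Runs the check over all four exports; fills `states` and returns how many are NOT intact. */
int count_tampered_etw_stubs(stub_reader read, stub_state states[4]) {
    int tampered = 0;
    for (int i = 0; i < 4; i++) {
        uint8_t buf[STUB_BYTES] = { 0 };
        size_t n = read(kEtwSyscalls[i], buf, sizeof buf);
        states[i] = classify_syscall_stub(buf, n);
        if (states[i] != STUB_INTACT) tampered++;
    }
    return tampered;
}

#ifdef _WIN32
/* Live reader (hypothetical helper): resolves the export in the loaded ntdll and copies its first bytes. */
size_t read_ntdll_export(const char *export_name, uint8_t *out, size_t len) {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    FARPROC p = ntdll ? GetProcAddress(ntdll, export_name) : NULL;
    if (!p) return 0;
    memcpy(out, (const void *)p, len);
    return len;
}
#endif

/* Constructed sample stubs; the syscall number 0x5E is made up for the demo, not a real value. */
const uint8_t kSampleIntact[STUB_BYTES]   = { 0x4C, 0x8B, 0xD1, 0xB8, 0x5E, 0x00, 0x00, 0x00 };
const uint8_t kSampleReturns[STUB_BYTES]  = { 0xC3, 0x8B, 0xD1, 0xB8, 0x5E, 0x00, 0x00, 0x00 };
const uint8_t kSampleDetoured[STUB_BYTES] = { 0xE9, 0x10, 0x20, 0x30, 0x40, 0x00, 0x00, 0x00 };

/* Constructed reader: pretends NtTraceEvent has been overwritten with ret and the rest are intact. */
size_t read_constructed(const char *export_name, uint8_t *out, size_t len) {
    const uint8_t *src = strcmp(export_name, "NtTraceEvent") == 0 ? kSampleReturns : kSampleIntact;
    memcpy(out, src, len);
    return len;
}

int main(void) {
    stub_state states[4];
#ifdef _WIN32
    int bad = count_tampered_etw_stubs(read_ntdll_export, states);
#else
    int bad = count_tampered_etw_stubs(read_constructed, states);
#endif
    for (int i = 0; i < 4; i++)
        printf("%-15s state=%d\n", kEtwSyscalls[i], (int)states[i]);
    printf("%d of 4 ETW syscall stubs not intact\n", bad);
    return bad ? 1 : 0;
}
```

In ntdll the Nt and Zw exports normally resolve to the same stub, so a patch on one shows up on both; the check reads each name anyway so that a detour placed on only one alias is still caught. A stub classified as STUB_UNRECOGNISED is not proof of tampering (the prologue assumption may simply not hold on that build), which is why it is reported separately rather than folded into the ret/jmp cases.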
