Rust-for-Malware-Development

ETW Evasion

Welcome to the Etw directory of Rust-for-Malware-Development. Event Tracing for Windows (ETW) is one of the loudest telemetry sources an EDR can listen to. These PoCs gag or redirect ETW so an implant can run without showing up in those event streams.

How to Use

git clone https://github.com/Whitecat18/Rust-for-Malware-Development.git
cd Rust-for-Malware-Development/Etw

The sub-folder is a Cargo project; build it with cargo build --release.