We can see that the code checks EtwThreatIntProvRegHandle and, somewhere inside that function, calls the ETW logger function EtwTiLogInsertQueueUserApc. So let's collect the other ETW loggers that refer to EtwThreatIntProvRegHandle (and EtwSecurityMitigationsRegHandle too):
- EtwThreatIntProvRegHandle - called from KeInsertQueueApc and IopfCompleteRequest
- EtwTiLogSetContextThread - called from PspWow64SetContextThread & PspSetContextThreadInternal
- EtwTiLogAllocExecVm - called from MiAllocateVirtualMemory
- EtwTiLogProtectExecVm - called from NtProtectVirtualMemory
- EtwTiLogReadWriteVm - called from MiReadWriteVirtualMemory
- EtwTiLogDeviceObjectLoadUnload - called from IoDeleteDevice & IoCreateDevice
- EtwTiLogDriverObjectLoad - called from IopLoadDriver & IoCreateDriver
- EtwTiLogMapExecView - called from NtMapViewOfSection & MiMapViewOfSectionExCommon
- EtwTiLogSuspendResumeProcess - called from PsThawProcess, PsFreezeProcess, PsResumeProcess & PsSuspendProcess
- EtwTiLogSuspendResumeThread - called from PsSuspendThread & PsResumeThread
- EtwpTimLogMitigationForProcess - called from MiAllowImageMap
- EtwTimLogProhibitDynamicCode - called from MiArbitraryCodeBlocked
- EtwTimLogProhibitWin32kSystemCalls - called from PsConvertToGuiThread
- EtwTimLogProhibitNonMicrosoftBinaries - called from MiValidateSectionSigningPolicy
- EtwTimLogProhibitChildProcessCreation - called from SeSubProcessToken
- EtwTimLogProhibitLowILImageMap - called from MiAllowImageMap