Let's assume that we have some application that wants to hide its activity from trace logs - not necessarily evil or malicious, for example just to hide the algorithms it uses, or a bit paranoid like a crypto wallet. Let's see how it can achieve this (I have no desire to consider trivial cases like removing records from the event log).
Semiofficial ways
- Sure, you have all read about COMPlus_ETWEnabled, but there is also the promising COMPlus_ETWFlags
- You can switch off ETW tracing for services.exe with the registry value TracingDisabled in Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular
- And the same for rpcrt4.dll with the registry value ExtErrorInformation in HKLM\Software\Policies\Microsoft\Windows NT\Rpc
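From the defender's side, the settings listed above are cheap to audit. The following PowerShell snippet is an added example (not the author's code) that reports whether any of them are present on a host; it assumes the SCM tracing key lives under HKLM, since the post does not name the hive.

```powershell
# Added example (not from the post): report the ETW-weakening settings the post names.
# Assumption: the SCM tracing key is under HKLM; the post does not give the hive.
$RegistryChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular'; Name = 'TracingDisabled' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc';                      Name = 'ExtErrorInformation' }
)
$EnvChecks = 'COMPlus_ETWEnabled', 'COMPlus_ETWFlags'

function Get-EtwWeakeningFinding {
    [CmdletBinding()]
    param()

    foreach ($c in $RegistryChecks) {
        # Get-ItemProperty returns nothing (and no error) when the key or value is absent
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{
                Source = 'Registry'
                Where  = "$($c.Path)\$($c.Name)"
                Value  = $item.($c.Name)
            }
        }
    }

    # Machine- or user-wide COMPlus_* variables affect every .NET process started afterwards;
    # a variable set only inside a single process is not visible from here.
    foreach ($scope in 'Machine', 'User') {
        foreach ($name in $EnvChecks) {
            $value = [Environment]::GetEnvironmentVariable($name, $scope)
            if (-not [string]::IsNullOrEmpty($value)) {
                [pscustomobject]@{ Source = "Environment ($scope)"; Where = $name; Value = $value }
            }
        }
    }
}

$findings = @(Get-EtwWeakeningFinding)
if ($findings.Count -eq 0) {
    'None of the settings named in the post are present.'
} else {
    $findings | Format-Table -AutoSize
}
```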
Patching
- Yes, good old IAT hijacking of functions like EtwEventWrite works fine, even though it can be easily detected
- Splicing of ETW functions. Almost the same as above
- Some more sophisticated patching of internal WPP structures. For example, you can find ETW handles and zero them. Or zero the trace level. Or EventsEnableBits. PoC to find ETW handles in rpcrt4.dll
Kernel mode
Who immediately remembered InfinityHook? By the way, MS removed pfn GetCpuClock from WMI_LOGGER_CONTEXT since approximately build 18963. There are many more kernel sensors. PoC to find CmpTraceRoutine - and suddenly ETW events from the registry stop being generated. Sure, it's not a big problem if your product has some code registered with CmRegisterCallback.
Conclusion
ETW is an unreasonably complex and fragile technology and can easily be broken in too many places.