Windows process monitoring tool using ETW and Frida. Detects suspicious activity (e.g., PPID spoofing), injects into target processes, and logs WinAPI calls. Designed for real-time detection and background execution as a service.

Shitty C++20 single-header ETW util for real-time event consumption and member parsing

System Activity Monitor (SAM) is a research tool that enables detailed recording of system and application behavior and resource usage.

Greathelm is a modular Windows security service focused on process inspection, PowerShell telemetry, and automated response enforcement. It’s built entirely in C++ and designed for minimal dependencies, direct API usage.

Remove ETW providers from session &ETW session hijack

Bypassing Event Tracing for Windows (ETW) with CSharp

flatkrabsetw is a flat-C wrapper around the krabsetw C++ library. It's primarily meant for FFI usage in other languages.

The internal Windows structures hack to create the in-process private ETW session

A simple example application to collect DNS queries logs using etw-api

Open Power Performance Analysis Tool

Leaking kernel addresses from ETW consumers. Requires Administrator privileges.

Mentally ill EtwTi parser

This script is used to bypass DLL Hooking using a fresh mapped copy of ntdll file, patch the ETW and trigger a shellcode with process hollowing

Sampling profiler for native applications on Windows, based on ETW

让Etwhook再次伟大! Make InfinityHook Great Again!

Simple project that demonstrates how an ETW consumer can be created just by using NTDLL

Hades HIDS/HIPS for Windows

The world's most powerful System Activity Monitor Engine · 一款功能强大的终端行为采集防御开发套件 ~ 旨在帮助EDR、零信任、数据安全、审计管控等终端安全软件可以快速实现产品功能， 而不用关心底层驱动的开发、维护和兼容性问题，让其可以专注于业务开发

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

C/C++ Performance Profiler