C/C++ Performance Profiler

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

Hades HIDS/HIPS for Windows

The world's most powerful System Activity Monitor Engine · 一款功能强大的终端行为采集防御开发套件 ~ 旨在帮助EDR、零信任、数据安全、审计管控等终端安全软件可以快速实现产品功能， 而不用关心底层驱动的开发、维护和兼容性问题，让其可以专注于业务开发

让Etwhook再次伟大! Make InfinityHook Great Again!

Simple project that demonstrates how an ETW consumer can be created just by using NTDLL

Sampling profiler for native applications on Windows, based on ETW

This script is used to bypass DLL Hooking using a fresh mapped copy of ntdll file, patch the ETW and trigger a shellcode with process hollowing

A simple example application to collect DNS queries logs using etw-api

Leaking kernel addresses from ETW consumers. Requires Administrator privileges.

The internal Windows structures hack to create the in-process private ETW session

Open Power Performance Analysis Tool

Mentally ill EtwTi parser

flatkrabsetw is a flat-C wrapper around the krabsetw C++ library. It's primarily meant for FFI usage in other languages.

System Activity Monitor (SAM) is a research tool that enables detailed recording of system and application behavior and resource usage.

Bypassing Event Tracing for Windows (ETW) with CSharp

Windows process monitoring tool using ETW and Frida. Detects suspicious activity (e.g., PPID spoofing), injects into target processes, and logs WinAPI calls. Designed for real-time detection and background execution as a service.

Shitty C++20 single-header ETW util for real-time event consumption and member parsing

Greathelm is a modular Windows security service focused on process inspection, PowerShell telemetry, and automated response enforcement. It’s built entirely in C++ and designed for minimal dependencies, direct API usage.

Remove ETW providers from session &ETW session hijack