Generic ETW manifest file with a "key: value" format for events.

A proof of concept ETW consumer that captures userland events in real time, displays them, and saves them into an .etl file

Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters

A demo of the relevant blog post: Introduction to Beacon Object Files

A simple manifest-based ETW wrapper library for Rust in Windows.

Trace ScriptBlock execution for powershell v2

List the ETW provider(s) in the registration table of a process.

Patch AMSI and ETW in remote process via direct syscall

Code snippets to add on top of cobalt strike sleep mask to achieve patchless hook on AMSI and ETW

An all-in-one Cobalt Strike BOF to patch, check and revert AMSI and ETW for x64 process. Both syscalls and dynamic resolve versions are available.

Document ETW providers