Skip to content
/ BlockEtw Public

.Net Assembly to block ETW telemetry in current process

75 stars 19 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Soledge/BlockEtw

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
blocketw
blocketw
 
 
README.md
README.md
 
 
blocketw.bin
blocketw.bin
 
 
blocketw.sln
blocketw.sln
 
 

Repository files navigation

BlockETW

.Net 3.5 / 4.5 Assembly to block ETW telemetry in a process

You must "Self-Inject" the blocketw.bin to the session that your beacon lives in

For injecting into a process:

shinject /opt/shellcode/blocketw.bin

There is no output currently for the command. It WILL NOT WORK if your using spawnto

Credits go to RastaMouse and XPN for creating SharpC2 from which this tool is based and thier research on ETW bypassing.

Release Build is built with .net 4.5 (but can be built for 3.5)

https://rastamouse.me/2020/05/sharpc2/

https://blog.xpnsec.com/hiding-your-dotnet-etw/

About

.Net Assembly to block ETW telemetry in current process

Resources

Readme
Activity

Stars

75 stars

Watchers

2 watching

Forks

19 forks
Report repository

Releases 1

BlockETW Version 1 Latest
May 14, 2020

Packages

No packages published

Languages