Sanctum EDR demonstrates a multi-layered approach to detecting and preventing Event Tracing for Windows (ETW) tampering by rootkits, combining kernel-mode monitoring with user-space protections.
This toolkit focuses on neutralizing advanced techniques used by malware like Remcos RAT and Lazarus Group’s FudModule rootkit to blind security solutions.
Key Functions
- Kernel Dispatch Table Monitoring
Sanctum’s driver periodically validates the integrity of the ETW Kernel Dispatch Table – a critical structure holding pointers to ETW provider GUIDs.- By comparing runtime addresses against a baseline snapshot, it detects rootkits attempting to nullify entries (e.g., EtwThreatIntProvRegHandle).
- Tampering triggers an immediate bug check (BSOD) via
KeBugCheckExto prevent exploitation1.
- Tampering triggers an immediate bug check (BSOD) via
- By comparing runtime addresses against a baseline snapshot, it detects rootkits attempting to nullify entries (e.g., EtwThreatIntProvRegHandle).
- _ETW_SILODRIVERSTATE Protection
The tool monitors theEtwpActiveSystemLoggersbitmask and GUID enable flags within this kernel structure.- Lazarus-style attacks that clear these flags to disable ETW providers are detected through cyclic redundancy checks. For critical providers like ETW Threat Intelligence, zero-value masks prompt system halts1.
- Registry Guardrails
A kernel filter driver usingCmRegisterCallbackExblocks modifications to ETW-related registry keys (e.g.,HKLM\...\Autologger\EventLog-Application). This prevents persistent disablement of ETW logging through registry tampering1. - User-Space NTDLL Guard
A companion process hashes NTDLL’s .text segment every 50ms to detect memory patching attempts. When Remcos RAT tried patchingEtwEventWrite, Sanctum suspended all process threads and terminated execution via hookedNtProtectVirtualMemory1.
Testing against real-world threats revealed:
- Complete blockage of Remcos’ user-space ETW bypass via memory protection hooks
- Successful identification of FudModule rootkit’s GUID entry manipulation through kernel structure monitoring
- Prevention of registry-based persistence mechanisms with 100% block rate in controlled tests
The system employs defense-in-depth by combining:
- Kernel Patch Guard-style periodic checks
- Real-time syscall hooking
- Registry write filtering
- Memory integrity validation
This layered approach raises the bar for adversaries, requiring simultaneous bypass of multiple detection vectors while maintaining operational stealth – a significant challenge given Sanctum’s 50ms check intervals and hardware-isolated components1.
 tampering by rootkits,){kind=link}