Pentesting Tools

Full Spectrum Event Tracing For Windows Detection In The kernel Against Rootkits

Sanctum EDR demonstrates a multi-layered approach to detecting and preventing Event Tracing for Windows (ETW) tampering by rootkits, combining kernel-mode monitoring with user-space protections.

This toolkit focuses on neutralizing advanced techniques used by malware like Remcos RAT and Lazarus Group’s FudModule rootkit to blind security solutions.

Key Functions

  1. Kernel Dispatch Table Monitoring
    Sanctum’s driver periodically validates the integrity of the ETW Kernel Dispatch Table – a critical structure holding pointers to ETW provider GUIDs.
    • By comparing runtime addresses against a baseline snapshot, it detects rootkits attempting to nullify entries (e.g., EtwThreatIntProvRegHandle).
      • Tampering triggers an immediate bug check (BSOD) via KeBugCheckEx to prevent exploitation1.
  2. _ETW_SILODRIVERSTATE Protection
    The tool monitors the EtwpActiveSystemLoggers bitmask and GUID enable flags within this kernel structure.
    • Lazarus-style attacks that clear these flags to disable ETW providers are detected through cyclic redundancy checks. For critical providers like ETW Threat Intelligence, zero-value masks prompt system halts1.
  3. Registry Guardrails
    A kernel filter driver using CmRegisterCallbackEx blocks modifications to ETW-related registry keys (e.g., HKLM\...\Autologger\EventLog-Application). This prevents persistent disablement of ETW logging through registry tampering1.
  4. User-Space NTDLL Guard
    A companion process hashes NTDLL’s .text segment every 50ms to detect memory patching attempts. When Remcos RAT tried patching EtwEventWrite, Sanctum suspended all process threads and terminated execution via hooked NtProtectVirtualMemory1.

Testing against real-world threats revealed:

  • Complete blockage of Remcos’ user-space ETW bypass via memory protection hooks
  • Successful identification of FudModule rootkit’s GUID entry manipulation through kernel structure monitoring
  • Prevention of registry-based persistence mechanisms with 100% block rate in controlled tests

The system employs defense-in-depth by combining:

  • Kernel Patch Guard-style periodic checks
  • Real-time syscall hooking
  • Registry write filtering
  • Memory integrity validation

This layered approach raises the bar for adversaries, requiring simultaneous bypass of multiple detection vectors while maintaining operational stealth – a significant challenge given Sanctum’s 50ms check intervals and hardware-isolated components1.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

4 hours ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

6 hours ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

8 hours ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

8 hours ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

8 hours ago

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

1 day ago