Full Spectrum Event Tracing For Windows Detection In The kernel Against Rootkits

Sanctum EDR demonstrates a multi-layered approach to detecting and preventing Event Tracing for Windows (ETW) tampering by rootkits, combining kernel-mode monitoring with user-space protections.

This toolkit focuses on neutralizing advanced techniques used by malware like Remcos RAT and Lazarus Group’s FudModule rootkit to blind security solutions.

Key Functions

1. Kernel Dispatch Table Monitoring
   Sanctum’s driver periodically validates the integrity of the ETW Kernel Dispatch Table – a critical structure holding pointers to ETW provider GUIDs.
   • By comparing runtime addresses against a baseline snapshot, it detects rootkits attempting to nullify entries (e.g., EtwThreatIntProvRegHandle).
     • Tampering triggers an immediate bug check (BSOD) via KeBugCheckEx to prevent exploitation1.
2. _ETW_SILODRIVERSTATE Protection
   The tool monitors the EtwpActiveSystemLoggers bitmask and GUID enable flags within this kernel structure.
   • Lazarus-style attacks that clear these flags to disable ETW providers are detected through cyclic redundancy checks. For critical providers like ETW Threat Intelligence, zero-value masks prompt system halts1.
3. Registry Guardrails
   A kernel filter driver using CmRegisterCallbackEx blocks modifications to ETW-related registry keys (e.g., HKLM\...\Autologger\EventLog-Application). This prevents persistent disablement of ETW logging through registry tampering1.
4. User-Space NTDLL Guard
   A companion process hashes NTDLL’s .text segment every 50ms to detect memory patching attempts. When Remcos RAT tried patching EtwEventWrite, Sanctum suspended all process threads and terminated execution via hooked NtProtectVirtualMemory1.

Testing against real-world threats revealed:

• Complete blockage of Remcos’ user-space ETW bypass via memory protection hooks
• Successful identification of FudModule rootkit’s GUID entry manipulation through kernel structure monitoring
• Prevention of registry-based persistence mechanisms with 100% block rate in controlled tests

The system employs defense-in-depth by combining:

• Kernel Patch Guard-style periodic checks
• Real-time syscall hooking
• Registry write filtering
• Memory integrity validation

This layered approach raises the bar for adversaries, requiring simultaneous bypass of multiple detection vectors while maintaining operational stealth – a significant challenge given Sanctum’s 50ms check intervals and hardware-isolated components1.