Initial commit for public version

Co-authored-by: Thomas Diot <thomas.diot@wavestone.com>
2026-06-11 01:41:20 +00:00 · 2021-11-08 09:54:05 +01:00
commit 4bff81986b
42 changed files with 8490 additions and 0 deletions
@@ -0,0 +1,29 @@
+/*
+
+--- ETW Threat Intelligence operations.
+--- Inspiration and credit: https://public.cnotools.studio/bring-your-own-vulnerable-kernel-driver-byovkd/exploits/data-only-attack-neutralizing-etwti-provider
+
+*/
+
+#pragma once
+
+#include <Windows.h>
+#include <Tchar.h>
+#include <stdio.h>
+
+#include "Globals.h"
+#include "KernelMemoryPrimitives.h"
+#include "NtoskrnlOffsets.h"
+
+#define DISABLE_PROVIDER 0x0
+#define ENABLE_PROVIDER 0x1
+
+DWORD64 GetEtwThreatIntProvRegHandleAddress();
+
+DWORD64 GetEtwThreatInt_ProviderEnableInfoAddress(BOOL verbose);
+
+void DisableETWThreatIntelProvider(BOOL verbose);
+
+void EnableETWThreatIntelProvider(BOOL verbose);
+
+BOOL isETWThreatIntelProviderEnabled(BOOL verbose);