/*
--- ETW Threat Intelligence operations.
--- Inspiration and credit: https://public.cnotools.studio/bring-your-own-vulnerable-kernel-driver-byovkd/exploits/data-only-attack-neutralizing-etwti-provider
*/
#pragma once
#include <Windows.h>
#include <Tchar.h>
#include <stdio.h>
#include "Globals.h"
#include "KernelMemoryPrimitives.h"
#include "NtoskrnlOffsets.h"
#define DISABLE_PROVIDER 0x0
#define ENABLE_PROVIDER 0x1
DWORD64 GetEtwThreatIntProvRegHandleAddress();
DWORD64 GetEtwThreatInt_ProviderEnableInfoAddress(BOOL verbose);
void DisableETWThreatIntelProvider(BOOL verbose);
void EnableETWThreatIntelProvider(BOOL verbose);
BOOL isETWThreatIntelProviderEnabled(BOOL verbose); |