In this post we will focus on Event Tracing for Windows (ETW), how it is used to surface events on .NET assemblies, and how we can evade this kind of detection.| XPN InfoSec Blog
It turns out that there is a method of disabling ETW in .NET, strangely exposed by setting an environment variable of COMPlus_ETWEnabled=0. This post explores how this works.| XPN InfoSec Blog
TLDR: Version v1.0 “Cruller” of Donut has been released, including Module Overloading for native PEs, ETW bypasses, a Dockerfile, support for binaries without relocation information, and many other minor improvements and bugfixes.| thewover.github.io
TLDR: Presenting DInvoke, a new API in SharpSploit that acts as a dynamic replacement for PInvoke. Using it, we show how to dynamically invoke unmanaged code from memory or disk while avoiding API Hooking and suspicious imports.| thewover.github.io