Skip to content

Instantly share code, notes, and snippets.

@bats3c

bats3c/restore_callback.c

Created September 4, 2020 15:32
Show Gist options
  • Save bats3c/a6df08e9d657210bbadd0438089d338c to your computer and use it in GitHub Desktop.
Save bats3c/a6df08e9d657210bbadd0438089d338c to your computer and use it in GitHub Desktop.
Download ZIP
Restore the callback so we can report an event, then rehook it
Raw
restore_callback.c
typedef VOID(WINAPI * EtwEventCallback_) (EVENT_RECORD *EventRecord);
VOID DoOriginalEtwCallback( EVENT_RECORD *EventRecord )
{
DWORD dwOldProtect;
VirtualProtect(lpCallbackOffset, sizeof(OriginalBytes), PAGE_EXECUTE_READWRITE, &dwOldProtect);
memcpy(lpCallbackOffset, OriginalBytes, sizeof(OriginalBytes));
VirtualProtect(lpCallbackOffset, sizeof(OriginalBytes), dwOldProtect, &dwOldProtect);
EtwEventCallback_ EtwEventCallback = (EtwEventCallback_)lpCallbackOffset;
EtwEventCallback(EventRecord);
HookEtwCallback();
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment