Repository: adanto/EtwTiViewer (owner adanto; C++; MIT License; default branch `main`; 149 stars, 26 forks; last updated 2026-06-11).

Description: Live ETW-TI event viewer for Windows kernel threat-intelligence telemetry. Research tool for exploring the same signals commercial EDRs rely on.

Summary: EtwTiViewer is an ETW event viewer for live exploration of Windows kernel threat-intelligence telemetry, helping researchers analyse the same signals commercial EDR systems rely on. The project is written in C++; its main function is real-time monitoring of the security-relevant operations reported by the Microsoft-Windows-Threat-Intelligence ETW provider, such as cross-process memory allocation, protection changes and thread-context writes. It is intended for research and education that needs a close look at Windows kernel security mechanisms; note that the tool requires a kernel-debugging environment and a test-signed driver, and should only be run in isolated virtual machines.

---

<div align="center">
  <img src="icon.svg" width="120" alt="EtwTiViewer icon"/>
</div>

# EtwTiViewer

A research tool for live exploration of the **Microsoft-Windows-Threat-Intelligence** (`ETW-TI`) ETW provider — the same telemetry source commercial EDRs use to detect in-memory attacks and process injection.

> **Research and education only.** Requires kernel debugging, test-signed drivers, and deliberate security-boundary patching. Run exclusively in isolated VMs. Some parts of this project were built with LLM-assisted development and may contain bugs; be careful using this tool in production environments.

![Interface](screenshots/interface.png)

---

## What is ETW-TI?

`Microsoft-Windows-Threat-Intelligence` (GUID `{F4E1897C-BB5D-5668-F1D8-040F4D8DD344}`) is a **Secure ETW provider** built into `ntoskrnl.exe` that fires on low-level security-relevant operations:

| Keyword | What it covers |
|---|---|
| `ALLOCVM_REMOTE` / `LOCAL` | Cross-process / local virtual memory allocation |
| `PROTECTVM_REMOTE` / `LOCAL` | Protection changes (`VirtualProtectEx`, RWX marking) |
| `MAPVIEW_REMOTE` / `LOCAL` | Section mapping into another / same process |
| `QUEUEUSERAPC_REMOTE` | APC injection into a remote thread |
| `SETTHREADCONTEXT_REMOTE` | Thread register-state overwrite (shellcode injection) |
| `READVM_REMOTE` / `WRITEVM_REMOTE` | Cross-process memory read/write |
| `SUSPEND/RESUME_THREAD` | Thread suspension during injection |
| `FREEZE/THAW_PROCESS` | Whole-process freezing |
| `PROCESS_IMPERSONATION_*` | Token impersonation up / down / revert |

---

## Why access is restricted — and how we bypass it

The kernel requires the subscribing process to be **`PS_PROTECTED_ANTIMALWARE_LIGHT`** (`EPROCESS->Protection = 0x31`), backed by an ELAM certificate Microsoft only issues to commercial security vendors. Without it, `EnableTraceEx2` returns `ERROR_ACCESS_DENIED`.

The workaround: patch the one-byte `Protection` field of `EtwTiViewer.exe`'s `EPROCESS` in an active kernel debugger session before starting a capture. The patch is non-persistent — a process restart resets it.

The byte is a `_PS_PROTECTION` structure: `Type` in the low three bits, an `Audit` bit above it, and `Signer` in the high nibble:

```
PS_PROTECTED_ANTIMALWARE_LIGHT = 0x31
  ↳ Type   = PsProtectedTypeProtectedLight  (bits [2:0] = 1)
  ↳ Audit  = 0                              (bit  [3]   = 0)
  ↳ Signer = PsProtectedSignerAntimalware   (bits [7:4] = 3)
```

**WinDbg procedure** (run with `EtwTiViewer.exe` already open):

```
kd> !process 0 0 EtwTiViewer.exe
   PROCESS ffffe7054f0f8080  ...

kd> dt nt!_EPROCESS ffffe7054f0f8080 Protection
   +0x87a Protection : _PS_PROTECTION

kd> eb ffffe7054f0f8080+0x87a 31
kd> g
```

> The `Protection` offset varies between Windows builds — always query it with `dt` rather than hardcoding it. `eb` writes exactly one byte, so a wrong offset silently corrupts a neighbouring `EPROCESS` field instead of failing.

---

## Architecture

```
┌──────────────────────────────────────────────────────────────────────┐
│  Kernel                                                              │
│                                                                      │
│  ntoskrnl.exe — ETW-TI instrumentation                               │
│    EtwTiLogAllocateVirtualMemory() ─────────────────────────────►    │
│    EtwTiLogProtectVirtualMemory()     ETW real-time session          │
│    EtwTiLogMapViewOfSection()         "EtwTiViewerSession"           │
│                                                                      │
│  EtwTiDriver.sys (WDM)                                               │
│    PsSetCreateProcessNotifyRoutineEx  ──► PROCESS_CREATE/EXIT        │
│    PsSetLoadImageNotifyRoutine        ──► IMAGE_LOAD                 │
│    Pipe worker: ZwCreateFile → \\.\pipe\EtwTiForwarder               │
│    IOCTL_ETWTI_START runs in EtwTiViewer.exe context                 │
│      (so the EPROCESS->Protection check hits the patched process)    │
└───────────────────────────┬──────────────────────────────────────────┘
                            │ named pipe — binary wire protocol
                            ▼
┌──────────────────────────────────────────────────────────────────────┐
│  EtwTiViewer.exe  (C++17, ImGui + DirectX 11)                        │
│                                                                      │
│  PipeClient     — ReadFile(pipe) → decode PIPE_EVENT_HEADER          │
│  EtwConsumer    — StartTraceW / EnableTraceEx2 / ProcessTrace        │
│                   TDH decodes PEVENT_RECORD → TiEvent                │
│  Both sources   → EventBuffer (ring, 50 000 events)                  │
│  Render thread  → ImGui UI, JSONL file logging                       │
└──────────────────────────────────────────────────────────────────────┘
```

**Event sources**

| Source | Events | Requires |
|---|---|---|
| `PsSetCreateProcessNotifyRoutineEx` | `PROCESS_CREATE`, `PROCESS_EXIT` | Driver loaded |
| `PsSetLoadImageNotifyRoutine` | `IMAGE_LOAD` | Driver loaded |
| ETW-TI consumer (user-mode) | All keyword-gated events | `EPROCESS->Protection = 0x31` |

**Wire format** (`PIPE_EVENT_HEADER`): `Magic (4)` · `EventId (2)` · `Pid (4)` · `Tid (4)` · `Timestamp/FILETIME (8)` · `NameLen (2)` · `FieldsLen (2)` — followed by a UTF-8 name and `key=value\0` field pairs. These seven fields sum to 26 bytes; the struct in `EtwTiShared.h` is the authoritative layout, and `NameLen` and `FieldsLen` must be validated against the bytes actually received before they are used.
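
The wire format just described, decoded in C++ as an added example; this is not code from the EtwTiViewer project and does not reproduce its `EtwTiShared.h`. It assumes little-endian, unpadded fields in the listed order (a 26-byte header), a hypothetical magic value, an invented event id, and a constructed sample event. The point it adds to the paragraph above is the length handling: every length field arrives from the other end of the pipe, so the decoder checks each one against the buffer it was given and rejects the whole message on any inconsistency rather than parsing part of it.

```cpp
// Added example, not code from the EtwTiViewer project: a decoder for the
// named-pipe wire format described above.  Assumed (EtwTiShared.h is not on
// this page): little-endian fields, no padding, in the listed order, which
// makes the header 26 bytes; the magic value, event id and sample are invented.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <map>
#include <string>
#include <vector>

constexpr uint32_t kPipeMagic  = 0x49545445u;                // hypothetical magic ("ETTI")
constexpr size_t   kHeaderSize = 4 + 2 + 4 + 4 + 8 + 2 + 2;  // 26 bytes as listed

struct TiEvent {
    uint16_t eventId = 0;
    uint32_t pid = 0;
    uint32_t tid = 0;
    uint64_t timestamp = 0;   // FILETIME: 100 ns ticks since 1601-01-01
    std::string name;         // e.g. "PROTECTVM_REMOTE"
    std::map<std::string, std::string> fields;
};

template <typename T> static T readLE(const uint8_t* p) {
    T v = 0;
    for (size_t i = 0; i < sizeof(T); ++i) v |= static_cast<T>(p[i]) << (8 * i);
    return v;
}
template <typename T> static void putLE(std::vector<uint8_t>& out, T v) {
    for (size_t i = 0; i < sizeof(T); ++i) out.push_back(static_cast<uint8_t>(v >> (8 * i)));
}

// Decode one message as returned by a single ReadFile on a PIPE_TYPE_MESSAGE pipe.
// Every length field arrives from the other end of the pipe, so each one is
// checked against the buffer before use; any inconsistency rejects the message.
bool decodePipeMessage(const std::vector<uint8_t>& msg, TiEvent& ev) {
    if (msg.size() < kHeaderSize) return false;
    const uint8_t* p = msg.data();
    if (readLE<uint32_t>(p) != kPipeMagic) return false;
    ev.eventId   = readLE<uint16_t>(p + 4);
    ev.pid       = readLE<uint32_t>(p + 6);
    ev.tid       = readLE<uint32_t>(p + 10);
    ev.timestamp = readLE<uint64_t>(p + 14);
    const size_t nameLen   = readLE<uint16_t>(p + 22);
    const size_t fieldsLen = readLE<uint16_t>(p + 24);
    if (kHeaderSize + nameLen + fieldsLen != msg.size()) return false;   // lengths must cover the message exactly
    ev.name.assign(reinterpret_cast<const char*>(p + kHeaderSize), nameLen);
    ev.fields.clear();
    const uint8_t* f   = p + kHeaderSize + nameLen;
    const uint8_t* end = f + fieldsLen;
    while (f < end) {                                                    // walk "key=value\0" pairs
        const void* nul = std::memchr(f, 0, static_cast<size_t>(end - f));
        if (nul == nullptr) return false;                                // unterminated pair
        const uint8_t* nulp = static_cast<const uint8_t*>(nul);
        const std::string pair(reinterpret_cast<const char*>(f), static_cast<size_t>(nulp - f));
        const size_t eq = pair.find('=');
        if (eq == std::string::npos || eq == 0) return false;            // malformed pair
        ev.fields[pair.substr(0, eq)] = pair.substr(eq + 1);
        f = nulp + 1;
    }
    return true;
}

// Encoder for the same layout; used here only to build the constructed sample.
std::vector<uint8_t> encodePipeMessage(const TiEvent& ev) {
    std::string fields;
    for (const auto& kv : ev.fields) fields += kv.first + "=" + kv.second + '\0';
    std::vector<uint8_t> out;
    putLE<uint32_t>(out, kPipeMagic);
    putLE<uint16_t>(out, ev.eventId);
    putLE<uint32_t>(out, ev.pid);
    putLE<uint32_t>(out, ev.tid);
    putLE<uint64_t>(out, ev.timestamp);
    putLE<uint16_t>(out, static_cast<uint16_t>(ev.name.size()));
    putLE<uint16_t>(out, static_cast<uint16_t>(fields.size()));
    out.insert(out.end(), ev.name.begin(), ev.name.end());
    out.insert(out.end(), fields.begin(), fields.end());
    return out;
}

// Constructed sample: a remote protection change to RWX; all values invented.
std::vector<uint8_t> sampleProtectVmMessage() {
    TiEvent ev;
    ev.eventId = 2; ev.pid = 4120; ev.tid = 4136;
    ev.timestamp = 133000000000000000ull;
    ev.name = "PROTECTVM_REMOTE";
    ev.fields = {{"TargetPid", "1680"}, {"BaseAddress", "0x7ff6a0001000"},
                 {"Size", "0x1000"}, {"NewProtect", "0x40"}};       // 0x40 = PAGE_EXECUTE_READWRITE
    return encodePipeMessage(ev);
}

TiEvent decodeSample() { TiEvent ev; decodePipeMessage(sampleProtectVmMessage(), ev); return ev; }

// Corrupted inputs must be rejected outright, never partially parsed.
bool rejectsCorruptedSample() {
    TiEvent ev;
    std::vector<uint8_t> badMagic = sampleProtectVmMessage();  badMagic[0] ^= 0xFF;
    std::vector<uint8_t> truncated = sampleProtectVmMessage(); truncated.pop_back();
    return !decodePipeMessage(badMagic, ev) && !decodePipeMessage(truncated, ev);
}

int main() {
    const TiEvent ev = decodeSample();
    std::printf("%s pid=%u tid=%u\n", ev.name.c_str(), ev.pid, ev.tid);
    for (const auto& kv : ev.fields) std::printf("  %s=%s\n", kv.first.c_str(), kv.second.c_str());
    return 0;
}
```

Because `decodePipeMessage` insists that `NameLen` plus `FieldsLen` accounts for exactly the bytes `ReadFile` returned, a short read (the `ERROR_MORE_DATA` case on a message-mode pipe) is dropped instead of yielding an event with a truncated field list.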
`PIPE_TYPE_MESSAGE` ensures each `ReadFile` returns exactly one event, provided the read buffer is at least as large as the message; with a smaller buffer `ReadFile` fails with `ERROR_MORE_DATA` and the rest of the message is left for the next read.

**IOCTL interface**

| IOCTL | I/O | Purpose |
|---|---|---|
| `IOCTL_ETWTI_START` | In: `ULONGLONG KeywordMask` | Start session; register provider in caller context |
| `IOCTL_ETWTI_STOP` | — | Stop session; remove PS callbacks |
| `IOCTL_ETWTI_STATUS` | Out: running / EVT/s / dropped | Poll driver health |
| `IOCTL_ETWTI_SET_VERBOSE` | In: `ULONG` | Toggle per-event `DbgPrintEx` |

---

## Repository layout

```
EtwTiSuite/
├── EtwTiDriver/
│   ├── EtwTiDriver.c        DriverEntry, IOCTL handler, pipe server, PS callbacks
│   ├── EtwTiShared.h        IOCTL codes + pipe wire types (shared with viewer)
│   ├── EtwTiDriver.inf      Non-PnP driver manifest
│   └── build.bat            MSBuild + self-sign → deploy-ready .sys
├── EtwTiViewer/
│   ├── ImGuiApp.h/.cpp      UI: keyword panel, toolbar, event table, logging
│   ├── EtwConsumer.h/.cpp   Real-time ETW consumer
│   ├── PipeClient.h/.cpp    Pipe reader → EventBuffer
│   ├── DriverControl.h/.cpp IOCTL wrappers
│   └── EventBuffer.h        Thread-safe ring buffer (50 000 events)
├── third_party/imgui/       Clone separately (see Setup)
└── EtwTiSuite.sln
```

---

## Prerequisites

| Requirement | Notes |
|---|---|
| Windows 10 21H2+ / Windows 11 x64 | Run in a VM |
| Visual Studio 2022 (v143) | C++17 |
| WDK 10.0.22621+ | Matched to VS install |
| Test-signing enabled + Secure Boot off | `bcdedit /set testsigning on` + reboot |
| Administrator account | Driver install and viewer launch |
| WinDbg kernel debug session | Required for the EPROCESS patch |

---

## Setup

```cmd
rem 1. Clone ImGui (docking branch)
mkdir third_party
cd third_party
git clone --branch docking https://github.com/ocornut/imgui.git imgui

rem 2. Enable test-signing (VM only) and reboot
bcdedit /set testsigning on && shutdown /r /t 0

rem 3. Build the driver (self-signs the .sys)
cd EtwTiDriver && build.bat

rem 4. Build the viewer: open EtwTiSuite.sln in VS, Release|x64, Ctrl+Shift+B
rem    or: msbuild EtwTiSuite.sln /p:Configuration=Release /p:Platform=x64 /t:EtwTiViewer

rem 5. Install the driver (elevated prompt)
sc create EtwTiDriver type= kernel start= demand binPath= "C:\...\EtwTiDriver.sys"
sc start EtwTiDriver
rem Expect: STATE: 4 RUNNING
rem Error 577 (ERROR_INVALID_IMAGE_HASH) = test-signing not on, or the VM was not rebooted after enabling it

rem 6. Stop and uninstall (always click Stop in the viewer first)
sc stop EtwTiDriver && sc delete EtwTiDriver
```

---

## Usage

**1. Launch the viewer** — `EtwTiViewer\x64\Release\EtwTiViewer.exe` (as Administrator). Status bar indicators:
- **Driver** — green when `\\.\EtwTiDriver` opens
- **Pipe** — green when the driver connects to the forwarder pipe
- **ETW-TI** — green when `EnableTraceEx2` succeeds (requires the patch below)

**2. Patch `EPROCESS->Protection`** (see WinDbg procedure above) in the kernel debugger while `EtwTiViewer.exe` is running. The patch must be repeated every time the viewer is restarted.

**3. Capture:**
1. Check keywords in the **Keywords** panel (or **Select All**)
2. Click **Start** — driver IOCTL + ETW consumer session begin simultaneously
3. Events stream into the **Events** table in real time
4. Use **Filter** to substring-match on name or any field value
5. Toggle **Log [ON]** to stream to a JSONL file
6. Hover any status indicator for a detailed tooltip
7. Click **Stop** → **Clear** to reset

**Kernel debug output:** `kd> ed nt!Kd_IHVDRIVER_Mask 0xFFFFFFFF` then enable **KD Verbose** in the toolbar.

---

## Resources

- **fluxsec.red** — [ETW-TI: Rust Consumer](https://fluxsec.red/event-tracing-for-windows-threat-intelligence-rust-consumer) — detailed walkthrough of the provider, its access model, and consumer implementation
- **Sanctum** by 0xflux — [github.com/0xflux/Sanctum](https://github.com/0xflux/Sanctum) — proof-of-concept EDR in Rust demonstrating real-world ETW-TI consumption

---

## Disclaimer

Provided for defensive research and education only — to validate detection logic, evaluate ETW-TI telemetry coverage, and document provider behaviour. Using this tool against systems you do not own, or to develop evasion techniques for production environments, is outside the intended use and your sole responsibility.
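
The `_PS_PROTECTION` byte from the "Why access is restricted" section, encoded and decoded in C++ as an added example; this is not code from the EtwTiViewer project. The field layout and enum names are the public ones from the WDK's `ntddk.h` (`Type` in bits 2:0, `Audit` in bit 3, `Signer` in bits 7:4), nothing here touches a live process, and the `0x62` value used alongside `0x31` is the public `PS_PROTECTED_WINTCB` level included only to show a second decoding.

```cpp
// Added example, not code from the EtwTiViewer project: encode and decode the
// one-byte _PS_PROTECTION value the WinDbg procedure writes.  Layout and enum
// names follow the WDK's ntddk.h: Type in bits 2:0, Audit in bit 3, Signer in
// bits 7:4.  Nothing here touches a live process.
#include <cstdint>
#include <cstdio>
#include <string>

enum PsProtectedType : uint8_t {
    PsProtectedTypeNone = 0, PsProtectedTypeProtectedLight = 1, PsProtectedTypeProtected = 2
};
enum PsProtectedSigner : uint8_t {
    PsProtectedSignerNone = 0, PsProtectedSignerAuthenticode = 1, PsProtectedSignerCodeGen = 2,
    PsProtectedSignerAntimalware = 3, PsProtectedSignerLsa = 4, PsProtectedSignerWindows = 5,
    PsProtectedSignerWinTcb = 6, PsProtectedSignerWinSystem = 7, PsProtectedSignerApp = 8
};

struct PsProtection { uint8_t type; bool audit; uint8_t signer; };

// Compose the byte the way the kernel stores it.
constexpr uint8_t makeProtectionLevel(PsProtectedSigner signer, PsProtectedType type, bool audit = false) {
    return static_cast<uint8_t>((signer << 4) | (audit ? 0x08 : 0x00) | (type & 0x07));
}
// Split a byte read from EPROCESS->Protection back into its fields.
constexpr PsProtection parseProtectionLevel(uint8_t level) {
    return PsProtection{ static_cast<uint8_t>(level & 0x07), (level & 0x08) != 0, static_cast<uint8_t>(level >> 4) };
}

constexpr uint8_t PS_PROTECTED_ANTIMALWARE_LIGHT =
    makeProtectionLevel(PsProtectedSignerAntimalware, PsProtectedTypeProtectedLight);   // 0x31

const char* typeName(uint8_t t) {
    switch (t) {
        case PsProtectedTypeProtectedLight: return "PsProtectedTypeProtectedLight";
        case PsProtectedTypeProtected:      return "PsProtectedTypeProtected";
        case PsProtectedTypeNone:           return "PsProtectedTypeNone";
        default:                            return "PsProtectedTypeInvalid";
    }
}
const char* signerName(uint8_t s) {
    static const char* const names[] = {
        "PsProtectedSignerNone", "PsProtectedSignerAuthenticode", "PsProtectedSignerCodeGen",
        "PsProtectedSignerAntimalware", "PsProtectedSignerLsa", "PsProtectedSignerWindows",
        "PsProtectedSignerWinTcb", "PsProtectedSignerWinSystem", "PsProtectedSignerApp" };
    return s < sizeof(names) / sizeof(names[0]) ? names[s] : "PsProtectedSignerInvalid";
}

// Human-readable form of a Protection byte, e.g. for a status tooltip.
std::string describeProtectionLevel(uint8_t level) {
    const PsProtection p = parseProtectionLevel(level);
    std::string s = std::string(signerName(p.signer)) + " / " + typeName(p.type);
    if (p.audit) s += " (audit)";
    return s;
}

int main() {
    const uint8_t levels[] = { 0x00, PS_PROTECTED_ANTIMALWARE_LIGHT, 0x62 };
    for (uint8_t l : levels) std::printf("0x%02x  %s\n", l, describeProtectionLevel(l).c_str());
    return 0;
}
```

The constant the WinDbg `eb` line writes is reproduced by `makeProtectionLevel`, which is a quick way to check a value before poking it into `EPROCESS` on a different build.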