Merge pull request #1800 from SolitudePy/develop

ikelos · web-flow · commit 686057d8060d · 2025-05-07T22:03:37.000+01:00
add functions to etwpatch
diff --git a/volatility3/framework/plugins/windows/etwpatch.py b/volatility3/framework/plugins/windows/etwpatch.py
@@ -12,6 +12,8 @@
 vollog = logging.getLogger(__name__)
 
 
+# EtwpEventWriteFull -> https://github.com/SolitudePy/Stealthy-ETW-Patch
+# CAPA rule -> https://github.com/mandiant/capa-rules/blob/master/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
 class EtwPatch(interfaces.plugins.PluginInterface):
     """Identifies ETW (Event Tracing for Windows) patching techniques used by malware to evade detection.
 
@@ -30,10 +32,14 @@ class EtwPatch(interfaces.plugins.PluginInterface):
                 "EtwEventWrite",
                 "EtwEventWriteFull",
                 "NtTraceEvent",
+                "ZwTraceEvent",
+                "NtTraceControl",
+                "ZwTraceControl",
+                "EtwpEventWriteFull",
             ],
         },
         "advapi32.dll": {
-            pe_symbols.wanted_names_identifier: ["EventWrite"],
+            pe_symbols.wanted_names_identifier: ["EventWrite", "TraceEvent"],
         },
     }
 
@@ -75,7 +81,6 @@ def _generator(self):
             kernel_module_name=self.config["kernel"],
             filter_func=filter_func,
         ):
-
             try:
                 proc_id = proc.UniqueProcessId
                 proc_name = utility.array_to_string(proc.ImageFileName)
