SkillAgentSearch skills...

ETWProcessMon2

ETWProcessMon2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detection by VirtualMemAlloc Events (in-memory) etc.

GenerateConvertImprove

Install / Use

/learn @DamonMohammadbagher/ETWProcessMon2
About this skill

Quality Score

0/100

Category

Operations

Supported Platforms

Universal

README

ETWProcessMon2 (v2.1)

ETWProcessMon2 (ver2) is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detection by VirtualMemAlloc Events (in-memory) etc.

Note: ETWProcessMon2.1 (v2.1) is new version of code, in this new version VirtualMemAlloc Events removed from source code & now Code Performance is very fast/good (this version ETWProcessMon2.1 will work with ETWPM2Monitor2 v2.1 very good for Technique/Payload Detection via ETW Events)

Note: if your "Windows Defender Anti-virus" have/had problem with ETWPM2Monitor2.exe you should Disable AV to use this Tool (Real-time should be off also Tamper Protection should be off, ...), Sometimes ETWPM2Monitor2.exe crashed by AVs so you should test these tools (ETWPM2Monitor2.1 , SysPM2Monitor2.7) in windows without Antivirus (Disabled AV)

ETWProcessMon2.exe

"ETWProcessMon" is simple tool for Monitor Processes/Threads/Memory/Imageloads/TCPIP Events via ETW, with this code you can Monitor New Processes also you can See New Threads (Thread Started event) + Technique Detection for Remote-Thread-Injection (Which Means Your New Thread Created into Target Process by Another Process), also with this code you can Monitor VirtualMemAllocation Events in Memory for All Processes (which sometimes is very useful for Payload Detection in-memory) also you can see ImageLoads for each Process & you can see TCPIP Send Events for each Process too.

simple examples for using [output.txt information] which made by ETWProcessMon2.1 to detect Dll loads after RemoteThreadInjection Attack into Mspaint Process via Sliver-C2 Http/s Beacons

ETWProcessMon2.exe v2.1 for Dll Loads Detection via DLL Loads ETW Events....

ETWProcessMon2.exe v2.1 for Dll Loads Detection via DLL Loads ETW Events....

in these second examples you can see how we can use ETWProcessMon/2 v1/v1.1 or v2.1 for Payload Detection or Beacon Detection via Abnormal ETW VirtualMemAlloc Events & Thread Start Events .

ETWProcessMon.exe v1.0/v1.1/v2.0 vs ETWProcessMon2.exe v2.1 for Beacon Detection via VirtualMemAlloc ETW Events....

ETWProcessMon.exe v1.0/v1.1/v2.0 vs ETWProcessMon2.exe v2.1 for Beacon Detection via VirtualMemAlloc ETW Events....

also in the next picture you can see what we can find in "ETWProcessMonlog.txt" file which made by ETWProcessMon v1.0 , v1.1 and v2.0 , but in ETWProcessMon2.exe v2.1 we don't have this text log file, for example you can see in Cobaltstrike v4.4 with Sleep Command (which will Encrypt/Decrypt MZ Header in-memory) you will have Abnormal ETW VirtualMemAlloc Events for Target Process in this case "Notepad", as you can see when Sleep set to 2 then we have every 2 sec ETW VirtualMemAlloc Events for same StartAddress (in-memory) for Process Notepad. (Delta time for Each ETW event is 2 sec because Sleep Set to 2 secs)

format in ETWProcessMonlog.txt log file for version (1.0 , 1.1 and 2.0):

ETWProcessMonlog.txt and example of ETW VirtualMemAlloc event records:

 "[3/23/2022 5:07:51 PM] PID:(5140) TID(6628) :1661968515072:65536:MEM_COMMIT, MEM_RESERVE:0x10000:0x182f50c0000 [VirtualMemAlloc]"

in this VirtualMemAlloc Record in ETWProcessMonlog.txt you have these informations:

  [Date Time] PID:(????) TID(????) :Win32StartAddress:Size_of_Allocation:Mem_Commit, Mem_Reserve:Length:StartAddress]

so your ETW VirtualMemAlloc Event informations are :

  Date time => [3/23/2022 5:07:51 PM]
  PID => 5140
  TID => 6628
  Win32StartAddress => 1661968515072
  Size_of_Allocation => 65536
  Memory info => MEM_COMMIT, MEM_RESERVE
  Length:StartAddress => 0x10000:0x182f50c0000

ETWProcessMon.exe v1.0/v1.1 for Beacon Detection via VirtualMemAlloc ETW Events....

when you change Delay execution (DelayExecution,SleepEx APIs) from 2 to 4 then in-memory you will have ETW VirtualMemAlloc Events every 4 Sec (Delta-time) for Notepad Process (Real-time)

ETWProcessMon.exe v1.0/v1.1 for Beacon Detection via VirtualMemAlloc ETW Events....

in this simple example you can see how we can use ETWProcessMon2.exe v2.1 + ETWPM2Monitor2.exe v2.1 for Technique Detection & Payload Detection via ETW Events, in this case syscall technique Detected by ETW Events & ETWPM2Monitor2 v2.1

ETWProcessMon2.exe v2.1 + ETWPM2Monitor2 v2.1 for Technique Detection via ETW Events....

Note: VirtualMemAlloc for (Payload-Detection) + ImageLoad & Remote-Thread-Injection Detection for (Technique-Detection) are useful for Blue Teams/Defenders, New Code "VirtualMemAllocMon.exe" created & in this code you can monitor all VirtualMemAlloc Events for ALL Process without using "ETWProcessMon2.exe" for more information => (https://github.com/DamonMohammadbagher/ETWProcessMon2/tree/main/VirtualMemAllocMon)

Note: in ETWProcessMon2 (v2.0) NewProcess events + Remote-Thread-Injection Detecetion events + TCPIP send events all will save in Windows Event Log which with EventViewer you can watch them also VirtualMemAlloc events + Remote-thread-injection Detection Events will save in text "ETWProcessMonlog.txt" log file too (at the same time). so in this version2 we have two type of Events log files => 1."windows event logs [ETWPM2]" , 2."ETWProcessMonlog.txt".

Note: ETWProcessMon2.1 (v2.1) is new version of code, in this new version VirtualMemAlloc Events removed from source code that means now we don't have Text log file for VirtualMemAlloc Events & now Code Performance is very fast/good (this version ETWProcessMon2.1 will work with ETWPM2Monitor2 v2.1 very good for Technique/Payload Detection via ETW Events) but if you want VirtualMemAlloc Events by ETW you can use VirtualMemAllocMon.exe v1.1 C# Source code which is Memory scanner based on ETW VirtualMemAlloc events.

Note: ETWProcessMon2.exe (v2.1) & ETWPM2Monitor2.exe (v2.1) published in "bin" directory. (8 Feb, 2022)

ETW Events in event log [ETWPM2]:

[Information] Event ID 1  => NewProcess event 
[Warning]     Event ID 2  => Remote-Thread-Injection Detection event 
[Information] Event ID 3  => TCPIP Send event

Build Project Note: you should install this nuget in your project for ETWProcessMon2

PM> Install-Package Microsoft.Diagnostics.Tracing.TraceEvent -Version 2.0.69            
or
PM> Install-Package Microsoft.Diagnostics.Tracing.TraceEvent -Version 2.0.70

md5 info [ETWProcessMon2.exe], "exe files are not safe here in github so make your own exe files with C# source by yourself [i recommend]":

b913a0d66d-750478c5a8-1d557aad377d => ETWProcessMon2.exe
951aef1888-093fca9e67-d881615ed10b => ETWProcessMon2.exe (v2.1) 16,May,2022

Videos:

Video: https://www.youtube.com/watch?v=DMtMTkAfFNo

this Video is for (Version 1), ETWProcessMon.exe v1 download & (step by step with details) => https://github.com/DamonMohammadbagher/ETWNetMonv3

Video [3], [Video-3 of Chapter15-Part2]: (video is about C# + ETW vs Process Hollowing, DInvoke (syscall),Loading dll/functions from Memory,Classic-RemoteThreadInjection)

C# + ETW vs Some Thread/Process/Code Injection Techniques (CH15-Part2):

link1 => https://www.youtube.com/watch?v=d1a8WqOvE84

link2 => https://share.vidyard.com/watch/4kB2Xy1bLfhRxaTD6pwaLD

VirtualMemAllocMon.exe v1.1 & VirtualMemAllocMon.exe v2.0

VirtualMemAllocMon is for Monitoring VirtualMemAlloc Event via ETW, when some Native APIs like "VirtualAllocEx" called by your code this event will happen via ETW. (Payload Detection by VirtualMemAlloc Events [in-memory] for All Processes).

"VirtualMemAllocMon" is simple tool for Monitor VirtualMemAlloc events in all Processes via ETW, with this code you can Monitor New VirtualMemAlloc Events for each Process, the goal is Payload Detection & my focus was on "Local Create Thread" & "Remote Thread Injection" + Meterpreter payload & Pe "MZ header" in-memory which made by Meterpreter x64 payload or Cobaltstrike x86 payload. this code will useful sometimes for Defenders & Blue Teamers but Pentesters/Red Teamers can use this too.

Video step by step for working with VirtualMemAllocMonv2.0 & v2.1 : https://www.youtube.com/watch?v=26ZBx5fw25s

md5 info:

25d54c2073-74411e9f4f-7488ee33cc78 => VirtualMemAllocMon.exe (v1.1) 16,May,2022
d42ca87133-977815440d-be8bd04c9589 => VirtualMemAllocMon.exe (v2.0.0.1) 16,May,2022
effd066c8c-d4d1f9db4d-8d78a501a075 => VirtualMemAllocMon.exe (v2.1.0.1) 01,Jan,2024

VirtualMemAllocMon v1.1 & Detecting Local Thread Injection Attack by sleep-mask method via ShellcodeFluctuation tool (Detecting payload in-memory before encoding via xor & Pe Header)

VirtualMemAllocMon v2.2 & Detecting EKKO Technique + JMP Method and ...

VirtualMemAllocMon v2.0 & VirtualMemAlloc ETW Event

VirtualMemAllocMon v1.1 &

Related Skills

tmux

341.6k

Remote-control tmux sessions for interactive CLIs by sending keystrokes and scraping pane output.

terraform-provider-genesyscloud

Terraform Provider Genesyscloud

blogwatcher

341.6k

Monitor blogs and RSS/Atom feeds for updates using the blogwatcher CLI.

prd

Raito Bitcoin ZK client web portal.

DamonMohammadbagher

View profile

View on GitHub
GitHub Stars320
CategoryOperations
Updated19d ago
Forks69
DamonMohammadbagher/ETWProcessMon2

Languages

C#

Security Score

85/100

Audited on Mar 11, 2026

No findings