There is a nice trick to hide the fact that your .NET assemblies do not have ETW logging.
Let's see if we can detect this without relying on environment variables.
ETW logging is initialised in mscorwks.dll!CEtwTracer::Register:
As you can see, if ETW logging was disabled, none of the related ETW function pointers will be initialised. So it is enough to check in the debugger the values of
Let's see if we can detect this without relying on environment variables.
ETW logging is initialised in mscorwks.dll!CEtwTracer::Register:
lea rcx, aEtwenabled ; "ETWEnabled"
mov [rsp+168h+var_148], 0
lea r9d, [rdx+1]
lea r8d, [rdx+7]
call ?GetConfigDWORD@EEConfig@@SAKPEBGKKHW4ConfigSearch@1@@Z
test eax, eax
jz loc_6427F59447D ; skip
loc_6427F5943B8:
lea rcx, aAdvapi32_dll_3 ; "advapi32.dll"
call cs:__imp_GetModuleHandleW
test rax, rax
mov cs:?m_hModule@CEtwTracer@@0PEAUHINSTANCE__@@EA, rax ; HINSTANCE__ * CEtwTracer::m_hModule
jz loc_6427F594473
lea rdx, aRegistertraceg ; "RegisterTraceGuidsW"
mov rcx, rax ; hModule
call cs:__imp_GetProcAddress
mov rcx, cs:?m_hModule@CEtwTracer@@0PEAUHINSTANCE__@@EA ; hModule
lea rdx, aUnregistertrac ; "UnregisterTraceGuids"
mov cs:?g_pufnRegisterTraceGuids@@3P6AKP6AKW4WMIDPREQUESTCODE@@PEAXPEAK1@Z1PEBU_GUID@@KPEAU_TRACE_GUID_REGISTRATION@@PEBG6PEA_K@ZEA, rax ; ulong (*g_pufnRegisterTraceGuids)(ulong (*)(WMIDPREQUESTCODE,void *,ulong *,void *),void *,_GUID const *,ulong,_TRACE_GUID_REGISTRATION *,ushort const *,ushort const *,unsigned __int64 *)
call cs:__imp_GetProcAddress
mov rcx, cs:?m_hModule@CEtwTracer@@0PEAUHINSTANCE__@@EA ; hModule
lea rdx, aGettracelogger ; "GetTraceLoggerHandle"
mov cs:?g_pufnUnregisterTraceGuids@@3P6AK_K@ZEA, rax ; ulong (*g_pufnUnregisterTraceGuids)(unsigned __int64)
call cs:__imp_GetProcAddress
mov rcx, cs:?m_hModule@CEtwTracer@@0PEAUHINSTANCE__@@EA ; hModule
lea rdx, aGettraceenable ; "GetTraceEnableLevel"
mov cs:?g_pufnGetTraceLoggerHandle@@3P6A_KPEAX@ZEA, rax ; unsigned __int64 (*g_pufnGetTraceLoggerHandle)(void *)
call cs:__imp_GetProcAddress
mov rcx, cs:?m_hModule@CEtwTracer@@0PEAUHINSTANCE__@@EA ; hModule
lea rdx, aGettraceenab_1 ; "GetTraceEnableFlags"
mov cs:?g_pufnGetTraceEnableLevel@@3P6AE_K@ZEA, rax ; uchar (*g_pufnGetTraceEnableLevel)(unsigned __int64)
call cs:__imp_GetProcAddress
mov rcx, cs:?m_hModule@CEtwTracer@@0PEAUHINSTANCE__@@EA ; hModule
lea rdx, aTraceevent ; "TraceEvent"
mov cs:?g_pufnGetTraceEnableFlags@@3P6AK_K@ZEA, rax ; ulong (*g_pufnGetTraceEnableFlags)(unsigned __int64)
call cs:__imp_GetProcAddress
mov cs:?g_pufnTraceEvent@@3P6AK_KPEAU_EVENT_TRACE_HEADER@@@ZEA, rax ; ulong (*g_pufnTraceEvent)(unsigned __int64,_EVENT_TRACE_HEADER *)
As you can see, the result of the "ETWEnabled" config lookup decides everything: when it returns zero, the jz skips the whole advapi32.dll / GetProcAddress block, so none of the related ETW function pointers are ever initialised. It is therefore enough to check in the debugger the values of
- g_pufnUnregisterTraceGuids
- g_pufnGetTraceEnableLevel
- g_pufnTraceEvent
- g_pufnGetTraceEnableFlags
- g_pufnGetTraceLoggerHandle
- g_pufnRegisterTraceGuids
If they contain NULL, or some garbage that does not point into advapi32.dll, logging does not work.