
bypasscore/spectra

Spectra

ETW Bypass and Telemetry Evasion Research Toolkit

Spectra is a research toolkit for studying Windows ETW (Event Tracing for Windows) telemetry and developing evasion techniques. It provides tools for ETW provider enumeration, trace session manipulation, event filtering/blocking, and telemetry analysis.

Educational and defensive security research only. See Disclaimer below.

Features

  • Provider Enumeration — Discover and query all ETW providers on a system, including metadata extraction, keyword/level filtering, and CSV export
  • Trace Session Management — Start, stop, query, and manipulate real-time ETW trace sessions with full configuration control
  • Event Filtering Engine — Predicate-based event filtering with support for provider, event ID, level, keyword, and process-based filters
  • ETW Patching Research — Study EtwEventWrite/NtTraceEvent patching techniques including return-early, NOP sled, and syscall redirect methods
  • Provider Unregistration — Research force-unregistration of ETW providers and thread-level ETW suppression via NtSetInformationThread
  • Trace Session Blinding — Techniques for suppressing event delivery including buffer exhaustion, session reconfiguration, and circular buffer overflow
  • Telemetry Mapping — Map ETW providers to security products, analyze MITRE ATT&CK technique coverage, and detect installed security solutions
  • Session Pool Exhaustion — Create dummy sessions to consume available trace session slots
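The Event Filtering Engine feature above describes predicate-based filtering over provider, event ID, level, keyword and process. As an added illustration (example code written for this README, not Spectra's own event_filter.cpp), the block below builds such predicates as composable functions and runs them over a handful of constructed events. The Event struct, the predicate and helper names, and the sample values are assumptions made for the example; the level and keyword rules follow the enable semantics documented for EnableTraceEx2: a session enabled at level N receives events of level N or lower, level 0 and keyword 0 events are always delivered, and a non-zero keyword must share a bit with MatchAnyKeyword and contain every bit of MatchAllKeyword.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <iterator>
#include <string>
#include <vector>

// Constructed event record carrying the fields an ETW consumer filters on.
struct Event {
    std::string provider;  // provider name
    uint16_t    id;        // event ID
    uint8_t     level;     // 1 = Critical ... 5 = Verbose; 0 = always logged
    uint64_t    keyword;   // provider-defined keyword bitmask
    uint32_t    pid;       // process that emitted the event
};

using Predicate = std::function<bool(const Event&)>;

// Level threshold as ETW applies it: a session enabled at level N receives
// events whose level is <= N, and level 0 events are always delivered.
Predicate max_level(uint8_t n) {
    return [n](const Event& e) { return e.level == 0 || e.level <= n; };
}

// Keyword rule as documented for EnableTraceEx2: an event with keyword 0 is
// always delivered; otherwise it must share a bit with match_any and, when
// match_all is non-zero, contain every bit of match_all.
Predicate keywords(uint64_t match_any, uint64_t match_all = 0) {
    return [match_any, match_all](const Event& e) {
        if (e.keyword == 0) return true;
        if ((e.keyword & match_any) == 0) return false;
        return (e.keyword & match_all) == match_all;
    };
}

Predicate provider_is(std::string name) {
    return [name](const Event& e) { return e.provider == name; };
}

Predicate event_id_in(std::vector<uint16_t> ids) {
    return [ids](const Event& e) {
        return std::find(ids.begin(), ids.end(), e.id) != ids.end();
    };
}

// Drop one process's events, e.g. the consumer's own PID, to avoid feedback loops.
Predicate pid_not(uint32_t pid) {
    return [pid](const Event& e) { return e.pid != pid; };
}

// Combinators, so filters compose without a bespoke rule language.
Predicate all_match(std::vector<Predicate> ps) {
    return [ps](const Event& e) {
        return std::all_of(ps.begin(), ps.end(), [&](const Predicate& p) { return p(e); });
    };
}
Predicate any_match(std::vector<Predicate> ps) {
    return [ps](const Event& e) {
        return std::any_of(ps.begin(), ps.end(), [&](const Predicate& p) { return p(e); });
    };
}
Predicate not_match(Predicate p) {
    return [p](const Event& e) { return !p(e); };
}

std::vector<Event> apply_filter(const std::vector<Event>& in, const Predicate& keep) {
    std::vector<Event> out;
    std::copy_if(in.begin(), in.end(), std::back_inserter(out), keep);
    return out;
}

// Constructed sample events: the provider names are real, everything else is made up.
std::vector<Event> sample_events() {
    return {
        {"Microsoft-Windows-Kernel-Process",    1,    4, 0x10, 4321},
        {"Microsoft-Windows-Kernel-Process",    2,    4, 0x10, 4321},
        {"Microsoft-Windows-Kernel-Process",    5,    5, 0x20, 4321},  // too verbose
        {"Microsoft-Windows-Kernel-Process",    1,    4, 0x10, 1000},  // our own PID
        {"Microsoft-Windows-Security-Auditing", 4624, 0, 0,    800},   // level 0 / keyword 0
        {"Microsoft-Windows-DNS-Client",        3008, 4, 0x1,  4321},  // wrong provider
    };
}

// Keep informational process and audit events carrying keyword bit 0x10 (or no
// keyword at all), excluding PID 1000. Three of the six samples survive.
size_t demo_filter_count() {
    Predicate keep = all_match({
        any_match({provider_is("Microsoft-Windows-Kernel-Process"),
                   provider_is("Microsoft-Windows-Security-Auditing")}),
        max_level(4),
        keywords(0x10),
        pid_not(1000),
    });
    return apply_filter(sample_events(), keep).size();
}

int main() {
    for (const Event& e : apply_filter(sample_events(), all_match({max_level(4), pid_not(1000)})))
        std::printf("%s id=%u level=%u pid=%u\n", e.provider.c_str(),
                    (unsigned)e.id, (unsigned)e.level, (unsigned)e.pid);
    std::printf("demo filter kept %zu events\n", demo_filter_count());
    return 0;
}
```

The same predicate shape works on the consumer side of a real-time session: a detection pipeline typically pins the provider and level at enable time and applies the finer event-ID and process predicates in the consumer callback, which is where a filter engine like this one sits.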

Architecture

src/
  core/
    etw_provider.h/.cpp      ETW provider enumeration and metadata
    trace_session.h/.cpp      Trace session management (start/stop/query)
    event_filter.h/.cpp       Predicate-based event filtering engine
  evasion/
    patch_etw.h/.cpp          EtwEventWrite/NtTraceEvent patching
    provider_unregister.h/.cpp Provider unregistration techniques
    trace_blind.h/.cpp        Trace session blinding and suppression
  analysis/
    telemetry_map.h/.cpp      Provider-to-product mapping and coverage analysis
  utils/
    ntapi.h                   NT API definitions and syscall stubs
    memory.h/.cpp             Memory patching, pattern scanning, VirtualProtect RAII
  main.cpp                    CLI entry point with subcommands
tests/
  test_provider_enum.cpp      Provider enumeration unit tests
  test_event_filter.cpp       Event filter engine unit tests
docs/
  etw-internals.md            ETW architecture deep-dive
  evasion-techniques.md       Evasion techniques catalog

Build

Requirements

  • Windows 10/11 (x64)
  • Visual Studio 2019+ or MSVC Build Tools
  • CMake 3.16+
  • Windows SDK 10.0.19041.0+

Build Steps

mkdir build && cd build
cmake .. -G "Visual Studio 17 2022" -A x64
cmake --build . --config Release

Or with MSBuild:

mkdir build && cd build
cmake .. -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=Release
nmake

Run Tests

cd build
ctest -C Release --verbose

Usage

Enumerate ETW Providers

# List all providers
spectra.exe enumerate

# Filter by name
spectra.exe enumerate --filter "Kernel"

# Export to CSV
spectra.exe enumerate --csv providers.csv

Manage Trace Sessions

# List active sessions
spectra.exe trace list

# Start a new session
spectra.exe trace start --session MySession

# Stop a session
spectra.exe trace stop --session MySession

ETW Patching (Research)

# Patch EtwEventWrite with xor eax,eax; ret
spectra.exe patch EtwEventWrite --method xor

# Syscall-level patching
spectra.exe patch NtTraceEvent --method syscall

# Restore original bytes
spectra.exe patch EtwEventWrite --restore
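A defender's counterpart to the patch subcommand, added here as an example and not part of Spectra's code: an integrity check that compares the leading bytes of a function as loaded in a process with the same bytes from a clean copy of the module, and names the stub it finds so an alert can say which method was used. The reference prologue bytes, the helper names and the sample patches are constructed for the example. In real use the live bytes would be read from the monitored process (from a separate process with ReadProcessMemory, or from an EDR's kernel component) and the reference from a freshly mapped copy of the DLL on disk, with relocations accounted for before comparing.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// What the comparison found at the start of the function.
enum class PatchKind { Intact, RetEarly, XorEaxRet, MovZeroRet, NopSled, Detour, Unknown };

std::string to_string(PatchKind k) {
    switch (k) {
        case PatchKind::Intact:     return "intact";
        case PatchKind::RetEarly:   return "ret (return-early stub)";
        case PatchKind::XorEaxRet:  return "xor eax,eax ; ret";
        case PatchKind::MovZeroRet: return "mov eax,0 ; ret";
        case PatchKind::NopSled:    return "NOP sled";
        case PatchKind::Detour:     return "jmp to foreign code (inline hook)";
        default:                    return "unknown modification";
    }
}

// Compare the leading bytes of a function as mapped in a process (for example
// ntdll!EtwEventWrite) against the same bytes from a clean copy of the module.
// Any difference is a finding; the stubs ETW bypasses commonly leave behind are
// named, and anything else is still reported rather than ignored.
PatchKind classify_prologue(const std::vector<uint8_t>& live,
                            const std::vector<uint8_t>& reference) {
    const size_t n = std::min(live.size(), reference.size());
    if (n == 0) return PatchKind::Unknown;
    if (std::equal(live.begin(), live.begin() + n, reference.begin()))
        return PatchKind::Intact;
    const uint8_t* b = live.data();
    if (n >= 3 && (b[0] == 0x33 || b[0] == 0x31) && b[1] == 0xC0 && b[2] == 0xC3)
        return PatchKind::XorEaxRet;                   // xor eax,eax ; ret
    if (n >= 6 && b[0] == 0xB8 && b[1] == 0 && b[2] == 0 && b[3] == 0 && b[4] == 0 && b[5] == 0xC3)
        return PatchKind::MovZeroRet;                  // mov eax,0 ; ret
    if (b[0] == 0xC3)
        return PatchKind::RetEarly;                    // ret
    size_t nops = 0;
    while (nops < n && b[nops] == 0x90) ++nops;
    if (nops > 0 && (nops == n || b[nops] == 0xC3))
        return PatchKind::NopSled;                     // nop ... nop ; ret
    if (n >= 5 && b[0] == 0xE9)
        return PatchKind::Detour;                      // jmp rel32
    if (n >= 6 && b[0] == 0xFF && b[1] == 0x25)
        return PatchKind::Detour;                      // jmp [rip+disp32]
    if (n >= 12 && b[0] == 0x48 && b[1] == 0xB8 && b[10] == 0xFF && b[11] == 0xE0)
        return PatchKind::Detour;                      // mov rax,imm64 ; jmp rax
    return PatchKind::Unknown;
}

// Constructed stand-in for the clean prologue; these are not the real ntdll bytes.
const std::vector<uint8_t> kReferencePrologue = {
    0x48, 0x83, 0xEC, 0x38, 0x48, 0x8B, 0xD9, 0x4C, 0x8B, 0xC2, 0x45, 0x33, 0xC9};

// Simulate a patched function: the reference with its first bytes overwritten.
std::vector<uint8_t> overlay(const std::vector<uint8_t>& base,
                             const std::vector<uint8_t>& patch) {
    std::vector<uint8_t> out = base;
    for (size_t i = 0; i < patch.size() && i < out.size(); ++i) out[i] = patch[i];
    return out;
}

int main() {
    struct Sample { const char* name; std::vector<uint8_t> patch; };
    const Sample samples[] = {
        {"clean",      {}},
        {"xor method", {0x33, 0xC0, 0xC3}},
        {"ret",        {0xC3}},
        {"nop sled",   {0x90, 0x90, 0x90, 0xC3}},
        {"mov eax,0",  {0xB8, 0x00, 0x00, 0x00, 0x00, 0xC3}},
        {"jmp rel32",  {0xE9, 0x10, 0x20, 0x30, 0x40}},
        {"int3",       {0xCC}},
    };
    for (const Sample& s : samples) {
        PatchKind k = classify_prologue(overlay(kReferencePrologue, s.patch), kReferencePrologue);
        std::printf("%-12s -> %s\n", s.name, to_string(k).c_str());
    }
    return 0;
}
```

Two caveats matter in practice. The --restore subcommand puts the original bytes back, so a poll that runs only later sees an intact function; the comparison has to run at the moment the process is of interest (on suspicious module loads or at regular short intervals) and the finding recorded when it is seen. And a check of EtwEventWrite alone says nothing about NtTraceEvent, so the same comparison should be run over every export a bypass can target, which for this toolkit means at least both names used by the patch subcommand.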

Trace Session Blinding

# List security-relevant sessions
spectra.exe blind

# Blind a specific session
spectra.exe blind "EventLog-Security" --method reconfig

# Blind all non-kernel sessions
spectra.exe blind --all --method exhaust

Telemetry Analysis

# Full system analysis
spectra.exe analyze

# Show detected products
spectra.exe analyze --products

# Export report
spectra.exe analyze --report telemetry.json

Documentation

Disclaimer

This toolkit is intended strictly for educational and defensive security research purposes. It is designed to help security researchers, blue team operators, and detection engineers understand ETW telemetry and evasion techniques in order to build more resilient detection systems.

Do not use this software against systems without explicit authorization. Unauthorized access to computer systems is illegal in most jurisdictions. The authors assume no liability for misuse of this software.

By using Spectra, you agree to use it only in accordance with applicable laws and regulations, and only on systems you own or have explicit permission to test.

Contact

Support

Help keep BypassCore open-source and independent.

Network Address
Polygon 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
Ethereum 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
BSC 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
Arbitrum 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
Optimism 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a
Avalanche 0xd0f38b51496bee61ea5e9e56e2c414b607ab011a

USDT / USDC / ETH / BNB accepted on all networks.

License

MIT License. See LICENSE for details.
