According to Microsoft, Event Tracing for Windows (ETW) is a kernel-level mechanism in Windows OS that enables tracing and logging of kernel & user-application events. Whether you realize it or not, ETW is deeply integrated in the entirety of Windows Internals to detect malicious use of .NET assemblies.
Alternative ETW Patching
From an offensive perspective, we know that ETW events are sent from userland, and these ETW events are issued from within a process that we control. Just like any other security model that relies on user-application to behave correctly, this will never end up in the favor of security, which brings us to the famous one-byte patch of ETW/AMSI.
Traditional Patching
Majority of well-known ETW patching methods from MDSec & binarly.io suggest patching ntdll!ETWEventWrite. This is a trendy patching technique, so we want to avoid it.
Locating ETW Events
First, fire up IDA Pro to look for potential candidates to patch. We'll start by analyzing amsi.dll and look for AmsiScanBuffer from the Export Address Table (EAT).
In one of the branches, AmsiScanBuffer will end up calling some dodgy looking function like WPP_SF_qqDqq. Looking up this term from MSDN suggests that Windows Software Trace Preprocessor (WPP) is related to ETW.
Continue to trace the function call from WPP will soon leads us to TraceMessage.
As usual, we'll try seeking help from MSDN since we have no idea what the API mean.
Interesting enough, TraceMessage is an API that belongs in advapi32.dll.
Open up advapi32.dll in IDA and continue following the API calls until we eventually reach a syscall stub.
At this point onwards, ntdll!NtTraceEvent is the lowest level possible that we can reach from user-land before a syscall, so we will be patching this API call to neutralize ETW.
To verify the level of granular coverage we have by patching NtTraceEvent, look up the xrefs of the API. Notice how most of the caller function is associated with EtwEventWrite anyway, so we are better off by patching NtTraceEvent.
At the point of writing, there seems to be another NT level API that is associated to ETW as well, known as NtTraceControl. However, it has lesser xrefs, meaning we will have lesser coverage by patching this.
Not to forget, most of the caller e.g. EtwRegisterSecurityProvider and EtwUserDescriptorType seems to be responsible of setting up ETW itself rather than writing ETW events, so patching this API will provide no advantage to us from an evasion perspective.