jdu2600/Etw-SyscallMonitor external links

---

GitHub - View repository

GitHub.dev - Open in online code editor

Star history - Growth chart over time

deps.dev - Dependencies and security vulnerabilities

Gitingest - Export source code for LLM usage

Repomix - Export source code for LLM usage

uithub - Export source code for LLM usage

Close

jdu2600/Etw-SyscallMonitor

Readme badge preview -

If you own this repo, copy the snippet below and add it to your README.md

---

Copy

[![RelatedRepos](https://img.shields.io/badge/related-repos-yellow)](https://relatedrepos.com/gh/jdu2600/Etw-SyscallMonitor)

Close

jdu2600 / Etw-SyscallMonitorView on GitHubMore

• External links
• Readme badge

Monitors ETW for security relevant syscalls maintaining the set called by each unique process

☆88May 17, 2023Updated 2 years ago

Alternatives and similar repositories for Etw-SyscallMonitor

Users that are interested in Etw-SyscallMonitor are comparing it to the libraries listed below

• jdu2600 / CFG-FindHiddenShellcode

  View on GitHub
  Walks the CFG bitmap to find previously executable but currently hidden shellcode regions
  ☆133May 17, 2023Updated 2 years ago
• jdu2600 / EtwTi-FluctuationMonitor

  View on GitHub
  Uses Threat-Intelligence ETW events to identify shellcode regions being hidden by fluctuating memory protections
  ☆169May 17, 2023Updated 2 years ago
• jonny-jhnson / ETWInspector

  View on GitHub
  ☆181Apr 24, 2025Updated 10 months ago
• gabriellandau / ShadowStackWalk

  View on GitHub
  Finding Truth in the Shadows
  ☆123Jan 26, 2023Updated 3 years ago
• thefLink / Hunt-Weird-ImageLoads

  View on GitHub
  Small tool to play with IOCs caused by Imageload events
  ☆44May 14, 2023Updated 2 years ago
• kleiton0x00 / Proxy-DLL-Loads

  View on GitHub
  A proof of concept demonstrating the DLL-load proxying using undocumented Syscalls.
  ☆411Jan 11, 2026Updated last month
• KelvinMsft / TechMyths

  View on GitHub
  ☆18Mar 28, 2023Updated 2 years ago
• zero2504 / EDR-GhostLocker

  View on GitHub
  AppLocker-Based EDR Neutralization
  ☆321Dec 19, 2025Updated 2 months ago
• pathtofile / Sealighter

  View on GitHub
  Sysmon-Like research tool for ETW
  ☆386Nov 15, 2022Updated 3 years ago
• xuanxuan0 / TiEtwAgent

  View on GitHub
  PoC memory injection detection agent based on ETW, for offensive and defensive research purposes
  ☆301Apr 10, 2021Updated 4 years ago
• jackullrich / syscall-detect

  View on GitHub
  PoC capable of detecting manual syscalls from usermode.
  ☆206Nov 13, 2025Updated 3 months ago
• whokilleddb / ETWListicle

  View on GitHub
  List the ETW provider(s) in the registration table of a process.
  ☆80Sep 20, 2023Updated 2 years ago
• thefLink / Hunt-Sleeping-Beacons

  View on GitHub
  Aims to identify sleeping beacons
  ☆662Jan 25, 2026Updated last month
• connormcgarr / EATGuard

  View on GitHub
  Implementation of an export address table protection mitigation, like Export Address Filtering (EAF)
  ☆115May 21, 2023Updated 2 years ago
• LloydLabs / ntqueueapcthreadex-ntdll-gadget-injection

  View on GitHub
  This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret …
  ☆263Apr 29, 2023Updated 2 years ago
• Midi12 / QueryWorkingSetExample

  View on GitHub
  Just an example of a well-known technique to detect memory tampering via Windows Working Sets.
  ☆18Jan 15, 2022Updated 4 years ago
• ToweringDragoon / SACL_Scanner

  View on GitHub
  SACL Scanner is a tool designed to scan and analyze SACLs.
  ☆51Feb 13, 2025Updated last year
• CognisysGroup / SweetDreams

  View on GitHub
  Implementation of Advanced Module Stomping and Heap/Stack Encryption
  ☆225Jul 25, 2023Updated 2 years ago
• N4kedTurtle / SharpTeamsDump

  View on GitHub
  Dump Teams conversations
  ☆18Jun 9, 2021Updated 4 years ago
• senzee1984 / EDRPrison

  View on GitHub
  Leverage a legitimate WFP callout driver to prevent EDR agents from sending telemetry
  ☆458Aug 2, 2024Updated last year
• DamonMohammadbagher / ETWProcessMon2

  View on GitHub
  ETWProcessMon2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detecti…
  ☆319Mar 20, 2024Updated last year
• 0xflux / Sanctum

  View on GitHub
  Sanctum is an experimental proof-of-concept EDR, designed to detect modern malware techniques, above and beyond the capabilities of antiv…
  ☆515Feb 15, 2026Updated 2 weeks ago
• rasta-mouse / PPEnum

  View on GitHub
  Simple BOF to read the protection level of a process
  ☆118May 10, 2023Updated 2 years ago
• NtDallas / OdinLdr

  View on GitHub
  Cobaltstrike Reflective Loader with Synthetic Stackframe
  ☆186Jan 17, 2026Updated last month
• fortra / hw-call-stack

  View on GitHub
  Use hardware breakpoints to spoof the call stack for both syscalls and API calls
  ☆203Jun 6, 2024Updated last year
• iilegacyyii / DataInject-BOF

  View on GitHub
  Hijacks code execution via overwriting Control Flow Guard pointers in combase.dll
  ☆137Apr 18, 2025Updated 10 months ago
• outflanknl / macho-loader

  View on GitHub
  Position-independent Reflective Loader for macOS
  ☆118Feb 19, 2026Updated 2 weeks ago
• EspressoCake / BOF_NativeAPI_Definitions-VSCode

  View on GitHub
  A VSCode plugin to assist with BOF development.
  ☆37Aug 14, 2024Updated last year
• JanielDary / ImmoralFiber

  View on GitHub
  Two new offensive techniques using Windows Fibers: PoisonFiber (The first remote enumeration & Fiber injection capability POC tool) Phan…
  ☆283Sep 18, 2024Updated last year
• jdu2600 / API-To-ETW

  View on GitHub
  Uses ghidra to find all ETW write metadata for each API in a PE file
  ☆27Jul 26, 2024Updated last year
• hugsy / shared-kernel-user-section-driver

  View on GitHub
  Experiment to use sections as User/Kernelmode comm vector
  ☆22Apr 7, 2023Updated 2 years ago
• ElliotKillick / LdrLockLiberator

  View on GitHub
  For when DLLMain is the only way
  ☆424Oct 29, 2024Updated last year
• NtDallas / KrakenMask

  View on GitHub
  Sleep obfuscation
  ☆268Dec 13, 2024Updated last year
• jonny-jhnson / JonMon

  View on GitHub
  ☆252Jun 7, 2025Updated 8 months ago
• lap1nou / CLR_Heap_encryption

  View on GitHub
  ☆101Oct 7, 2023Updated 2 years ago
• Print3M / epic

  View on GitHub
  PIC shellcode (C/C++) development toolkit designed for malware developers.
  ☆122Dec 23, 2025Updated 2 months ago
• forrest-orr / moneta

  View on GitHub
  Moneta is a live usermode memory analysis tool for Windows with the capability to detect malware IOCs
  ☆807Mar 16, 2024Updated last year
• lem0nSec / CreateRemoteThreadPlus

  View on GitHub
  CreateRemoteThreadPlus: how to pass multiple parameters to the remote thread function without shellcode.
  ☆138Jul 10, 2025Updated 7 months ago
• CICADA8-Research / TypeLibWalker

  View on GitHub
  TypeLib persistence technique
  ☆140Oct 22, 2024Updated last year