# FindETWProviderImage

Quickly search for references to a GUID in DLLs, EXEs, and drivers.
## Usage

```
.\FindETWProviderImage.exe "your-guid-here" "\path\to\search\directory"
```

Demo: demo.mp4
## What Next?

Since the tool only returns basic offsets/RVAs, you'll still need to disassemble the image in Ghidra/IDA/etc.

My workflow is to load the image into the disassembler, run the initial automatic analysis, and then look for cross-references to the offset/RVA, specifically ones coming from `EventRegister()` (user mode) and `EtwRegister()` (kernel mode).
## To Do

- Add checks for `EventRegister()` and `EtwRegister()` to help identify providers
- Add provider name to GUID resolution functionality
## How it Works

- Recursively search the supplied directory for files ending with `.dll`, `.exe`, or `.sys`
- Use a Boyer-Moore search to parse each of the files for the target GUID across 4 threads
- If references are found in the image, return the offset and relative virtual address (RVA) of each reference
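The three steps above, worked through in Python as an added example (this is not the project's own code): the GUID string is converted to the byte layout a `GUID` struct has inside an image, every matching file is searched for those bytes, and each hit's file offset is mapped to an RVA by walking the PE section table. The standard library's `bytes.find` stands in for the tool's Boyer-Moore search and the scan is single-threaded. The GUID `12345678-1234-5678-9abc-def012345678` and the minimal PE32+ file built by `build_sample_image` are constructed for the demo and are not a real provider or binary.

```python
import os
import struct
import sys
import tempfile
import uuid


def guid_to_bytes(guid_str):
    """GUID as laid out in an image (the Windows GUID struct):
    Data1..Data3 little-endian, Data4 byte-for-byte."""
    return uuid.UUID(guid_str).bytes_le


def parse_sections(data):
    """(name, VirtualAddress, PointerToRawData, SizeOfRawData) per section
    header; [] if the file is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = first + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, raw_ptr, raw_size))
    return sections


def offset_to_rva(offset, sections):
    """File offset -> RVA via the section that backs it; None for header
    bytes, slack, or non-PE input (the hit is then reported offset-only)."""
    for _name, va, raw_ptr, raw_size in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            return offset - raw_ptr + va
    return None


def find_guid_references(data, guid_bytes):
    """Every (file_offset, rva) at which the GUID bytes occur in the image."""
    sections = parse_sections(data)
    hits, pos = [], 0
    while True:
        pos = data.find(guid_bytes, pos)
        if pos == -1:
            return hits
        hits.append((pos, offset_to_rva(pos, sections)))
        pos += 1


def scan_directory(root, guid_str, exts=(".dll", ".exe", ".sys")):
    """Recursively scan root for images referencing the GUID -> {path: hits}."""
    needle = guid_to_bytes(guid_str)
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                hits = find_guid_references(f.read(), needle)
            if hits:
                results[path] = hits
    return results


SAMPLE_GUID = "12345678-1234-5678-9abc-def012345678"   # constructed, not a real provider


def build_sample_image(guid_bytes):
    """Constructed minimal PE32+ file: DOS stub, COFF/optional headers and one
    .rdata section (file 0x200 -> RVA 0x1000) holding the GUID twice."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x40000040)           # IMAGE_SCN_CNT_INITIALIZED_DATA | READ
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    body = bytearray(0x200)
    body[0x10:0x20] = guid_bytes
    body[0x80:0x90] = guid_bytes
    return bytes(headers + body)


def demo_scan():
    """Write the sample image to a temp dir and scan it; hits keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "sample.dll"), "wb") as f:
            f.write(build_sample_image(guid_to_bytes(SAMPLE_GUID)))
        found = scan_directory(tmp, SAMPLE_GUID)
    return {os.path.basename(p): h for p, h in found.items()}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(demo_scan())                               # {'sample.dll': [(528, 4112), (640, 4160)]}
    else:
        for path, hits in scan_directory(sys.argv[2], sys.argv[1]).items():
            for off, rva in hits:
                print(f"{path}: offset 0x{off:X}", f"RVA 0x{rva:X}" if rva is not None else "RVA n/a")
```

Run without arguments to see the constructed sample scanned, or as `python find_guid.py "<guid>" "<directory>"` to mirror the tool's command line. A hit only proves the GUID bytes are present in the image; whether that image registers the provider is what the `EventRegister()`/`EtwRegister()` cross-reference check in the disassembler settles.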
## Credits

Thanks to Matt Graeber (@mattifestation) for the original idea of identifying provider images by locating GUIDs inside the files.