Quickly search for references to a GUID in DLLs, EXEs, and drivers
.\FindETWProviderImage.exe "<{provider-guid}|Provider-Name>" "\path\to\search\directory"
Since the tool is only returning basic offsets/RVAs, you'll still need to disassemble the image in Ghidra/IDA/etc.
My workflow is to load the image into the disassembler, do the initial automatic analysis, and then look for cross-references to the offset/RVA, specifically ones coming from EventRegister() (user mode) and EtwRegister() (kernel mode).
- Add checks for EventRegister() and EtwRegister() to help identify providers
- Add provider name to GUID resolution functionality
- If a provider name was specified, translate it to a GUID by parsing the registry and return the image if found there
- Recursively search the supplied directory for files ending with .dll, .exe, or .sys
- Use a Boyer-Moore search to parse each of the files for the target GUID across 4 threads
- If references are found in the image, return the offset and relative virtual address (RVA) of each reference
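The GUID search and the file-offset-to-RVA conversion described above, as an added Python example; this is not the tool's own code. The GUID and the minimal PE buffer are constructed for the demonstration, and the registry lookup, directory walk and threading are left out.

```python
import struct
import uuid

SAMPLE_GUID = "12345678-1234-5678-9abc-def012345678"  # constructed placeholder, not a real provider

def guid_pattern(guid_str):
    # In-image form is the Windows GUID struct (Data1..Data3 little-endian), i.e. uuid's bytes_le.
    return uuid.UUID(guid_str).bytes_le

def section_table(image):
    # (VirtualAddress, SizeOfRawData, PointerToRawData) for every section header.
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    first = coff + 20 + opt_size                          # IMAGE_SECTION_HEADER[0], 40 bytes each
    return [struct.unpack_from("<III", image, first + i * 40 + 12)
            for i in range(n_sections)]

def offset_to_rva(sections, offset):
    # Offsets in the headers or outside any section's raw data have no RVA (None).
    for va, raw_size, raw_ptr in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            return va + (offset - raw_ptr)
    return None

def find_guid_refs(image, guid_str):
    # Every hit as (file offset, RVA); bytes.find stands in for the tool's Boyer-Moore search.
    pat, sections, hits = guid_pattern(guid_str), section_table(image), []
    pos = image.find(pat)
    while pos != -1:
        hits.append((pos, offset_to_rva(sections, pos)))
        pos = image.find(pat, pos + 1)
    return hits

def build_sample_image(guid_str=SAMPLE_GUID):
    # Constructed minimal PE32+ buffer: one .rdata section at file offset 0x200 / RVA 0x2000.
    rdata = b"\x00" * 0x40 + guid_pattern(guid_str) + b"\x00" * 0x40
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                 # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x8664, 1)           # Machine, NumberOfSections
    struct.pack_into("<H", hdr, 0x84 + 16, 0xF0)            # SizeOfOptionalHeader (PE32+)
    sec = 0x84 + 20 + 0xF0
    hdr[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(rdata), 0x2000, len(rdata), 0x200)
    return bytes(hdr) + rdata
```

Running find_guid_refs on a real image read from disk works the same way; each returned RVA is the address to cross-reference in the disassembler.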
Thanks to Matt Graeber (@mattifestation) for the original idea of identifying provider images by locating GUIDs inside the files