this repo contains information to patch AMSI and ETW using a single byte patch for both.
The idea was to limit detection of the patch itself since it's a single byte.
The idea is that AMSI perform a lot of validation check before hitting the critical AMSI "check" code. You can simply toggle one of the jz for a jnz and vice versa.
The red arrow in tthe figure above is showing where the critical code is located.
Example of checks that can be toggled to avoid calling the critical code.
In this case we patch the jnz after the cmp dword ptr [rbx], 49534d41h.
the patch is simply Address of AmsiScanBuffer + 0x83 = 0x74 (x64)
Instead of patching EtwEventWrite simply patch the syscall NtTraceEvent which is called by a lot of functions.
As shown in the figure below NtTraceEvent is used by a lot of functions within ntdll.dll
The patch is simply force a return when the NtTraceEvent function is called NtTraceEvent = 0xc3 (x64)