|
|
|
|
@ -4,3 +4,19 @@ reverse engineering of bedaisy.sys (battleyes kernel driver). By registering on
|
|
|
|
|
we want and have control flow over subsequent functions.
|
|
|
|
|
|
|
|
|
|
<img src="https://imgur.com/NFGyGrY.png"/>
|
|
|
|
|
|
|
|
|
|
# APCS
|
|
|
|
|
|
|
|
|
|
The below function will be executed in each thread that bedaisy registers an APC on.
|
|
|
|
|
|
|
|
|
|
```cpp
|
|
|
|
|
__int64 __usercall apc_callback@<rax>(char _CL@<cl>, char _BH@<bh>, __int64 *a3@<r9>)
|
|
|
|
|
{
|
|
|
|
|
__int64 v4; // rbx
|
|
|
|
|
|
|
|
|
|
__asm { rcl bh, cl }
|
|
|
|
|
v4 = *a3;
|
|
|
|
|
*(_DWORD *)(v4 + 2160) = RtlWalkFrameChain(*a3 + 0x70, 256i64, 0i64);
|
|
|
|
|
return KeSetEvent(v4 + 88, 0i64, 0i64);
|
|
|
|
|
}
|
|
|
|
|
```
|
xerox
4 years ago