# BEDaisy

reverse engineering of bedaisy.sys (battleyes kernel driver). By registering on image load callbacks and IAT hooking BEDaisy's `MmGetSystemRoutineAddress` we can simply hook any imports
we want and have control flow over subsequent functions.

<img src="https://imgur.com/NFGyGrY.png"/>

# APCS

The below function will be executed in each thread that bedaisy registers an APC on.

```cpp
__int64 __usercall apc_callback@<rax>(char _CL@<cl>, char _BH@<bh>, __int64 *a3@<r9>)
{
  __int64 v4; // rbx

  __asm { rcl     bh, cl }
  v4 = *a3;
  *(_DWORD *)(v4 + 2160) = RtlWalkFrameChain(*a3 + 0x70, 256i64, 0i64);
  return KeSetEvent(v4 + 88, 0i64, 0i64);
}
```