BEDaisy
Reverse engineering of bedaisy.sys (BattlEye's kernel driver). By registering an image-load callback and IAT-hooking BEDaisy's import of MmGetSystemRoutineAddress, we can hook any import we want and take control of the flow through the functions that follow.
APCs
The function below is executed in every thread on which BEDaisy queues an APC.
__int64 __usercall apc_callback@<rax>(char _CL@<cl>, char _BH@<bh>, __int64 *a3@<r9>)
{
// a3 is the KernelRoutine's SystemArgument1 pointer (4th argument, passed in r9);
// *a3 is the pool block handed to KeInsertQueueApc as SystemArgument1 in the registration code.
__int64 v4; // rbx
__asm { rcl bh, cl } // kept verbatim by the decompiler; bh is not read afterwards, so it does not affect the logic
v4 = *a3;
// Capture up to 256 return addresses of the current (targeted) thread into the block at +0x70
// and store the number of frames captured at +0x870 (2160).
*(_DWORD *)(v4 + 2160) = RtlWalkFrameChain(*a3 + 0x70, 256i64, 0i64);
// Signal the event at +0x58 (88) so the thread that queued the APC knows the backtrace is ready.
return KeSetEvent(v4 + 88, 0i64, 0i64);
}
Registration of APCs (the decompiled fragment is cut off after the KeInsertQueueApc check):
status = PsLookupThreadByThreadId(thread_id, &some_pethread); // resolve the target thread from its TID
v17 = 0;
if ( (int)status >= 0 )
{
// 0x200 is NonPagedPoolNx; 0x878 bytes hold the KAPC, the KEVENT, 256 frame slots and the frame count.
allocated_pool = ExAllocatePool(0x200i64, 0x878i64);
allocated_pool_1 = allocated_pool;
allocated_pool_2 = allocated_pool;
if ( allocated_pool )
{
// The KEVENT lives directly behind the KAPC at +0x58; apc_callback signals it when done.
allocated_pool_plus_58 = allocated_pool + 0x58;
KeInitializeEvent((PRKEVENT)(allocated_pool + 0x58), NotificationEvent, 0);
__asm { rcl cx, 0C6h } // kept verbatim by the decompiler; no value used below depends on it
LOBYTE(v77) = 0; // ProcessorMode = KernelMode
// Environment = OriginalApcEnvironment, KernelRoutine = j_apc_callback, no rundown or normal routine:
// a special kernel-mode APC, so apc_callback runs in the target thread at APC_LEVEL.
KeInitializeApc(allocated_pool_2, some_pethread, 0i64, j_apc_callback, 0i64, 0i64, v77, 0i64);
// SystemArgument1 = the pool block itself (what apc_callback receives through a3), Increment = 2.
if ( (unsigned __int8)KeInsertQueueApc(allocated_pool_2, allocated_pool_2, 0i64, 2i64) )
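The constants in the two decompiled fragments above fit together into one structure: the KAPC at offset 0, the KEVENT at 0x58, 256 frame slots at 0x70 and the frame count at 0x870. The following Python model is an added example, not code from the BEDaisy repository; the sizes of KAPC (0x58) and KEVENT (0x18) are assumed from public x64 Windows symbols, and the backtrace bytes it parses are constructed, not captured.

```python
import ctypes

# Opaque kernel objects; sizes are those of x64 Windows (assumption from public symbols).
# They are consistent with the decompiled offsets: the event is initialised at +0x58 and
# RtlWalkFrameChain writes from +0x70 onwards.
class KAPC(ctypes.Structure):
    _fields_ = [("raw", ctypes.c_ubyte * 0x58)]

class KEVENT(ctypes.Structure):
    _fields_ = [("raw", ctypes.c_ubyte * 0x18)]

MAX_FRAMES = 256  # second argument of RtlWalkFrameChain in apc_callback

class BacktraceBlock(ctypes.Structure):
    """Reconstruction of the 0x878-byte NonPagedPoolNx block that is both the KAPC and the
    SystemArgument1 (*a3) that apc_callback dereferences."""
    _fields_ = [
        ("apc", KAPC),                             # KeInitializeApc(allocated_pool, ...)
        ("event", KEVENT),                         # KeInitializeEvent(allocated_pool + 0x58, ...)
        ("frames", ctypes.c_uint64 * MAX_FRAMES),  # RtlWalkFrameChain(*a3 + 0x70, 256, 0)
        ("frame_count", ctypes.c_uint32),          # *(_DWORD *)(v4 + 2160); 2160 == 0x870
    ]

def recovered_offsets():
    """Field offsets implied by the layout; they must agree with the decompiled constants."""
    offs = {name: getattr(BacktraceBlock, name).offset for name, _ in BacktraceBlock._fields_}
    offs["size"] = ctypes.sizeof(BacktraceBlock)  # 0x874 rounded up to 8-byte alignment
    return offs

def parse_backtrace(blob):
    """Return the captured return addresses from a raw copy of the block.
    frame_count is clamped to MAX_FRAMES so a corrupted count cannot read past the buffer."""
    if len(blob) < ctypes.sizeof(BacktraceBlock):
        raise ValueError("block too short")
    blk = BacktraceBlock.from_buffer_copy(blob)
    n = min(blk.frame_count, MAX_FRAMES)
    return [blk.frames[i] for i in range(n)]

def build_block(frames):
    """Constructed sample block, laid out the way apc_callback leaves it after it has run."""
    blk = BacktraceBlock()
    kept = frames[:MAX_FRAMES]
    for i, addr in enumerate(kept):
        blk.frames[i] = addr
    blk.frame_count = len(kept)
    return bytes(blk)

if __name__ == "__main__":
    print({k: hex(v) for k, v in recovered_offsets().items()})
    # constructed return addresses, not real ones
    print([hex(a) for a in parse_backtrace(build_block([0xFFFFF80400001000, 0xFFFFF80400002000]))])
```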
HWID
BEDaisy opens a handle to \Device\Harddisk0\DR0, the physical disk device object served by disk.sys.
02646022 190.98799133 [GoodEye]ZwOpenFile called from: 0xFFFFF804DEFDB904
02646023 190.98799133 [GoodEye] - ZwOpenFile(\Device\Harddisk0\DR0)
02646024 190.98869324 [GoodEye] - ZwOpenFile handle result: 0xFFFFFFFF80003E28
BEDaisy then sends a few IOCTLs to disk.sys through that handle using ZwDeviceIoControlFile:
02646049 190.99142456 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB94A
02646050 190.99143982 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646051 190.99143982 [GoodEye] - IoControlCode: 0x00000000002D1400
02646052 190.99143982 [GoodEye] - OutputBufferLength: 0x0000000000000008
02646053 190.99143982 [GoodEye] - InoutBufferLength: 0x000000000000000C
02646059 190.99192810 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB960
02646060 190.99192810 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646061 190.99192810 [GoodEye] - IoControlCode: 0x00000000002D1400
02646062 190.99192810 [GoodEye] - OutputBufferLength: 0x0000000000000000
02646063 190.99194336 [GoodEye] - InoutBufferLength: 0x000000000000000C
02646072 190.99209595 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB9B1
02646073 190.99211121 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646074 190.99211121 [GoodEye] - IoControlCode: 0x000000000007C088
02646075 190.99211121 [GoodEye] - OutputBufferLength: 0x0000000000000211
02646076 190.99211121 [GoodEye] - InoutBufferLength: 0x0000000000000021
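To make the IoControlCode values in the log readable, here is an added Python helper that is not part of the BEDaisy repository. It inverts the WDK CTL_CODE macro, names the two codes that appear above with their ntddstor.h and ntdddisk.h identifiers, and checks the input lengths against the sizes of the structures those IOCTLs expect; the log text embedded in it is copied from the lines above.

```python
import re

# CTL_CODE(DeviceType, Function, Method, Access) == (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}
# (DeviceType, Function) -> name, for the two codes in the log.
# IOCTL_STORAGE_BASE = 0x2D; IOCTL_DISK_BASE = FILE_DEVICE_DISK = 0x07.
KNOWN = {(0x2D, 0x500): "IOCTL_STORAGE_QUERY_PROPERTY", (0x07, 0x022): "SMART_RCV_DRIVE_DATA"}
# Expected InputBufferLength: sizeof(STORAGE_PROPERTY_QUERY) == 0xC, sizeof(SENDCMDINPARAMS) == 0x21.
# The 0x211 output of SMART_RCV_DRIVE_DATA is sizeof(SENDCMDOUTPARAMS) + 512 (IDENTIFY_BUFFER_SIZE),
# i.e. room for a full ATA IDENTIFY DEVICE sector, where the drive's serial number lives.
EXPECTED_IN_LEN = {"IOCTL_STORAGE_QUERY_PROPERTY": 0xC, "SMART_RCV_DRIVE_DATA": 0x21}

def decode_ctl_code(code):
    """Split a CTL_CODE into its four fields and name it if it is one the log shows."""
    device, access = (code >> 16) & 0xFFFF, (code >> 14) & 0x3
    function, method = (code >> 2) & 0xFFF, code & 0x3
    return {"device_type": device, "function": function, "method": METHODS[method],
            "access": ACCESS[access], "name": KNOWN.get((device, function), "unknown")}

LINE = re.compile(r"\[GoodEye\] - (IoControlCode|OutputBufferLength|InoutBufferLength): (0x[0-9A-Fa-f]+)")

def ioctls_from_log(text):
    """Group the three fields of each ZwDeviceIoControlFile record and decode its code."""
    calls, cur = [], {}
    for m in LINE.finditer(text):
        cur[m.group(1)] = int(m.group(2), 16)
        if len(cur) == 3:  # the log always prints IoControlCode, then Output, then Input length
            rec = decode_ctl_code(cur["IoControlCode"])
            rec["in_len"], rec["out_len"] = cur["InoutBufferLength"], cur["OutputBufferLength"]
            rec["in_len_ok"] = EXPECTED_IN_LEN.get(rec["name"]) == rec["in_len"]
            calls.append(rec)
            cur = {}
    return calls

# Two of the three records, copied verbatim from the GoodEye log above.
LOG = """
02646051 190.99143982 [GoodEye] - IoControlCode: 0x00000000002D1400
02646052 190.99143982 [GoodEye] - OutputBufferLength: 0x0000000000000008
02646053 190.99143982 [GoodEye] - InoutBufferLength: 0x000000000000000C
02646074 190.99211121 [GoodEye] - IoControlCode: 0x000000000007C088
02646075 190.99211121 [GoodEye] - OutputBufferLength: 0x0000000000000211
02646076 190.99211121 [GoodEye] - InoutBufferLength: 0x0000000000000021
"""

if __name__ == "__main__":
    for call in ioctls_from_log(LOG):
        print(call)
```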
IRP
Below you can see that BEDaisy calls MmIsAddressValid on every single IRP of every single driver. The log below was taken while dxgkrnl.sys was handling IRPs.
00052032 94.91796112 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052033 94.91796112 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F01510
00052034 94.91796112 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052035 94.91796112 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052036 94.91796112 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052037 94.91796875 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F011B0
00052038 94.91796875 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052039 94.91796875 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052040 94.91796875 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052041 94.91796875 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052042 94.91797638 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052043 94.91797638 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052044 94.91797638 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052045 94.91797638 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052046 94.91797638 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052047 94.91798401 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052048 94.91798401 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052049 94.91798401 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052050 94.91798401 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052051 94.91798401 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052052 94.91799164 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052053 94.91799164 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052054 94.91799164 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052055 94.91799164 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052056 94.91799164 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052057 94.91799927 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052058 94.91799927 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052059 94.91799927 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052060 94.91799927 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052061 94.91799927 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F01290
00052062 94.91800690 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052063 94.91800690 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052064 94.91800690 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052065 94.91800690 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052066 94.91800690 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052067 94.91800690 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052068 94.91800690 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052069 94.91800690 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F01070
00052070 94.91800690 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052071 94.91800690 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052072 94.91801453 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052073 94.91801453 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052074 94.91801453 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052075 94.91801453 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052076 94.91801453 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052077 94.91802216 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052078 94.91802216 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052079 94.91802216 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052080 94.91802216 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052081 94.91802216 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052082 94.91802979 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052083 94.91802979 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052084 94.91802979 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052085 94.91802979 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00052086 94.91802979 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00052087 94.91803741 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0