# BEDaisy
Reverse engineering of bedaisy.sys (BattlEye's kernel driver). By registering an image-load callback and IAT-hooking BEDaisy's `MmGetSystemRoutineAddress`, we can hook any imports we want and take control of the subsequent function calls.
<img src="https://imgur.com/NFGyGrY.png"/>
# APCs
The function below is executed in each thread on which BEDaisy queues an APC.
```cpp
// Kernel routine of the APC BEDaisy queues into each target thread (IDA decompiler output;
// the register calling-convention annotations and the stray `rcl` are reproduced as emitted).
// a3 is the SystemArgument1 slot of the APC: the registration code passes the 0x878-byte pool
// block itself as SystemArgument1 to KeInsertQueueApc, so *a3 is that block, whose KEVENT was
// initialised at +0x58.
__int64 __usercall apc_callback@<rax>(char _CL@<cl>, char _BH@<bh>, __int64 *a3@<r9>)
{
__int64 v4; // rbx

// Decompiler artifact (presumably an unresolved/obfuscated instruction); it has no visible
// effect on the logic below — TODO confirm against the disassembly.
__asm { rcl bh, cl }
// The pool block passed as SystemArgument1.
v4 = *a3;
// Walk the current thread's kernel stack: up to 256 return addresses are written starting at
// +0x70 (256 * 8 = 0x800 bytes, ending at +0x870) and the return value is stored as a DWORD at
// +0x870 (2160), which fits the 0x878-byte allocation. Because this runs as an APC in the
// target thread, the captured chain is that thread's call stack, not BEDaisy's.
*(_DWORD *)(v4 + 2160) = RtlWalkFrameChain(*a3 + 0x70, 256i64, 0i64);
// Signal the event at +0x58 (88) — presumably the registering code waits on it before reading
// the captured frames.
return KeSetEvent(v4 + 88, 0i64, 0i64);
}
```
Registration of APCs (fragment; the surrounding function and the rest of the `if` body are not shown):
```cpp
status = PsLookupThreadByThreadId(thread_id, &some_pethread);
v17 = 0;
if ( (int)status >= 0 )
{
allocated_pool = ExAllocatePool(0x200i64, 0x878i64);
allocated_pool_1 = allocated_pool;
allocated_pool_2 = allocated_pool;
if ( allocated_pool )
{
allocated_pool_plus_58 = allocated_pool + 0x58;
KeInitializeEvent((PRKEVENT)(allocated_pool + 0x58), NotificationEvent, 0);
__asm { rcl cx, 0C6h }
LOBYTE(v77) = 0;
KeInitializeApc(allocated_pool_2, some_pethread, 0i64, j_apc_callback, 0i64, 0i64, v77, 0i64);
if ( (unsigned __int8)KeInsertQueueApc(allocated_pool_2, allocated_pool_2, 0i64, 2i64) )
```
# HWID
BEDaisy opens a handle to DR0, the raw disk device `\Device\Harddisk0\DR0` (disk.sys):
```
02646022 190.98799133 [GoodEye]ZwOpenFile called from: 0xFFFFF804DEFDB904
02646023 190.98799133 [GoodEye] - ZwOpenFile(\Device\Harddisk0\DR0)
02646024 190.98869324 [GoodEye] - ZwOpenFile handle result: 0xFFFFFFFF80003E28
```
BEDaisy then sends a few IOCTLs to disk.sys using `ZwDeviceIoControlFile`. `0x2D1400` is `IOCTL_STORAGE_QUERY_PROPERTY` and `0x7C088` is `SMART_RCV_DRIVE_DATA`; the `0x21`/`0x211` buffer lengths match `SENDCMDINPARAMS`/`SENDCMDOUTPARAMS` with a 512-byte payload, i.e. an ATA IDENTIFY DEVICE query, which is how the drive's identification data is read for the HWID:
```
02646049 190.99142456 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB94A
02646050 190.99143982 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646051 190.99143982 [GoodEye] - IoControlCode: 0x00000000002D1400
02646052 190.99143982 [GoodEye] - OutputBufferLength: 0x0000000000000008
02646053 190.99143982 [GoodEye] - InoutBufferLength: 0x000000000000000C
02646059 190.99192810 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB960
02646060 190.99192810 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646061 190.99192810 [GoodEye] - IoControlCode: 0x00000000002D1400
02646062 190.99192810 [GoodEye] - OutputBufferLength: 0x0000000000000000
02646063 190.99194336 [GoodEye] - InoutBufferLength: 0x000000000000000C
02646072 190.99209595 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB9B1
02646073 190.99211121 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646074 190.99211121 [GoodEye] - IoControlCode: 0x000000000007C088
02646075 190.99211121 [GoodEye] - OutputBufferLength: 0x0000000000000211
02646076 190.99211121 [GoodEye] - InoutBufferLength: 0x0000000000000021
```
# IRP
Below you can see that BEDaisy calls `MmIsAddressValid` on every IRP handler of every driver; the trace below is from `dxgkrnl.sys`. The same address recurring throughout is consistent with most dispatch-table entries pointing at one common handler.
```
|
|
00052032 94.91796112 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052033 94.91796112 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F01510
|
|
00052034 94.91796112 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052035 94.91796112 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052036 94.91796112 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052037 94.91796875 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F011B0
|
|
00052038 94.91796875 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052039 94.91796875 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052040 94.91796875 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052041 94.91796875 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052042 94.91797638 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052043 94.91797638 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052044 94.91797638 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052045 94.91797638 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052046 94.91797638 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052047 94.91798401 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052048 94.91798401 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052049 94.91798401 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052050 94.91798401 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052051 94.91798401 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052052 94.91799164 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052053 94.91799164 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052054 94.91799164 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052055 94.91799164 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052056 94.91799164 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052057 94.91799927 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052058 94.91799927 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052059 94.91799927 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052060 94.91799927 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052061 94.91799927 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F01290
|
|
00052062 94.91800690 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052063 94.91800690 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052064 94.91800690 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052065 94.91800690 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052066 94.91800690 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052067 94.91800690 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052068 94.91800690 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052069 94.91800690 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F01070
|
|
00052070 94.91800690 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052071 94.91800690 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052072 94.91801453 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052073 94.91801453 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052074 94.91801453 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052075 94.91801453 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052076 94.91801453 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052077 94.91802216 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052078 94.91802216 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052079 94.91802216 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052080 94.91802216 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052081 94.91802216 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052082 94.91802979 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052083 94.91802979 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052084 94.91802979 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052085 94.91802979 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
00052086 94.91802979 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
|
|
00052087 94.91803741 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
|
|
``` |