xerox / BEDaisy (commit 7e6f25e3d1, 4 years ago)

Repository contents: BEDaisy, DumpLog, RuntimeLog, LICENSE, README.md
BEDaisy
Reverse engineering of bedaisy.sys (BattlEye's kernel driver). By registering an image-load notify callback and IAT-hooking BEDaisy's import of MmGetSystemRoutineAddress, we can hook any import we want and take control of the subsequent calls: every routine BEDaisy resolves through that import can be answered with a pointer to our own function instead.
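As an added example (not code from the BEDaisy repository), the IAT-patching half of that technique as a runnable user-mode C program: it walks the import directory of a minimal PE32+ image built in memory, replaces the slot that imports MmGetSystemRoutineAddress with a hook, and shows the hook handing back a substitute routine when the target resolves a name through it. The PE structures are trimmed to the fields the walk needs, the resolver takes a C string instead of a PUNICODE_STRING, and the image, the routine names and the helper functions are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE32+ pieces trimmed to the fields the walk needs; offsets match the real headers. */
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } dos_header_t;
typedef struct { uint32_t VirtualAddress, Size; } data_directory_t;
typedef struct {
    uint32_t Signature;             /* "PE\0\0" */
    uint8_t  FileHeader[20];
    uint16_t Magic;                 /* 0x20B = PE32+ */
    uint8_t  opt_pad[110];          /* DataDirectory is at optional-header offset 112 */
    data_directory_t DataDirectory[16];
} nt_headers64_t;
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } import_descriptor_t;

/* Simplified stand-in for MmGetSystemRoutineAddress (the real one takes a PUNICODE_STRING). */
typedef void *(*resolve_fn)(const char *name);

/* Replace the IAT slot that imports `func_name` with `hook`; returns the original slot value or NULL. */
void *iat_hook(uint8_t *image, const char *func_name, void *hook)
{
    dos_header_t *dos = (dos_header_t *)image;
    if (dos->e_magic != 0x5A4D) return NULL;
    nt_headers64_t *nt = (nt_headers64_t *)(image + dos->e_lfanew);
    if (nt->Signature != 0x00004550 || nt->Magic != 0x20B) return NULL;
    data_directory_t dir = nt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (dir.VirtualAddress == 0) return NULL;
    for (import_descriptor_t *d = (import_descriptor_t *)(image + dir.VirtualAddress); d->Name; d++) {
        uint64_t *name_entry = (uint64_t *)(image + d->OriginalFirstThunk);  /* INT: what is imported */
        uint64_t *iat_entry  = (uint64_t *)(image + d->FirstThunk);          /* IAT: resolved pointers */
        for (; *name_entry; name_entry++, iat_entry++) {
            if (*name_entry >> 63) continue;                                  /* imported by ordinal */
            const char *name = (const char *)(image + (uint32_t)*name_entry + 2); /* skip the Hint */
            if (strcmp(name, func_name) == 0) {
                void *orig = (void *)(uintptr_t)*iat_entry;
                *iat_entry = (uint64_t)(uintptr_t)hook;
                return orig;
            }
        }
    }
    return NULL;
}

/* ---- Constructed target: a fake driver image that imports MmGetSystemRoutineAddress ---- */
static int real_calls, hooked_calls;
static int real_routine(void)   { return ++real_calls; }
static int hooked_routine(void) { return ++hooked_calls; }

/* Stand-in for the kernel's resolver; it only knows one routine name (constructed). */
static void *kernel_resolve(const char *name)
{
    return strcmp(name, "KeInsertQueueApc") == 0 ? (void *)(uintptr_t)real_routine : NULL;
}
static resolve_fn g_orig_resolve = kernel_resolve;

/* Our replacement: resolve as the kernel would, but answer the names we want with our routine. */
static void *hooked_resolve(const char *name)
{
    void *real = g_orig_resolve(name);
    if (real && strcmp(name, "KeInsertQueueApc") == 0) return (void *)(uintptr_t)hooked_routine;
    return real;
}

static uint64_t g_image_raw[512];                  /* 4 KiB, 8-byte aligned */
#define IMAGE ((uint8_t *)g_image_raw)

static void build_image(void)
{
    memset(IMAGE, 0, sizeof g_image_raw);
    dos_header_t *dos = (dos_header_t *)IMAGE;
    dos->e_magic = 0x5A4D; dos->e_lfanew = 0x80;
    nt_headers64_t *nt = (nt_headers64_t *)(IMAGE + 0x80);
    nt->Signature = 0x00004550; nt->Magic = 0x20B;
    nt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = 0x400;
    nt->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = 2 * sizeof(import_descriptor_t);
    import_descriptor_t *d = (import_descriptor_t *)(IMAGE + 0x400);   /* second descriptor stays zero */
    d->OriginalFirstThunk = 0x500; d->FirstThunk = 0x600; d->Name = 0x700;
    *(uint64_t *)(IMAGE + 0x500) = 0x800;                               /* INT -> IMAGE_IMPORT_BY_NAME */
    *(uint64_t *)(IMAGE + 0x600) = (uint64_t)(uintptr_t)kernel_resolve; /* IAT as the loader filled it */
    strcpy((char *)IMAGE + 0x700, "ntoskrnl.exe");
    strcpy((char *)IMAGE + 0x802, "MmGetSystemRoutineAddress");         /* Hint (2 bytes) left as 0 */
}

/* What the target driver does: resolve a routine through its IAT slot, then call it. */
static int target_resolves_and_calls(void)
{
    resolve_fn resolve = (resolve_fn)(uintptr_t)*(uint64_t *)(IMAGE + 0x600);
    int (*fn)(void) = (int (*)(void))(uintptr_t)resolve("KeInsertQueueApc");
    return fn();
}

/* One call before the hook, one after; returns how many reached hooked_routine (expected 1). */
int demo(void)
{
    build_image();
    target_resolves_and_calls();
    void *orig = iat_hook(IMAGE, "MmGetSystemRoutineAddress", (void *)(uintptr_t)hooked_resolve);
    if (!orig) return -1;
    g_orig_resolve = (resolve_fn)(uintptr_t)orig;    /* keep the original for pass-through */
    target_resolves_and_calls();
    return hooked_calls;
}

int main(void)
{
    int hooked = demo();
    printf("calls through hook: %d, calls to the real routine: %d\n", hooked, real_calls);
    return 0;
}
```

In a driver the same walk runs from the image-load notify callback when the image being loaded is bedaisy.sys. Two things the user-mode version glosses over: the IAT lives in a read-only section, so the page has to be made writable (for example through an MDL) before the slot is written, and the hook must forward every name it does not care about to the original routine, as hooked_resolve does, or the target driver fails to initialise.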
APCs
The function below is the kernel routine of the APC that BEDaisy queues to each thread it inspects. It runs in the target thread's context, walks that thread's stack with RtlWalkFrameChain (up to 256 return addresses stored at +0x70 of the allocation, with the number of frames stored at +0x870), then signals the event at +0x58 so the thread that queued the APC can read the result.

```c
__int64 __usercall apc_callback@<rax>(char _CL@<cl>, char _BH@<bh>, __int64 *a3@<r9>)
{
  __int64 v4; // rbx
  __asm { rcl bh, cl }                      // not lifted by the decompiler; bh is never used afterwards
  v4 = *a3;                                 // a3 is SystemArgument1: a pointer to the slot holding the allocation
  // capture up to 256 return addresses of the current (target) thread into +0x70,
  // store how many frames were captured at +0x870 (2160)
  *(_DWORD *)(v4 + 2160) = RtlWalkFrameChain(*a3 + 0x70, 256i64, 0i64);
  return KeSetEvent(v4 + 88, 0i64, 0i64);   // signal the event at +0x58 (88) so the requester can proceed
}
```
Registration of APCs:

```c
status = PsLookupThreadByThreadId(thread_id, &some_pethread);
v17 = 0;
if ( (int)status >= 0 )
{
  // NonPagedPoolNx (0x200), 0x878 bytes: KAPC + KEVENT + 256 caller slots + frame count
  allocated_pool = ExAllocatePool(0x200i64, 0x878i64);
  allocated_pool_1 = allocated_pool;
  allocated_pool_2 = allocated_pool;
  if ( allocated_pool )
  {
    allocated_pool_plus_58 = allocated_pool + 0x58;
    // the event the kernel routine signals once the stack walk is done
    KeInitializeEvent((PRKEVENT)(allocated_pool + 0x58), NotificationEvent, 0);
    __asm { rcl cx, 0C6h }                  // not lifted by the decompiler; result unused
    LOBYTE(v77) = 0;                        // ProcessorMode = KernelMode
    // Apc, Thread, Environment = OriginalApcEnvironment, KernelRoutine = j_apc_callback,
    // RundownRoutine = NULL, NormalRoutine = NULL (special kernel APC), ProcessorMode, NormalContext = NULL
    KeInitializeApc(allocated_pool_2, some_pethread, 0i64, j_apc_callback, 0i64, 0i64, v77, 0i64);
    // SystemArgument1 = the allocation itself, so the kernel routine can find its buffer; Increment = 2
    if ( (unsigned __int8)KeInsertQueueApc(allocated_pool_2, allocated_pool_2, 0i64, 2i64) )
```
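The sizes and offsets in the two listings above fit together exactly, and the example below (added here, not from the repository) pins that down: sizeof(KAPC) on x64 is 0x58 and sizeof(KEVENT) is 0x18, so the event at +0x58, the caller array at +0x70 and the DWORD count at +0x870 describe one struct whose size rounds to the 0x878 bytes ExAllocatePool is asked for. The kernel objects are replaced by same-sized stand-ins, the stack walk by a recursive user-mode routine that records its own return addresses, and the asynchronous APC delivery by a direct call; those three substitutions are the example's, not BEDaisy's.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins sized like the x64 kernel objects: sizeof(KAPC) == 0x58, sizeof(KEVENT) == 0x18.
 * Only signal_state is used by the example; its position inside the real KEVENT is not claimed. */
typedef struct { uint8_t raw[0x58]; } KAPC_x64;
typedef struct { int32_t signal_state; uint8_t raw[0x14]; } KEVENT_x64;

/* Layout recovered from the decompiled offsets. */
typedef struct {
    KAPC_x64   apc;            /* 0x000  KeInitializeApc(allocated_pool, ...)                       */
    KEVENT_x64 done;           /* 0x058  KeInitializeEvent(allocated_pool + 0x58, NotificationEvent) */
    void      *callers[256];   /* 0x070  RtlWalkFrameChain(*a3 + 0x70, 256, 0) fills this          */
    uint32_t   frame_count;    /* 0x870  *(_DWORD *)(v4 + 2160) = number of frames captured        */
    uint32_t   pad;            /* 0x874  rounds the struct up to 0x878, the ExAllocatePool size     */
} bedaisy_apc_ctx_t;

/* Compile-time layout checks (C89-compatible form of a static assert). */
#define LAYOUT_ASSERT(cond, name) typedef char layout_assert_##name[(cond) ? 1 : -1]
LAYOUT_ASSERT(offsetof(bedaisy_apc_ctx_t, done) == 0x58, event_offset);
LAYOUT_ASSERT(offsetof(bedaisy_apc_ctx_t, callers) == 0x70, callers_offset);
LAYOUT_ASSERT(offsetof(bedaisy_apc_ctx_t, frame_count) == 0x870, count_offset);
LAYOUT_ASSERT(sizeof(bedaisy_apc_ctx_t) == 0x878, allocation_size);

/* User-mode stand-in for RtlWalkFrameChain: walk a noinline call chain and record each return
 * address, so the captured values really are return addresses on the current thread's stack. */
__attribute__((noinline)) static uint32_t walk_frames(void **out, uint32_t max, uint32_t depth)
{
    if (depth == 0 || max == 0) return 0;
    out[0] = __builtin_return_address(0);
    return 1 + walk_frames(out + 1, max - 1, depth - 1);
}

/* Kernel routine of the special kernel APC (NormalRoutine == NULL): it runs on the target thread,
 * so the frame chain it captures belongs to that thread; then it releases the requester. */
static void apc_kernel_routine(bedaisy_apc_ctx_t *ctx, uint32_t depth)
{
    ctx->frame_count = walk_frames(ctx->callers, 256, depth);
    ctx->done.signal_state = 1;                     /* KeSetEvent(&ctx->done, 0, FALSE) */
}

/* Requester side: allocate and initialise the block, queue the APC, wait on the event, read the
 * result. Delivery is a direct call here; in the kernel KeInsertQueueApc makes it asynchronous. */
uint32_t capture_thread_stack(bedaisy_apc_ctx_t *ctx, uint32_t depth)
{
    memset(ctx, 0, sizeof *ctx);                    /* ExAllocatePool + KeInitializeEvent(..., FALSE) */
    apc_kernel_routine(ctx, depth);                 /* KeInitializeApc + KeInsertQueueApc */
    if (!ctx->done.signal_state) return 0;          /* KeWaitForSingleObject(&ctx->done, ...) */
    return ctx->frame_count;
}

/* Constructed run with a 5-deep chain; returns the frame count the requester reads back. */
uint32_t demo_capture(void)
{
    static bedaisy_apc_ctx_t ctx;
    return capture_thread_stack(&ctx, 5);
}

int main(void)
{
    bedaisy_apc_ctx_t ctx;
    uint32_t n = capture_thread_stack(&ctx, 5);
    printf("%u frames captured, first return address %p\n", n, ctx.callers[0]);
    return 0;
}
```

The point of the special kernel APC (NormalRoutine NULL, KernelMode) is that the stack walk executes on the inspected thread's own stack, which is the only reliable way to see that thread's return addresses; the event is what hands the result back to the thread that did the PsLookupThreadByThreadId.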
HWID
For hardware identification BEDaisy opens a handle to \Device\Harddisk0\DR0, the disk.sys device object for the first physical disk:
```
02646022 190.98799133 [GoodEye]ZwOpenFile called from: 0xFFFFF804DEFDB904
02646023 190.98799133 [GoodEye] - ZwOpenFile(\Device\Harddisk0\DR0)
02646024 190.98869324 [GoodEye] - ZwOpenFile handle result: 0xFFFFFFFF80003E28
```
BEDaisy then sends a few IOCTLs to disk.sys through ZwDeviceIoControlFile. The codes decode to IOCTL_STORAGE_QUERY_PROPERTY (0x2D1400; the 0xC-byte input is a STORAGE_PROPERTY_QUERY, and the first call passes only an 8-byte output buffer, enough for the STORAGE_DESCRIPTOR_HEADER that reports how large the full descriptor is) and SMART_RCV_DRIVE_DATA (0x7C088; input 0x21 = sizeof(SENDCMDINPARAMS), output 0x211 = sizeof(SENDCMDOUTPARAMS) + 512, the classic way to pull the ATA IDENTIFY DEVICE block and, with it, the drive's serial number).
```
02646049 190.99142456 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB94A
02646050 190.99143982 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646051 190.99143982 [GoodEye] - IoControlCode: 0x00000000002D1400
02646052 190.99143982 [GoodEye] - OutputBufferLength: 0x0000000000000008
02646053 190.99143982 [GoodEye] - InoutBufferLength: 0x000000000000000C
02646059 190.99192810 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB960
02646060 190.99192810 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646061 190.99192810 [GoodEye] - IoControlCode: 0x00000000002D1400
02646062 190.99192810 [GoodEye] - OutputBufferLength: 0x0000000000000000
02646063 190.99194336 [GoodEye] - InoutBufferLength: 0x000000000000000C
02646072 190.99209595 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB9B1
02646073 190.99211121 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646074 190.99211121 [GoodEye] - IoControlCode: 0x000000000007C088
02646075 190.99211121 [GoodEye] - OutputBufferLength: 0x0000000000000211
02646076 190.99211121 [GoodEye] - InoutBufferLength: 0x0000000000000021
```
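The example below (added here, not the repository's code) decodes those control codes with the CTL_CODE layout, checks the logged buffer lengths against the structure sizes, and extracts the serial number from an ATA identify block, which is what the 512-byte output buffer of SMART_RCV_DRIVE_DATA carries. The structure definitions mirror the SDK headers; the identify block and its serial number are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* CTL_CODE(DeviceType, Function, Method, Access) = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method */
typedef struct { unsigned device, function, method, access; } ioctl_parts_t;

ioctl_parts_t decode_ioctl(uint32_t code)
{
    ioctl_parts_t p = { code >> 16, (code >> 2) & 0xFFF, code & 3, (code >> 14) & 3 };
    return p;
}

/* Structures behind the two control codes in the log, laid out as in ntddstor.h / winioctl.h. */
typedef struct { uint32_t PropertyId, QueryType; uint8_t AdditionalParameters[1]; } STORAGE_PROPERTY_QUERY; /* 0xC  */
typedef struct { uint32_t Version, Size; } STORAGE_DESCRIPTOR_HEADER;                                   /* 8    */
#pragma pack(push, 1)   /* the SDK packs the SMART structures to 1; the logged 0x21 and 0x211 agree */
typedef struct { uint8_t bFeaturesReg, bSectorCountReg, bSectorNumberReg, bCylLowReg,
                 bCylHighReg, bDriveHeadReg, bCommandReg, bReserved; } IDEREGS;
typedef struct { uint32_t cBufferSize; IDEREGS irDriveRegs; uint8_t bDriveNumber, bReserved[3];
                 uint32_t dwReserved[4]; uint8_t bBuffer[1]; } SENDCMDINPARAMS;                       /* 0x21 */
typedef struct { uint8_t bDriverError, bIDEError, bReserved[2]; uint32_t dwReserved[2]; } DRIVERSTATUS;
typedef struct { uint32_t cBufferSize; DRIVERSTATUS DriverStatus; uint8_t bBuffer[1]; } SENDCMDOUTPARAMS; /* 0x11 */
#pragma pack(pop)
#define IDENTIFY_BUFFER_SIZE 512
#define IOCTL_STORAGE_QUERY_PROPERTY 0x2D1400u
#define SMART_RCV_DRIVE_DATA         0x7C088u

/* Name a logged ZwDeviceIoControlFile call from its control code and buffer lengths. */
const char *classify_call(uint32_t code, size_t in_len, size_t out_len)
{
    if (code == IOCTL_STORAGE_QUERY_PROPERTY && in_len == sizeof(STORAGE_PROPERTY_QUERY))
        return out_len == sizeof(STORAGE_DESCRIPTOR_HEADER)
             ? "IOCTL_STORAGE_QUERY_PROPERTY, header only (asks how large the descriptor is)"
             : "IOCTL_STORAGE_QUERY_PROPERTY";
    if (code == SMART_RCV_DRIVE_DATA && in_len == sizeof(SENDCMDINPARAMS)
        && out_len == sizeof(SENDCMDOUTPARAMS) + IDENTIFY_BUFFER_SIZE)
        return "SMART_RCV_DRIVE_DATA, ATA IDENTIFY DEVICE (512-byte identify block follows the header)";
    return "unrecognised";
}

/* The identify block stores the 20-character serial in words 10..19 with the bytes of each word swapped. */
void ata_serial_from_identify(const uint8_t *identify, char out[21])
{
    for (int i = 0; i < 20; i += 2) { out[i] = (char)identify[20 + i + 1]; out[i + 1] = (char)identify[20 + i]; }
    out[20] = '\0';
    for (int i = 19; i >= 0 && out[i] == ' '; i--) out[i] = '\0';     /* drop the space padding */
}

/* Constructed identify block carrying a made-up serial, swapped the way the drive returns it. */
void make_sample_identify(uint8_t *identify, const char *serial)
{
    char padded[21];
    memset(identify, 0, IDENTIFY_BUFFER_SIZE);
    snprintf(padded, sizeof padded, "%-20s", serial);
    for (int i = 0; i < 20; i += 2) { identify[20 + i] = (uint8_t)padded[i + 1]; identify[20 + i + 1] = (uint8_t)padded[i]; }
}

/* Round trip on the sample block; returns 1 when the serial survives the swap and the trim. */
int sample_serial_roundtrip(void)
{
    uint8_t identify[IDENTIFY_BUFFER_SIZE];
    char serial[21];
    make_sample_identify(identify, "WD-EXAMPLE12345");    /* constructed, not a real drive */
    ata_serial_from_identify(identify, serial);
    return strcmp(serial, "WD-EXAMPLE12345") == 0;
}

int main(void)
{
    ioctl_parts_t p = decode_ioctl(SMART_RCV_DRIVE_DATA);
    printf("0x7C088 -> DeviceType 0x%X Function 0x%X Method %u Access %u\n", p.device, p.function, p.method, p.access);
    printf("%s\n", classify_call(IOCTL_STORAGE_QUERY_PROPERTY, 0xC, 8));
    printf("%s\n", classify_call(SMART_RCV_DRIVE_DATA, 0x21, 0x211));
    printf("sample serial round trip: %s\n", sample_serial_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

Decoding the codes this way is also how you confirm the identification: 0x2D is FILE_DEVICE_MASS_STORAGE with function 0x500, and 0x7 is FILE_DEVICE_DISK with function 0x22 and both read and write access, which is exactly SMART_RCV_DRIVE_DATA.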
IRP
BEDaisy checks the IRP dispatch table of every loaded driver. Below are the checks done on dxgkrnl.sys on Windows 10 2004; the base address of dxgkrnl.sys is 0xfffff80498f10000. After matching the module path (the count 0x27 is the length of the path string) and validating the image base, it calls MmIsAddressValid on each of the 28 MajorFunction entries (IRP_MJ_CREATE through IRP_MJ_PNP) of the driver object. Five entries, indices 0, 2, 14, 15 and 16 (IRP_MJ_CREATE, IRP_MJ_CLOSE, IRP_MJ_DEVICE_CONTROL, IRP_MJ_INTERNAL_DEVICE_CONTROL, IRP_MJ_SHUTDOWN), resolve into dxgkrnl; the other 23 all point at 0xFFFFF8047EF364C0, which lies outside dxgkrnl and is the shared handler that unimplemented slots point at (the kernel's IopInvalidDeviceRequest).
```
00042942 92.55983734 [GoodEye]gh_wcsnicmp called from: 0xFFFFF804DEFDD874
00042943 92.55983734 [GoodEye] - string1: C:\Windows\System32\drivers\dxgkrnl.sys
00042944 92.55983734 [GoodEye] - string2: C:\Windows\System32\drivers\dxgkrnl.sys
00042945 92.55983734 [GoodEye] - count: 0x27
00042946 92.55996704 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFDD8B6
00042947 92.55996704 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F10000
00042948 92.56076813 [GoodEye]ExFreePoolWithTag called from: 0xFFFFF804DEFDD8D7
00042949 92.56076813 [GoodEye] - Freeing pool at: 0xFFFFC8081516C850
00042950 92.56076813 [GoodEye] - Pool Tag: 0x0
00042951 92.56208801 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042952 92.56209564 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8049905E400
00042953 92.56209564 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042954 92.56209564 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042955 92.56209564 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042956 92.56209564 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8049905E400
00042957 92.56209564 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042958 92.56209564 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042959 92.56209564 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042960 92.56210327 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042961 92.56210327 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042962 92.56210327 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042963 92.56210327 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042964 92.56210327 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042965 92.56211090 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042966 92.56211090 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042967 92.56211090 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042968 92.56211090 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042969 92.56211853 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042970 92.56211853 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042971 92.56211853 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042972 92.56211853 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042973 92.56211853 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042974 92.56212616 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042975 92.56212616 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042976 92.56212616 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042977 92.56212616 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042978 92.56212616 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042979 92.56213379 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042980 92.56213379 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F516A0
00042981 92.56213379 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042982 92.56213379 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80499059670
00042983 92.56214142 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042984 92.56214142 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8049916C4D0
00042985 92.56214142 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042986 92.56214142 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042987 92.56214142 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042988 92.56214905 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042989 92.56214905 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042990 92.56214905 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042991 92.56214905 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042992 92.56214905 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042993 92.56215668 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042994 92.56215668 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042995 92.56215668 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042996 92.56215668 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042997 92.56215668 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042998 92.56216431 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042999 92.56216431 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00043000 92.56216431 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00043001 92.56216431 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00043002 92.56216431 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00043003 92.56217194 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00043004 92.56217194 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00043005 92.56217194 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00043006 92.56217194 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
```
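Added example, not BEDaisy's code: the dispatch-table check in user-mode C, run over the 28 addresses from the log above. Each MajorFunction entry is classified as inside the driver image, the shared invalid-request stub, or foreign; a second, constructed table with IRP_MJ_DEVICE_CONTROL redirected to a made-up address shows what a hooked entry looks like. The image size of dxgkrnl.sys is not in the log and is assumed.

```c
#include <stdint.h>
#include <stdio.h>

#define IRP_MJ_MAXIMUM_FUNCTION 0x1b
#define NUM_MAJOR (IRP_MJ_MAXIMUM_FUNCTION + 1)   /* 28 MajorFunction slots, IRP_MJ_CREATE .. IRP_MJ_PNP */

/* What the check needs from one loaded driver: the handler array is DRIVER_OBJECT.MajorFunction
 * (at +0x70 on x64); path, base and size come from the loaded-module list. */
typedef struct {
    const char *path;
    uint64_t    image_base, image_size;
    uint64_t    major_function[NUM_MAJOR];
} driver_view_t;

typedef enum { SLOT_IN_IMAGE, SLOT_SHARED_STUB, SLOT_FOREIGN } slot_class_t;

/* Classify one dispatch entry. `stub` is the one address all unimplemented slots share (the
 * kernel's IopInvalidDeviceRequest); anything outside the image that is not the stub is suspect. */
slot_class_t classify_slot(const driver_view_t *d, uint64_t handler, uint64_t stub)
{
    if (handler >= d->image_base && handler < d->image_base + d->image_size) return SLOT_IN_IMAGE;
    if (handler == stub) return SLOT_SHARED_STUB;
    return SLOT_FOREIGN;
}

/* Walk all 28 entries the way the MmIsAddressValid loop in the log does; returns a bitmask of the
 * foreign ones (bit i set means MajorFunction[i] points outside the image and is not the stub). */
uint32_t foreign_slots(const driver_view_t *d, uint64_t stub)
{
    uint32_t mask = 0;
    for (unsigned i = 0; i < NUM_MAJOR; i++)
        if (classify_slot(d, d->major_function[i], stub) == SLOT_FOREIGN) mask |= 1u << i;
    return mask;
}

/* The 28 addresses BEDaisy probed for dxgkrnl.sys, in log order; STUB is the address shared by the
 * 23 unimplemented slots. The image size is an assumption for the example (not in the log). */
#define STUB 0xFFFFF8047EF364C0ull
static const driver_view_t dxgkrnl = {
    "C:\\Windows\\System32\\drivers\\dxgkrnl.sys", 0xFFFFF80498F10000ull, 0x400000,
    { 0xFFFFF8049905E400ull, STUB, 0xFFFFF8049905E400ull, STUB, STUB, STUB, STUB, STUB, STUB, STUB,
      STUB, STUB, STUB, STUB, 0xFFFFF80498F516A0ull, 0xFFFFF80499059670ull, 0xFFFFF8049916C4D0ull,
      STUB, STUB, STUB, STUB, STUB, STUB, STUB, STUB, STUB, STUB, STUB }
};

/* Clean table from the log: expected mask 0. */
uint32_t demo_clean_mask(void) { return foreign_slots(&dxgkrnl, STUB); }

/* Constructed hooked table: IRP_MJ_DEVICE_CONTROL (14) redirected to a made-up non-image address. */
uint32_t demo_hooked_mask(void)
{
    driver_view_t d = dxgkrnl;
    d.major_function[14] = 0xFFFFC80812345000ull;   /* example address, not from the log */
    return foreign_slots(&d, STUB);
}

int main(void)
{
    uint32_t clean = demo_clean_mask(), hooked = demo_hooked_mask();
    printf("%s: foreign mask clean=0x%08x hooked=0x%08x\n", dxgkrnl.path, clean, hooked);
    for (unsigned i = 0; i < NUM_MAJOR; i++)
        if (hooked & (1u << i)) printf("  MajorFunction[%u] points outside the image\n", i);
    return 0;
}
```

A real implementation still has to decide what a foreign entry means: a handler outside the image is legitimate when it lies inside another loaded module that intentionally forwards (a filter driver, or the kernel itself), so the verdict needs the full module list, and MmIsAddressValid, which is all the log shows per entry, only tells you the slot can be dereferenced without faulting.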