Repository by xerox, latest commit f4136b13e3 (4 years ago).

| File | Last change |
|---|---|
| BEDaisy | 4 years ago |
| BEDaisy.i64 | 4 years ago |
| BEDaisy.sys | 4 years ago |
| GoodEye_Import_Address.LOG | 4 years ago |
| LICENSE | 4 years ago |
| README.md | 4 years ago |
# BEDaisy
Reverse engineering of bedaisy.sys (BattlEye's kernel driver). By registering an image-load callback and IAT-hooking BEDaisy's import of MmGetSystemRoutineAddress, we can hook any import we want and gain control flow over the functions that use it.
## APCs
The function below is executed in every thread on which BEDaisy queues an APC.
```c
/* Hex-Rays output, annotated. This is the KernelRoutine of the APC: a3 arrives in r9, the
 * fourth argument, i.e. PVOID *SystemArgument1, so *a3 is the 0x878-byte block queued below. */
__int64 __usercall apc_callback@<rax>(char _CL@<cl>, char _BH@<bh>, __int64 *a3@<r9>)
{
    __int64 v4; // rbx
    __asm { rcl bh, cl }   // rotate on an otherwise unused register; no effect on the logic shown
    v4 = *a3;              // base of the per-thread block
    // Walk the target thread's stack: up to 256 return addresses into block+0x70,
    // the frame count returned by RtlWalkFrameChain is stored at block+0x870 (2160).
    *(_DWORD *)(v4 + 2160) = RtlWalkFrameChain(*a3 + 0x70, 256i64, 0i64);
    // Signal the KEVENT at block+0x58 (88) so the thread that queued the APC can read the trace.
    return KeSetEvent(v4 + 88, 0i64, 0i64);
}
```
Registration of APCs:
```c
/* Hex-Rays output, annotated. Resolves the target thread and queues one kernel-mode APC on it. */
current_thread_id = PsLookupThreadByThreadId(thread_id, &some_pethread); // an NTSTATUS, despite the name
v17 = 0;
if ( (int)current_thread_id >= 0 )                                       // NT_SUCCESS
{
    allocated_pool = ExAllocatePool(0x200i64, 0x878i64);                 // NonPagedPool | POOL_NX_ALLOCATION, 0x878 bytes
    allocated_pool_1 = allocated_pool;
    allocated_pool_2 = allocated_pool;
    if ( allocated_pool )
    {
        allocated_pool_plus_58 = allocated_pool + 0x58;
        // KEVENT placed directly behind the KAPC (sizeof(KAPC) == 0x58 on x64); apc_callback signals it.
        KeInitializeEvent((PRKEVENT)(allocated_pool + 0x58), NotificationEvent, 0);
        __asm { rcl cx, 0C6h }   // rotate on an otherwise unused register; no effect on the logic shown
        LOBYTE(v77) = 0;         // ProcessorMode = KernelMode
        // Apc = block, Thread, Environment = OriginalApcEnvironment, KernelRoutine = apc_callback,
        // RundownRoutine = NULL, NormalRoutine = NULL (special kernel-mode APC), ProcessorMode, NormalContext
        KeInitializeApc(allocated_pool_2, some_pethread, 0i64, j_apc_callback, 0i64, 0i64, v77, 0i64);
        // Apc, SystemArgument1 = the block itself (what apc_callback reads through a3), SystemArgument2, Increment
        // (the listing is truncated here in the original)
        if ( (unsigned __int8)KeInsertQueueApc(allocated_pool_2, allocated_pool_2, 0i64, 2i64) )
```
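Putting the two listings together, the offsets (0x58, 0x70, 2160, 256 entries, 0x878 bytes) describe one per-thread block. The reconstruction below is an added example, not code from the repository: the member names are my own, the KAPC (0x58) and KEVENT (0x18) sizes are the standard x64 values, and the sample addresses are constructed.

```c
/* Added example: layout of the 0x878-byte block BEDaisy allocates per thread,
 * inferred from the offsets in the two decompiled listings above. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BEDAISY_MAX_FRAMES 256u  /* second argument of RtlWalkFrameChain */

struct bedaisy_apc_ctx {
    uint8_t  apc[0x58];                   /* KAPC: block base handed to KeInitializeApc */
    uint8_t  event[0x18];                 /* KEVENT at +0x58: KeInitializeEvent / KeSetEvent */
    void    *frames[BEDAISY_MAX_FRAMES];  /* +0x70: RtlWalkFrameChain output buffer */
    uint32_t frame_count;                 /* +0x870 (2160): RtlWalkFrameChain return value */
    uint32_t pad;                         /* rounds the block out to the 0x878 bytes allocated */
};

_Static_assert(offsetof(struct bedaisy_apc_ctx, event) == 0x58, "event offset");
_Static_assert(offsetof(struct bedaisy_apc_ctx, frames) == 0x70, "frame buffer offset");
_Static_assert(offsetof(struct bedaisy_apc_ctx, frame_count) == 2160, "count offset");
_Static_assert(sizeof(struct bedaisy_apc_ctx) == 0x878, "ExAllocatePool size");

/* Copy the captured return addresses out of a block. The count is clamped to the
 * buffer size so a corrupt or oversized count cannot read past the block. */
size_t bedaisy_ctx_frames(const struct bedaisy_apc_ctx *ctx, const void **out, size_t max)
{
    size_t n = ctx->frame_count;
    if (n > BEDAISY_MAX_FRAMES) n = BEDAISY_MAX_FRAMES;
    if (n > max) n = max;
    memcpy(out, ctx->frames, n * sizeof(*out));
    return n;
}

/* Constructed sample: the block as it looks after apc_callback has run and
 * recorded three frames (addresses are made up). */
size_t demo_frames(const void **out, size_t max)
{
    struct bedaisy_apc_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.frames[0] = (void *)(uintptr_t)0xfffff80000001000u;
    ctx.frames[1] = (void *)(uintptr_t)0xfffff80000002000u;
    ctx.frames[2] = (void *)(uintptr_t)0xfffff80000003000u;
    ctx.frame_count = 3;
    return bedaisy_ctx_frames(&ctx, out, max);
}
```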