IDontCode
/
badeye
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'edef0b233e'
${ noResults }
badeye/README.md

12 lines
935 B
Raw Normal View History Unescape

Initial commit
4 years ago
# badeye
Update README.md
4 years ago
Its well known that battleye proxies calls to `NtReadVirtualMemory/NtWriteVirtualMemory` to their driver via DeviceIoControl in both `lsass.exe` and `csrss.exe`. Although csrss.exe
is not something you can inject from usermode, lsass.exe is (although it can be protected, depends on your system/hvci).
Update README.md
4 years ago
Update README.md
4 years ago
The reason this proxy of a syscall is a vulnerability is simply because their is no validation of R/W access on the specified handle passed to `BEDaisy`. In other words: you can
open a handle with `PROCESS_QUERY_LIMITED_INFORMATION` and use that handle to read/write any usermode memory that is also read/writeable. The handle access is not important to bedaisy
Update README.md
4 years ago
rather they use the handle to get the EPROCESS of the process that the handle is opened on.
<img src="https://imgur.com/fdthCQb.png"/>
As you can see you can open any handle with any access and then pass it along to bedaisy and it will read/write for you...