From 3554a6200aa5418e32508882cf7f02d6bf9ab644 Mon Sep 17 00:00:00 2001 From: xerox Date: Mon, 17 Aug 2020 22:18:51 +0000 Subject: [PATCH] Update README.md --- README.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/README.md b/README.md index 84304db..54feae8 100644 --- a/README.md +++ b/README.md @@ -2,16 +2,8 @@ # badeye -Its well known that battleye proxies calls to `NtReadVirtualMemory/NtWriteVirtualMemory` to their driver via DeviceIoControl in both `lsass.exe` and `csrss.exe`. Although csrss.exe -is not something you can inject from usermode, lsass.exe is (although it can be protected, depends on your system/hvci). - -The reason this proxy of a syscall is a vulnerability is simply because their is no validation of R/W access on the specified handle passed to `BEDaisy`. In other words: you can -open a handle with `PROCESS_QUERY_LIMITED_INFORMATION` and use that handle to read/write any usermode memory that is also read/writeable. The handle access is not important to bedaisy -rather they use the handle to get the EPROCESS of the process that the handle is opened on. - -As you can see you can open any handle with any access and then pass it along to bedaisy and it will read/write for you... # lsass.exe/csrss.exe
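Review bot: the hunk leaves `# badeye` as an empty heading followed immediately by `# lsass.exe/csrss.exe`: the eight deleted lines were the only description of what the project is and of the missing handle-access validation it documents, and nothing replaces them, so a reader now gets no context at all. Either keep a one-line summary under `# badeye` or state in the commit message why the description was dropped, since "Update README.md" does not explain the removal.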