From 458c21ccd932c85614c0eae12ff40b3568c27768 Mon Sep 17 00:00:00 2001 From: xerox Date: Mon, 17 Aug 2020 22:44:32 +0000 Subject: [PATCH] Update README.md --- README.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 75d2417..6d952bf 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,3 @@ -# i am writing this atm so come back later - # BadEye BattlEye proxies NtReadVirtualMemory and NtWriteVirtualMemory in lsass.exe/csrss.exe but doesnt bother to check the handle privilage.... @@ -43,10 +41,20 @@ This inline hook jumps to shellcode that packages all of the parameter values pa Now that you have a basic understanding of how this system works (and sorta why it is), lets look at what we can do! -To begin we need to extract the driver handle at runtime, this can be done simply by extracting the address of the shellcode out of the inline hook of `NtReadVirtualMemory`. Nnow that we have +To begin we need to extract the driver handle at runtime, this can be done simply by extracting the address of the shellcode out of the inline hook of `NtReadVirtualMemory`. Now that we have the handle to the driver we can start sending IOCTL's to BattlEye. The IOCTL data is not encrypted nor complicated... this is what it looks like: - +```cpp + struct beioctl + { + void* ret_addr; + HANDLE handle; + void* base_addr; + void* buffer; + size_t buffer_size; + size_t* bytes_read; + }; +```
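Review bot: the first hunk only drops the placeholder heading, but the line kept directly below it ("BattlEye proxies ... doesnt bother to check the handle privilage....") carries two misspellings ("doesnt" should be "doesn't", "privilage" should be "privilege") and a four-dot ellipsis; since this commit is already a README cleanup, fix that line in the same change rather than leaving the typos in the project description.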
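Review bot: the `beioctl` struct added in the second hunk is undocumented, and the surrounding prose never says what `ret_addr` is supposed to hold or how `bytes_read` is filled in, so a reader of the README cannot tell which members are inputs and which are outputs; add a one-line comment per member (at minimum for `ret_addr`, `handle` and `bytes_read`) or a sentence after the fence explaining the layout. Two smaller points in the same hunk: every line inside the ```cpp fence is indented by a leading space, which renders as a stray indent, so dedent the block; and in the retained context line "IOCTL's" should be "IOCTLs".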