Update README.md

master
xerox 4 years ago
parent 8c28418e09
commit 83da9883ac

@ -6,6 +6,10 @@ BattlEye proxies NtReadVirtualMemory and NtWriteVirtualMemory in lsass.exe/csrss
<img src="https://imgur.com/5MjFoHg.png"/> <img src="https://imgur.com/5MjFoHg.png"/>
you cannot use this to read/write the process that battleye is protecting but you can use
this to read/write any other process you can open a simple handle too. `Rust`, `Valorant`, you name it, just open a `PROCESS_QUERY_LIMITED_INFORMATION` handle and pass it to `BEDaisy`. The reason
this works is two fold, firstly BattlEye assumes that the handle already has this access, secondly BattlEye only uses the handle to get the `EPROCESS` so they can call `MmCopyVirtualMemory`. You can see
this in my runtime logs of `BEDaisy`.
# lsass.exe/csrss.exe # lsass.exe/csrss.exe
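Review bot: the paragraph added above `# lsass.exe/csrss.exe` starts mid-sentence with a lowercase "you cannot use this to read/write", and "this" has no antecedent at that position because the IOCTL interface is only introduced further down the README. Open with a full sentence that names what is being limited, or keep the original lead-in. In the same paragraph, "handle too" should be "handle to", "two fold" should be "twofold", and "this access" should name the access right BattlEye is assumed to skip checking, since the only right mentioned nearby is `PROCESS_QUERY_LIMITED_INFORMATION`.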
@ -44,11 +48,5 @@ the handle to the driver we can start sending IOCTL's to BattlEye. The IOCTL dat
<img src="https://imgur.com/fa627q3.png"/> <img src="https://imgur.com/fa627q3.png"/>
# limitations
Now that we can ask BEDaisy to read/write for us, what are the limitations? Well first off you cannot use this to read/write the process that battleye is protecting but you can use
this to read/write any other process you can open a simple handle too. `Rust`, `Valorant`, you name it, just open a `PROCESS_QUERY_LIMITED_INFORMATION` handle and pass it to `BEDaisy`. The reason
this works is two fold, firstly BattlEye assumes that the handle already has this access, secondly BattlEye only uses the handle to get the `EPROCESS` so they can call `MmCopyVirtualMemory`. You can see
this in my runtime logs of `BEDaisy`.
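Review bot: dropping the `# limitations` heading at the end of the file leaves the relocated paragraph without a heading of its own, so the README no longer has a section a reader can find or link to for what the interface cannot do. Carry the heading along to the new location. The removed lead-in "Now that we can ask BEDaisy to read/write for us, what are the limitations?" was also the only sentence framing the paragraph as a limitation, so keep it with the moved text rather than deleting it.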
