updated example and cleaned some code

master
xerox 4 years ago
parent 897859cbc5
commit c4ee1817a8

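--- a/PATH-NOT-SHOWN-msbuild-project
+++ b/PATH-NOT-SHOWN-msbuild-project
@@ -24,6 +24,7 @@
 <ProjectGuid>{faadd55d-e2c8-4e6d-be7e-6d8b5209f4f0}</ProjectGuid>
 <RootNamespace>badeye</RootNamespace>
 <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+<ProjectName>badeye</ProjectName>
 </PropertyGroup>
 <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
@@ -78,9 +79,11 @@
 </PropertyGroup>
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 <LinkIncremental>true</LinkIncremental>
+<TargetName>$(ProjectName)</TargetName>
 </PropertyGroup>
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 <LinkIncremental>false</LinkIncremental>
+<TargetName>$(ProjectName)</TargetName>
 </PropertyGroup>
 <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 <ClCompile>
@@ -116,6 +119,7 @@
 <SDLCheck>true</SDLCheck>
 <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 <ConformanceMode>true</ConformanceMode>
+<LanguageStandard>stdcpp17</LanguageStandard>
 </ClCompile>
 <Link>
 <SubSystem>Console</SubSystem>
@@ -148,6 +152,9 @@
 <ItemGroup>
 <ClInclude Include="nozzle.hpp" />
 </ItemGroup>
+<ItemGroup>
+<ResourceCompile Include="icon.rc" />
+</ItemGroup>
 <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
 <ImportGroup Label="ExtensionTargets">
 </ImportGroup>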

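--- a/PATH-NOT-SHOWN-msbuild-filters
+++ b/PATH-NOT-SHOWN-msbuild-filters
@@ -9,6 +9,9 @@
 <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
 <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
 </Filter>
+<Filter Include="Resource Files">
+<UniqueIdentifier>{7d90a3bf-3270-443e-8add-02f28e77071a}</UniqueIdentifier>
+</Filter>
 </ItemGroup>
 <ItemGroup>
 <ClInclude Include="nozzle.hpp">
@@ -20,4 +23,9 @@
 <Filter>Source Files</Filter>
 </ClCompile>
 </ItemGroup>
+<ItemGroup>
+<ResourceCompile Include="icon.rc">
+<Filter>Resource Files</Filter>
+</ResourceCompile>
+</ItemGroup>
 </Project>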

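--- a/PATH-NOT-SHOWN-resource-script
+++ b/PATH-NOT-SHOWN-resource-script
@@ -0,0 +1,3 @@
+// Icon Resource Definition
+#define MAIN_ICON 102
+MAIN_ICON ICON "small.ico"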

@ -9,7 +9,13 @@ int main(const int argc, const char** argv)
return -1; return -1;
} }
const auto lsass_pid = util::get_process_id(L"lsass.exe"); if (!util::get_pid(L"BEService.exe"))
{
std::perror("[-] please run BattlEye...\n");
return -1;
}
const auto lsass_pid = util::get_pid(L"lsass.exe");
std::printf("[+] lsass_pid => %p\n", lsass_pid); std::printf("[+] lsass_pid => %p\n", lsass_pid);
nozzle::injector inject(argv[1], lsass_pid); nozzle::injector inject(argv[1], lsass_pid);
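Review bot: `std::perror` is the wrong call for the new BattlEye check: perror appends `: ` and the current errno text after its argument, so the message gains a stray, unrelated error description and the embedded `\n` lands in the middle of the output; `std::fputs("[-] please run BattlEye...\n", stderr);` prints exactly the intended line. On the following context line `%p` is paired with `lsass_pid`, which is the `uint32_t` that `util::get_pid` returns, so the format and argument types disagree; `%u` matches. main's body starts and ends outside the hunk.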

@ -104,7 +104,7 @@ namespace util
data.insert(data.begin(), std::istream_iterator<uint8_t>(fstr), std::istream_iterator<uint8_t>()); data.insert(data.begin(), std::istream_iterator<uint8_t>(fstr), std::istream_iterator<uint8_t>());
} }
inline uint32_t get_process_id(const std::wstring_view process_name) inline uint32_t get_pid(const std::wstring_view process_name)
{ {
// open a system snapshot of all loaded processes // open a system snapshot of all loaded processes
uq_handle snap_shot{ CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), &CloseHandle }; uq_handle snap_shot{ CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), &CloseHandle };
@ -506,7 +506,7 @@ namespace nozzle
void injector::set_target(std::wstring proc_name) void injector::set_target(std::wstring proc_name)
{ {
target_pid = util::get_process_id(proc_name); target_pid = util::get_pid(proc_name);
} }
void* injector::get_pe_image() const void* injector::get_pe_image() const

Binary file not shown.


@ -10,7 +10,7 @@ using ioctl_data = struct { HANDLE drv_handle; void* return_addr; };
namespace bedaisy namespace bedaisy
{ {
struct beioctl struct beioctl_t
{ {
void* ret_addr; void* ret_addr;
void* handle; void* handle;
@ -20,7 +20,7 @@ namespace bedaisy
size_t* bytes_read; size_t* bytes_read;
}; };
inline ioctl_data get_ioctl_data() __forceinline ioctl_data get_ioctl_data()
{ {
const auto wpm = const auto wpm =
reinterpret_cast<std::uint8_t*>( reinterpret_cast<std::uint8_t*>(
@ -47,20 +47,20 @@ namespace bedaisy
return { {}, {} }; return { {}, {} };
} }
inline void read(HANDLE proc_handle, std::uintptr_t addr, void* buffer, std::size_t size) __forceinline void read(HANDLE proc_handle, std::uintptr_t addr, void* buffer, std::size_t size)
{ {
if (!addr || !buffer || !size) if (!addr || !buffer || !size)
return; return;
const auto [daisy_handle, return_addr] = get_ioctl_data(); const auto [daisy_handle, return_addr] = get_ioctl_data();
const beioctl ioctl_data beioctl_t ioctl_data
{ {
return_addr, return_addr,
proc_handle, proc_handle,
addr, addr,
buffer, buffer,
size, size,
(size_t*)0xFFFFFFF3423424 nullptr
}; };
DWORD bytes_read; DWORD bytes_read;
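Review bot: `beioctl_t ioctl_data` on the new side drops the `const` that the old `const beioctl ioctl_data` carried, and nothing in the visible lines mutates the struct after initialization, so `const beioctl_t ioctl_data` keeps that guarantee. Unlike `write` in the next hunk, which opens with `if (!proc_handle || !addr) return;`, `read` still passes a possibly null `proc_handle` through into the request, so `if (!proc_handle || !addr || !buffer || !size) return;` would make the two entry checks consistent (the templated `read<T>` further down already rejects a null handle). In the following hunk `(LPDWORD)&bytes_read` is a redundant C-style cast: `bytes_read` is declared `DWORD` on this line, so plain `&bytes_read` already has the right type. read's body continues past the end of the hunk.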
@ -72,18 +72,18 @@ namespace bedaisy
sizeof ioctl_data, sizeof ioctl_data,
nullptr, nullptr,
NULL, NULL,
&bytes_read, (LPDWORD)&bytes_read,
nullptr nullptr
); );
} }
void write(HANDLE proc_handle, std::uintptr_t addr, void* buffer, std::size_t size) __forceinline void write(HANDLE proc_handle, std::uintptr_t addr, void* buffer, std::size_t size)
{ {
if (!proc_handle || !addr) if (!proc_handle || !addr)
return; return;
const auto [daisy_handle, return_addr] = get_ioctl_data(); const auto [daisy_handle, return_addr] = get_ioctl_data();
const beioctl ioctl_data beioctl_t ioctl_data
{ {
return_addr, return_addr,
proc_handle, proc_handle,
@ -108,7 +108,7 @@ namespace bedaisy
} }
template <class T> template <class T>
inline T read(HANDLE proc_handle, std::uintptr_t addr) __forceinline T read(HANDLE proc_handle, std::uintptr_t addr)
{ {
if (!addr || !proc_handle) if (!addr || !proc_handle)
return {}; return {};
@ -119,7 +119,7 @@ namespace bedaisy
} }
template <class T> template <class T>
inline void write(HANDLE proc_handle, std::uintptr_t addr, const T& data) __forceinline void write(HANDLE proc_handle, std::uintptr_t addr, const T& data)
{ {
if (!proc_handle || !addr) if (!proc_handle || !addr)
return; return;

@ -1,29 +1,34 @@
#include "rust.hpp" #include "utils.hpp"
void example() void run_example()
{ {
OutputDebugStringA("[lsass] main thread created!"); OutputDebugStringA("[lsass] main thread created!");
const auto proc_handle = const auto proc_handle =
OpenProcess( OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, utils::get_pid(L"notepad.exe"));
PROCESS_QUERY_INFORMATION, FALSE,
utils::get_pid(L"RustClient.exe")
);
if (proc_handle) if (proc_handle == INVALID_HANDLE_VALUE)
{ {
rust::set_fov(proc_handle, 120.f); OutputDebugStringA("[lsass] failed to open handle to system process...");
OutputDebugStringA("[lsass] set fov!"); return;
}
} }
const auto ntdll_base =
reinterpret_cast<std::uintptr_t>(GetModuleHandleA("ntdll.dll"));
if (bedaisy::read<short>(proc_handle, ntdll_base) == IMAGE_DOS_SIGNATURE)
OutputDebugStringA("[lsass] read ntdll MZ from notepad.exe using BEDaisy.sys...\n");
else
OutputDebugStringA("[lsass] failed to read MZ...\n");
}
std::atomic<bool> init = false; std::atomic<bool> init = false;
extern "C" NTSTATUS nt_close(void* handle) extern "C" auto nt_close(void* handle) -> NTSTATUS
{ {
if (!init.exchange(true)) if (!init.exchange(true))
{ {
OutputDebugStringA("[lsass] creating thread!"); OutputDebugStringA("[lsass] creating thread!");
CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)&example, NULL, NULL, NULL); CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)&run_example, NULL, NULL, NULL);
} }
return NULL; return NULL;
} }
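Review bot: The failure test `if (proc_handle == INVALID_HANDLE_VALUE)` after the new one-line OpenProcess call never triggers, because OpenProcess reports failure by returning NULL rather than INVALID_HANDLE_VALUE; `if (!proc_handle)` is the check that matches the API. The handle is also never released on the success path, so it is leaked; a `CloseHandle(proc_handle);` before `run_example` returns closes it. The `(LPTHREAD_START_ROUTINE)&run_example` cast in the CreateThread call hands the thread a `void()` where a `DWORD WINAPI (LPVOID)` is expected; giving run_example that signature and `return 0;` at its exits removes the cast and the type mismatch.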

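--- a/PATH-NOT-SHOWN-msbuild-project-2
+++ b/PATH-NOT-SHOWN-msbuild-project-2
@@ -165,7 +165,6 @@
 </ItemGroup>
 <ItemGroup>
 <ClInclude Include="bedaisy.hpp" />
-<ClInclude Include="rust.hpp" />
 <ClInclude Include="utils.hpp" />
 </ItemGroup>
 <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />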

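--- a/PATH-NOT-SHOWN-msbuild-filters-2
+++ b/PATH-NOT-SHOWN-msbuild-filters-2
@@ -21,8 +21,5 @@
 <ClInclude Include="utils.hpp">
 <Filter>Header Files</Filter>
 </ClInclude>
-<ClInclude Include="rust.hpp">
-<Filter>Header Files</Filter>
-</ClInclude>
 </ItemGroup>
 </Project>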

@ -1,30 +0,0 @@
#pragma once
#include "utils.hpp"
#define GFX_MANAGER 0x28C6F30
#define CAMERA_MANAGER 0xB8
#define CAMERA_FOV 0x18
namespace rust
{
void set_fov(HANDLE proc_handle, float fov_value)
{
const auto asm_base = utils::get_module_base(proc_handle, L"GameAssembly.dll");
if (!asm_base)
return;
const auto gfx_manager = bedaisy::read<std::uintptr_t>(
proc_handle, asm_base + GFX_MANAGER);
if (!gfx_manager)
return;
const auto camera_manager = bedaisy::read<std::uintptr_t>(
proc_handle, gfx_manager + CAMERA_MANAGER);
if (!camera_manager)
return;
bedaisy::write<float>(proc_handle, camera_manager + CAMERA_FOV, fov_value);
}
}

@ -7,17 +7,17 @@
namespace utils namespace utils
{ {
struct nt_peb typedef struct _nt_peb
{ {
std::uintptr_t res[2]; std::uintptr_t res[2];
std::uintptr_t image_base; std::uintptr_t image_base;
std::uintptr_t ldr; std::uintptr_t ldr;
std::uintptr_t proc_params; std::uintptr_t proc_params;
}; } nt_peb;
inline uint32_t get_pid(const std::wstring_view process_name) __forceinline auto get_pid(const std::wstring_view process_name) -> std::uint32_t
{ {
const auto handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); const auto handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
if (handle == INVALID_HANDLE_VALUE) if (handle == INVALID_HANDLE_VALUE)
return !CloseHandle(handle); return !CloseHandle(handle);
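Review bot: `return !CloseHandle(handle);` on the INVALID_HANDLE_VALUE path is a pre-existing defect the hunk leaves in place: it calls CloseHandle on a sentinel that is not a handle, and the negated BOOL (1 when that call fails) is then handed back to callers as if it were a process id; `return 0;` matches the `return NULL;` used on the not-found path in the next hunk. The new `typedef struct _nt_peb { … } nt_peb;` that replaces `struct nt_peb` is a C idiom; in C++ the plain struct declaration already introduces the type name, so the typedef only adds a second identifier. Passing `NULL` as the `DWORD th32ProcessID` argument of CreateToolhelp32Snapshot is a style slip as well, since that parameter is a numeric zero and `0`, which the old side used, is the right spelling. get_pid's body continues outside the hunk.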
@ -34,7 +34,7 @@ namespace utils
return NULL; return NULL;
} }
inline PPEB get_process_peb(const HANDLE process_handle) __forceinline auto get_process_peb(const HANDLE process_handle) -> nt_peb*
{ {
PROCESS_BASIC_INFORMATION process_info{}; PROCESS_BASIC_INFORMATION process_info{};
ULONG bytes_returned; ULONG bytes_returned;
@ -47,20 +47,18 @@ namespace utils
&bytes_returned &bytes_returned
) != ERROR_SUCCESS) ) != ERROR_SUCCESS)
return nullptr; return nullptr;
return process_info.PebBaseAddress;
return reinterpret_cast<utils::nt_peb*>(process_info.PebBaseAddress);
} }
// could do a snapshot but i have this code handy atm... __forceinline auto get_proc_base(const HANDLE proc_handle) -> std::uintptr_t
inline std::uintptr_t get_proc_base(const HANDLE proc_handle)
{ {
if (!proc_handle) return {};
const auto ppeb = reinterpret_cast<std::uintptr_t>(get_process_peb(proc_handle)); const auto ppeb = reinterpret_cast<std::uintptr_t>(get_process_peb(proc_handle));
const auto peb = bedaisy::read<nt_peb>(proc_handle, ppeb); const auto peb = bedaisy::read<nt_peb>(proc_handle, ppeb);
return peb.image_base; return peb.image_base;
} }
// could do a snapshot but i have this code handy atm... __forceinline auto get_module_base(const HANDLE proc_handle, const wchar_t* module_handle) -> std::uintptr_t
inline std::uintptr_t get_module_base(const HANDLE proc_handle, const wchar_t* module_handle)
{ {
const auto ppeb = reinterpret_cast<std::uintptr_t>(get_process_peb(proc_handle)); const auto ppeb = reinterpret_cast<std::uintptr_t>(get_process_peb(proc_handle));
const auto peb = bedaisy::read<nt_peb>(proc_handle, ppeb); const auto peb = bedaisy::read<nt_peb>(proc_handle, ppeb);

Binary file not shown.

Binary file not shown.

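--- a/PATH-NOT-SHOWN-desktop-ini
+++ b/PATH-NOT-SHOWN-desktop-ini
@@ -0,0 +1,2 @@
+[LocalizedFileNames]
+Command Prompt.lnk=@%SystemRoot%\system32\shell32.dll,-22022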

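--- a/PATH-NOT-SHOWN-batch-script
+++ b/PATH-NOT-SHOWN-batch-script
@@ -0,0 +1,2 @@
+start notepad.exe
+start badeye.exe inside.dll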

Binary file not shown.