updated example and cleaned some code

master
xerox 4 years ago
parent 897859cbc5
commit c4ee1817a8

@ -24,6 +24,7 @@
<ProjectGuid>{faadd55d-e2c8-4e6d-be7e-6d8b5209f4f0}</ProjectGuid>
<RootNamespace>badeye</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
<ProjectName>badeye</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
@ -78,9 +79,11 @@
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
<TargetName>$(ProjectName)</TargetName>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<TargetName>$(ProjectName)</TargetName>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
@ -116,6 +119,7 @@
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<LanguageStandard>stdcpp17</LanguageStandard>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -148,6 +152,9 @@
<ItemGroup>
<ClInclude Include="nozzle.hpp" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="icon.rc" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>

@ -9,6 +9,9 @@
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{7d90a3bf-3270-443e-8add-02f28e77071a}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ClInclude Include="nozzle.hpp">
@ -20,4 +23,9 @@
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="icon.rc">
<Filter>Resource Files</Filter>
</ResourceCompile>
</ItemGroup>
</Project>

@ -0,0 +1,3 @@
// Icon Resource Definition
#define MAIN_ICON 102
MAIN_ICON ICON "small.ico"

@ -9,7 +9,13 @@ int main(const int argc, const char** argv)
return -1;
}
const auto lsass_pid = util::get_process_id(L"lsass.exe");
if (!util::get_pid(L"BEService.exe"))
{
std::perror("[-] please run BattlEye...\n");
return -1;
}
const auto lsass_pid = util::get_pid(L"lsass.exe");
std::printf("[+] lsass_pid => %p\n", lsass_pid);
nozzle::injector inject(argv[1], lsass_pid);
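Review bot: `std::perror("[-] please run BattlEye...\n")` is the wrong call for a plain message: perror appends `": <strerror(errno)>"` plus its own newline after the supplied string, so the embedded `\n` lands mid-line and whatever stale errno happens to be set is printed as if it were the cause; `std::fputs("[-] please run BattlEye...\n", stderr);` prints exactly the intended text. On the context line just below, `%p` is given `lsass_pid`, which is a `std::uint32_t` (util::get_pid's return type in the util hunk further down), so the conversion specifier does not match the argument type; `std::printf("[+] lsass_pid => %u\n", lsass_pid);` is the matching form. main() begins before this hunk.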

@ -104,7 +104,7 @@ namespace util
data.insert(data.begin(), std::istream_iterator<uint8_t>(fstr), std::istream_iterator<uint8_t>());
}
inline uint32_t get_process_id(const std::wstring_view process_name)
inline uint32_t get_pid(const std::wstring_view process_name)
{
// open a system snapshot of all loaded processes
uq_handle snap_shot{ CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), &CloseHandle };
@ -506,7 +506,7 @@ namespace nozzle
void injector::set_target(std::wstring proc_name)
{
target_pid = util::get_process_id(proc_name);
target_pid = util::get_pid(proc_name);
}
void* injector::get_pe_image() const


@ -10,7 +10,7 @@ using ioctl_data = struct { HANDLE drv_handle; void* return_addr; };
namespace bedaisy
{
struct beioctl
struct beioctl_t
{
void* ret_addr;
void* handle;
@ -20,7 +20,7 @@ namespace bedaisy
size_t* bytes_read;
};
inline ioctl_data get_ioctl_data()
__forceinline ioctl_data get_ioctl_data()
{
const auto wpm =
reinterpret_cast<std::uint8_t*>(
@ -47,20 +47,20 @@ namespace bedaisy
return { {}, {} };
}
inline void read(HANDLE proc_handle, std::uintptr_t addr, void* buffer, std::size_t size)
__forceinline void read(HANDLE proc_handle, std::uintptr_t addr, void* buffer, std::size_t size)
{
if (!addr || !buffer || !size)
return;
const auto [daisy_handle, return_addr] = get_ioctl_data();
const beioctl ioctl_data
beioctl_t ioctl_data
{
return_addr,
proc_handle,
addr,
buffer,
size,
(size_t*)0xFFFFFFF3423424
nullptr
};
DWORD bytes_read;
@ -72,18 +72,18 @@ namespace bedaisy
sizeof ioctl_data,
nullptr,
NULL,
&bytes_read,
(LPDWORD)&bytes_read,
nullptr
);
}
void write(HANDLE proc_handle, std::uintptr_t addr, void* buffer, std::size_t size)
__forceinline void write(HANDLE proc_handle, std::uintptr_t addr, void* buffer, std::size_t size)
{
if (!proc_handle || !addr)
return;
const auto [daisy_handle, return_addr] = get_ioctl_data();
const beioctl ioctl_data
beioctl_t ioctl_data
{
return_addr,
proc_handle,
@ -108,7 +108,7 @@ namespace bedaisy
}
template <class T>
inline T read(HANDLE proc_handle, std::uintptr_t addr)
__forceinline T read(HANDLE proc_handle, std::uintptr_t addr)
{
if (!addr || !proc_handle)
return {};
@ -119,7 +119,7 @@ namespace bedaisy
}
template <class T>
inline void write(HANDLE proc_handle, std::uintptr_t addr, const T& data)
__forceinline void write(HANDLE proc_handle, std::uintptr_t addr, const T& data)
{
if (!proc_handle || !addr)
return;
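Review bot: The `(LPDWORD)&bytes_read` added in the -72 hunk is a C-style cast applied to a value that is already a `DWORD*` (`DWORD bytes_read;` in the preceding hunk), so it changes nothing today and would silently paper over a future type change; `&bytes_read` alone is the correct argument. That local is also left uninitialized before the call; `DWORD bytes_read{};` avoids reading an indeterminate value if the call never writes it. The guard clauses of `read` (`!addr || !buffer || !size`) and `write` (`!proc_handle || !addr`) check different preconditions, which is worth either aligning or documenting with a one-line comment on each. Note that `__forceinline` is an MSVC extension, fine for a vcxproj-only build but non-portable, and it forces every caller to inline fairly large bodies. The namespace and these functions continue outside the hunks shown.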

@ -1,29 +1,34 @@
#include "rust.hpp"
#include "utils.hpp"
void example()
void run_example()
{
OutputDebugStringA("[lsass] main thread created!");
const auto proc_handle =
OpenProcess(
PROCESS_QUERY_INFORMATION, FALSE,
utils::get_pid(L"RustClient.exe")
);
OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, utils::get_pid(L"notepad.exe"));
if (proc_handle)
if (proc_handle == INVALID_HANDLE_VALUE)
{
rust::set_fov(proc_handle, 120.f);
OutputDebugStringA("[lsass] set fov!");
OutputDebugStringA("[lsass] failed to open handle to system process...");
return;
}
}
const auto ntdll_base =
reinterpret_cast<std::uintptr_t>(GetModuleHandleA("ntdll.dll"));
if (bedaisy::read<short>(proc_handle, ntdll_base) == IMAGE_DOS_SIGNATURE)
OutputDebugStringA("[lsass] read ntdll MZ from notepad.exe using BEDaisy.sys...\n");
else
OutputDebugStringA("[lsass] failed to read MZ...\n");
}
std::atomic<bool> init = false;
extern "C" NTSTATUS nt_close(void* handle)
extern "C" auto nt_close(void* handle) -> NTSTATUS
{
if (!init.exchange(true))
{
OutputDebugStringA("[lsass] creating thread!");
CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)&example, NULL, NULL, NULL);
CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)&run_example, NULL, NULL, NULL);
}
return NULL;
}
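Review bot: The new check `if (proc_handle == INVALID_HANDLE_VALUE)` does not catch the failure case of OpenProcess, which returns NULL rather than INVALID_HANDLE_VALUE, so the "failed to open handle" branch is unreachable in practice; `if (!proc_handle)` is the correct test. As written, a failed open falls through to `bedaisy::read<short>`, whose own `!proc_handle` guard returns `{}`, so the "failed to read MZ" message is printed instead of the intended one. The handle is never released on either path; a `CloseHandle(proc_handle);` before run_example returns (or a unique_ptr with `&CloseHandle` as deleter, as `uq_handle` in the util header already does) would close the leak. In nt_close, `return STATUS_SUCCESS;` states the intent more clearly than `return NULL;` for an NTSTATUS.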

@ -165,7 +165,6 @@
</ItemGroup>
<ItemGroup>
<ClInclude Include="bedaisy.hpp" />
<ClInclude Include="rust.hpp" />
<ClInclude Include="utils.hpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />

@ -21,8 +21,5 @@
<ClInclude Include="utils.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="rust.hpp">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>

@ -1,30 +0,0 @@
#pragma once
#include "utils.hpp"
#define GFX_MANAGER 0x28C6F30
#define CAMERA_MANAGER 0xB8
#define CAMERA_FOV 0x18
namespace rust
{
void set_fov(HANDLE proc_handle, float fov_value)
{
const auto asm_base = utils::get_module_base(proc_handle, L"GameAssembly.dll");
if (!asm_base)
return;
const auto gfx_manager = bedaisy::read<std::uintptr_t>(
proc_handle, asm_base + GFX_MANAGER);
if (!gfx_manager)
return;
const auto camera_manager = bedaisy::read<std::uintptr_t>(
proc_handle, gfx_manager + CAMERA_MANAGER);
if (!camera_manager)
return;
bedaisy::write<float>(proc_handle, camera_manager + CAMERA_FOV, fov_value);
}
}

@ -7,17 +7,17 @@
namespace utils
{
struct nt_peb
typedef struct _nt_peb
{
std::uintptr_t res[2];
std::uintptr_t image_base;
std::uintptr_t ldr;
std::uintptr_t proc_params;
};
} nt_peb;
inline uint32_t get_pid(const std::wstring_view process_name)
__forceinline auto get_pid(const std::wstring_view process_name) -> std::uint32_t
{
const auto handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
const auto handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
if (handle == INVALID_HANDLE_VALUE)
return !CloseHandle(handle);
@ -34,7 +34,7 @@ namespace utils
return NULL;
}
inline PPEB get_process_peb(const HANDLE process_handle)
__forceinline auto get_process_peb(const HANDLE process_handle) -> nt_peb*
{
PROCESS_BASIC_INFORMATION process_info{};
ULONG bytes_returned;
@ -47,20 +47,18 @@ namespace utils
&bytes_returned
) != ERROR_SUCCESS)
return nullptr;
return process_info.PebBaseAddress;
return reinterpret_cast<utils::nt_peb*>(process_info.PebBaseAddress);
}
// could do a snapshot but i have this code handy atm...
inline std::uintptr_t get_proc_base(const HANDLE proc_handle)
__forceinline auto get_proc_base(const HANDLE proc_handle) -> std::uintptr_t
{
if (!proc_handle) return {};
const auto ppeb = reinterpret_cast<std::uintptr_t>(get_process_peb(proc_handle));
const auto peb = bedaisy::read<nt_peb>(proc_handle, ppeb);
return peb.image_base;
}
// could do a snapshot but i have this code handy atm...
inline std::uintptr_t get_module_base(const HANDLE proc_handle, const wchar_t* module_handle)
__forceinline auto get_module_base(const HANDLE proc_handle, const wchar_t* module_handle) -> std::uintptr_t
{
const auto ppeb = reinterpret_cast<std::uintptr_t>(get_process_peb(proc_handle));
const auto peb = bedaisy::read<nt_peb>(proc_handle, ppeb);
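Review bot: `CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL)` in the first hunk passes the null-pointer macro for `th32ProcessID`, which is a DWORD; the original literal `0` was the right one and should be restored. The `typedef struct _nt_peb { ... } nt_peb;` rewrite is a C idiom with no benefit in C++, since `struct nt_peb` already introduces the type name and the `reinterpret_cast<utils::nt_peb*>` in get_process_peb works unchanged with it. On the context line `return !CloseHandle(handle);` following `handle == INVALID_HANDLE_VALUE`, the function appears to return a non-zero "pid" whenever that CloseHandle reports failure, which a caller testing `!get_pid(...)` would take as a found process; `return 0;` is the unambiguous result. The `utils` namespace and get_module_base continue past the hunk.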


@ -0,0 +1,2 @@
[LocalizedFileNames]
Command Prompt.lnk=@%SystemRoot%\system32\shell32.dll,-22022

@ -0,0 +1,2 @@
start notepad.exe
start badeye.exe inside.dll
