handle elevation using bedaisy. write up can be found here https://back.engineering/21/08/2020/
| Name | Last commit | Age |
|---|---|---|
| badeye | xerox, 6ee29bcafe | 4 years ago |
| battleye.8.17.2020 | xerox, 6ee29bcafe | 4 years ago |
| README.md | xerox, 6ee29bcafe | 4 years ago |
# badeye

From ini file to kernel execution: BattlEye full privilege escalation.
## ini 2 lsass.exe

`BELauncher.ini` can specify which process BattlEye is going to protect and the arguments to be passed to that process. For our use case we will want to protect `powershell.exe`. This allows us to JIT-compile C# and call native Windows functions (OpenProcess, WriteProcessMemory, etc.). All of the C#/PowerShell code can be specified in `BEArg=""`.
## lsass.exe 2 ring 0

The reason lsass.exe is a key process/context to be executing in is that BattlEye inline hooks `NtReadVirtualMemory` and `NtWriteVirtualMemory` there. This is well documented and has been known for a while now (it was even posted on UC). BattlEye proxies the calls to these functions to its driver via `DeviceIoControl`.