handle elevation using bedaisy. write up can be found here https://back.engineering/21/08/2020/
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
xerox
c08ab9e59d
|
4 years ago | |
---|---|---|
badeye | 4 years ago | |
battleye.8.17.2020 | 4 years ago | |
README.md | 4 years ago |
README.md
badeye
Its well known that battleye proxies calls to NtReadVirtualMemory/NtWriteVirtualMemory
to their driver via DeviceIoControl in both lsass.exe
and csrss.exe
. Although csrss.exe
is not something you can inject from usermode, lsass.exe is (although it can be protected, depends on your system/hvci).
The reason this proxy of a syscall is a vulnerability is simply because their is no validation of R/W access on the specified handle passed to BEDaisy
. In other words: you can
open a handle with PROCESS_QUERY_LIMITED_INFORMATION
and use that handle to read/write any usermode memory that is also read/writeable. The handle access is not important to bedaisy
rather they use the handle to get the EPROCESS of the process that the handle is opened on.