# BEDaisy
reverse engineering of bedaisy.sys (battleyes kernel driver). By registering on image load callbacks and IAT hooking BEDaisy's `MmGetSystemRoutineAddress` we can simply hook any imports
we want and have control flow over subsequent functions.
# APCS
The below function will be executed in each thread that bedaisy registers an APC on.
```cpp
__int64 __usercall apc_callback@(char _CL@, char _BH@, __int64 *a3@)
{
__int64 v4; // rbx
__asm { rcl bh, cl }
v4 = *a3;
*(_DWORD *)(v4 + 2160) = RtlWalkFrameChain(*a3 + 0x70, 256i64, 0i64);
return KeSetEvent(v4 + 88, 0i64, 0i64);
}
```
Registeration of APCS:
```cpp
status = PsLookupThreadByThreadId(thread_id, &some_pethread);
v17 = 0;
if ( (int)status >= 0 )
{
allocated_pool = ExAllocatePool(0x200i64, 0x878i64);
allocated_pool_1 = allocated_pool;
allocated_pool_2 = allocated_pool;
if ( allocated_pool )
{
allocated_pool_plus_58 = allocated_pool + 0x58;
KeInitializeEvent((PRKEVENT)(allocated_pool + 0x58), NotificationEvent, 0);
__asm { rcl cx, 0C6h }
LOBYTE(v77) = 0;
KeInitializeApc(allocated_pool_2, some_pethread, 0i64, j_apc_callback, 0i64, 0i64, v77, 0i64);
if ( (unsigned __int8)KeInsertQueueApc(allocated_pool_2, allocated_pool_2, 0i64, 2i64) )
```
# HWID
BEDaisy opens a handle to DR0 (disk.sys).
```
02646022 190.98799133 [GoodEye]ZwOpenFile called from: 0xFFFFF804DEFDB904
02646023 190.98799133 [GoodEye] - ZwOpenFile(\Device\Harddisk0\DR0)
02646024 190.98869324 [GoodEye] - ZwOpenFile handle result: 0xFFFFFFFF80003E28
```
BEDaisy then sends a few IOCTL's to disk.sys using `ZwDeviceIoControlFile`
```
02646049 190.99142456 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB94A
02646050 190.99143982 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646051 190.99143982 [GoodEye] - IoControlCode: 0x00000000002D1400
02646052 190.99143982 [GoodEye] - OutputBufferLength: 0x0000000000000008
02646053 190.99143982 [GoodEye] - InoutBufferLength: 0x000000000000000C
02646059 190.99192810 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB960
02646060 190.99192810 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646061 190.99192810 [GoodEye] - IoControlCode: 0x00000000002D1400
02646062 190.99192810 [GoodEye] - OutputBufferLength: 0x0000000000000000
02646063 190.99194336 [GoodEye] - InoutBufferLength: 0x000000000000000C
02646072 190.99209595 [GoodEye]ZwDeviceIoControlFile Called From 0xFFFFF804DEFDB9B1
02646073 190.99211121 [GoodEye] - FileHandle: 0xFFFFFFFF80003E28
02646074 190.99211121 [GoodEye] - IoControlCode: 0x000000000007C088
02646075 190.99211121 [GoodEye] - OutputBufferLength: 0x0000000000000211
02646076 190.99211121 [GoodEye] - InoutBufferLength: 0x0000000000000021
```
# IRP
BEDaisy checks the IRP's of every single loaded driver. Below is the checks done on dxgkrnl.sys on windows 10-2004.
```
00042942 92.55983734 [GoodEye]gh_wcsnicmp called from: 0xFFFFF804DEFDD874
00042943 92.55983734 [GoodEye] - string1: C:\Windows\System32\drivers\dxgkrnl.sys
00042944 92.55983734 [GoodEye] - string2: C:\Windows\System32\drivers\dxgkrnl.sys
00042945 92.55983734 [GoodEye] - count: 0x27
00042946 92.55996704 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFDD8B6
00042947 92.55996704 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F10000
00042948 92.56076813 [GoodEye]ExFreePoolWithTag called from: 0xFFFFF804DEFDD8D7
00042949 92.56076813 [GoodEye] - Freeing pool at: 0xFFFFC8081516C850
00042950 92.56076813 [GoodEye] - Pool Tag: 0x0
00042951 92.56208801 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042952 92.56209564 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8049905E400
00042953 92.56209564 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042954 92.56209564 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042955 92.56209564 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042956 92.56209564 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8049905E400
00042957 92.56209564 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042958 92.56209564 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042959 92.56209564 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042960 92.56210327 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042961 92.56210327 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042962 92.56210327 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042963 92.56210327 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042964 92.56210327 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042965 92.56211090 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042966 92.56211090 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042967 92.56211090 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042968 92.56211090 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042969 92.56211853 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042970 92.56211853 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042971 92.56211853 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042972 92.56211853 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042973 92.56211853 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042974 92.56212616 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042975 92.56212616 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042976 92.56212616 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042977 92.56212616 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042978 92.56212616 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042979 92.56213379 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042980 92.56213379 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80498F516A0
00042981 92.56213379 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042982 92.56213379 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF80499059670
00042983 92.56214142 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042984 92.56214142 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8049916C4D0
00042985 92.56214142 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042986 92.56214142 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042987 92.56214142 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042988 92.56214905 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042989 92.56214905 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042990 92.56214905 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042991 92.56214905 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042992 92.56214905 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042993 92.56215668 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042994 92.56215668 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042995 92.56215668 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042996 92.56215668 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042997 92.56215668 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00042998 92.56216431 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00042999 92.56216431 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00043000 92.56216431 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00043001 92.56216431 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00043002 92.56216431 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00043003 92.56217194 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00043004 92.56217194 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
00043005 92.56217194 [GoodEye]MmIsAddressValid Called From: 0xFFFFF804DEFE1116
00043006 92.56217194 [GoodEye] - NonPaged VirtualAddress: 0xFFFFF8047EF364C0
```