From 83da9883acb675c5619e4810c67be859178f2d95 Mon Sep 17 00:00:00 2001 From: xerox Date: Mon, 17 Aug 2020 22:40:57 +0000 Subject: [PATCH] Update README.md --- README.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 15fb9d0..00a7688 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,10 @@ BattlEye proxies NtReadVirtualMemory and NtWriteVirtualMemory in lsass.exe/csrss +you cannot use this to read/write the process that battleye is protecting but you can use +this to read/write any other process you can open a simple handle too. `Rust`, `Valorant`, you name it, just open a `PROCESS_QUERY_LIMITED_INFORMATION` handle and pass it to `BEDaisy`. The reason +this works is two fold, firstly BattlEye assumes that the handle already has this access, secondly BattlEye only uses the handle to get the `EPROCESS` so they can call `MmCopyVirtualMemory`. You can see +this in my runtime logs of `BEDaisy`. # lsass.exe/csrss.exe @@ -44,11 +48,5 @@ the handle to the driver we can start sending IOCTL's to BattlEye. The IOCTL dat -# limitations - -Now that we can ask BEDaisy to read/write for us, what are the limitations? Well first off you cannot use this to read/write the process that battleye is protecting but you can use -this to read/write any other process you can open a simple handle too. `Rust`, `Valorant`, you name it, just open a `PROCESS_QUERY_LIMITED_INFORMATION` handle and pass it to `BEDaisy`. The reason -this works is two fold, firstly BattlEye assumes that the handle already has this access, secondly BattlEye only uses the handle to get the `EPROCESS` so they can call `MmCopyVirtualMemory`. You can see -this in my runtime logs of `BEDaisy`.
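Review bot: in the first hunk the inserted paragraph starts mid-sentence ("you cannot use this to read/write the process ...") because the lead-in of the original section ("Now that we can ask BEDaisy to read/write for us, what are the limitations? Well first off") was dropped, and it is placed directly after the "BattlEye proxies NtReadVirtualMemory and NtWriteVirtualMemory in lsass.exe/csrss" line with no heading, so a reader no longer sees that this is a discussion of limitations. Suggest either keeping a short introductory sentence or starting the paragraph with a capitalised, complete sentence. Two wording nits carried over from the old text: "any other process you can open a simple handle too" should read "handle to", and "two fold" should be "twofold".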
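Review bot: the second hunk deletes the "# limitations" heading together with the paragraph, but the paragraph itself is re-added at the top of the file in the first hunk, so the net effect is a move that loses its heading. If the intent is to surface the limitations earlier, move the heading with the text (or retitle it, e.g. "# limitations" above the relocated paragraph) so the README keeps a section readers can link to; otherwise the moved text should be folded into the preceding paragraph rather than left as a detached block.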