Handle elevation using bedaisy. A write-up can be found here: https://back.engineering/21/08/2020/
Repository contents: badeye, battleye.8.17.2020, README.md (latest commit 6ee29bcafe by xerox, "Update README.md"; both project directories were added in the commit "added current battleye + badeye project").

badeye

From INI file to kernel execution: a full BattlEye privilege escalation.

ini 2 lsass.exe

BELauncher.ini can specify which process BattlEye is going to protect and the arguments to be passed to that process. For our use case we want to protect powershell.exe, which lets us JIT-compile C# and call native Windows functions (OpenProcess, WriteProcessMemory, etc.). All of the C#/PowerShell code can be specified in BEArg="".
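As an added defensive check (not code from the badeye project or the write-up), the script below audits a BELauncher.ini for the configuration pattern just described: a protected executable that is a script interpreter rather than a game binary, or a BEArg value that carries inline code. The sample INI contents are constructed, and every key name other than BEArg is an assumption made for this example.

```python
import configparser
import ntpath
import re
from typing import List, Tuple

# Executables that should never be the "protected" process of a game launcher.
SCRIPT_INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
# Argument fragments typical of in-memory C# compilation or process memory access.
INLINE_CODE_RE = re.compile(
    r"Add-Type|DllImport|OpenProcess|WriteProcessMemory|-EncodedCommand|FromBase64String",
    re.IGNORECASE,
)

# Constructed sample files. Only BEArg is a key name taken from the write-up; the
# other keys and all values are assumptions made for this example.
SUSPICIOUS_INI = """[Launcher]
GameName=ExampleGame
BEExe=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
BEArg="-NoProfile -Command Add-Type -TypeDefinition $src; [Win32]::OpenProcess(...)"
"""
BENIGN_INI = """[Launcher]
GameName=ExampleGame
BEExe=ExampleGame.exe
BEArg="-windowed"
"""


def audit_launcher_ini(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, finding) tuples for suspicious launcher settings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written
    try:
        parser.read_string(text)
    except configparser.MissingSectionHeaderError:
        parser.read_string("[root]\n" + text)  # tolerate header-less files
    findings = []
    for section in parser.sections():
        for key, raw in parser.items(section):
            value = raw.strip().strip('"')
            tokens = value.split()
            exe = ntpath.basename(tokens[0]).lower() if tokens else ""
            if exe in SCRIPT_INTERPRETERS:
                findings.append((section, key, "script-interpreter"))
            if INLINE_CODE_RE.search(value):
                findings.append((section, key, "inline-code-args"))
    return findings
```

Run `audit_launcher_ini` over the launcher INI of each installed BattlEye-protected game; any finding means the protected process is not the game binary and deserves a manual look.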

lsass.exe 2 ring 0

The reason lsass.exe is a key program/context to be executing in is that BattlEye inline-hooks NtReadVirtualMemory and NtWriteVirtualMemory; this is well documented and has been known for a while now (it was even posted on UC). BattlEye proxies the calls to these functions to its driver via DeviceIoControl.