
badeye

from ini file to kernel execution, BattlEye full privilege escalation.

ini 2 lsass.exe

BELauncher.ini can specify which process it is going to protect and the arguments to be passed to that process. For our use case we will want to protect powershell.exe. This allows us to JIT compile C# and call native Windows functions (OpenProcess, WriteProcessMemory, etc.). All of the C#/PowerShell code can be specified in BEArg="".
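From the defender's side, the tampering described above leaves a visible trace in the launcher configuration itself. The following is an added example, not code from this repository: it audits a BELauncher.ini for a protected executable outside an expected allowlist and for script-like content in BEArg. It assumes the launcher section is named [Launcher] and uses 32BitExe/64BitExe keys for the protected process (the key names are an assumption); BEArg is the key named in the write-up.

```python
import configparser
from typing import Iterable, List

# Constructed sample, not a real file: a BELauncher.ini repointed at
# powershell.exe with inline C# in BEArg, as the write-up describes.
SAMPLE_INI = """[Launcher]
GameName=ExampleGame
32BitExe=powershell.exe
64BitExe=powershell.exe
BEArg=-NoProfile -Command "Add-Type -TypeDefinition ..."
"""

# Executables the launcher is legitimately expected to protect (site-specific).
EXPECTED_EXES = {"examplegame.exe", "examplegame_be.exe"}

# Substrings in BEArg that indicate script or P/Invoke rather than game arguments.
SUSPICIOUS_ARG_MARKERS = (
    "-command", "-encodedcommand", "add-type", "dllimport",
    "openprocess", "writeprocessmemory",
)


def audit_belauncher(ini_text: str,
                     expected_exes: Iterable[str] = EXPECTED_EXES) -> List[str]:
    """Return a list of findings; an empty list means nothing looked off."""
    expected = {e.lower() for e in expected_exes}
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    if not parser.has_section("Launcher"):
        return ["no [Launcher] section found"]
    launcher = parser["Launcher"]
    findings: List[str] = []

    # Assumed key names for the protected process; values may be bare names or paths.
    for key in ("32BitExe", "64BitExe"):
        exe = launcher.get(key, "").strip().strip('"').lower()
        if exe and exe.replace("/", "\\").rsplit("\\", 1)[-1] not in expected:
            findings.append(f"{key} points at unexpected executable: {exe}")

    # BEArg is passed straight to the protected process; flag script markers.
    bearg = launcher.get("BEArg", "").lower()
    for marker in SUSPICIOUS_ARG_MARKERS:
        if marker in bearg:
            findings.append(f"BEArg contains script marker: {marker}")
    return findings


if __name__ == "__main__":
    for finding in audit_belauncher(SAMPLE_INI):
        print(finding)
```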

lsass.exe 2 ring 0

The reason lsass.exe is a key program/context to be executing in is that BattlEye inline hooks NtReadVirtualMemory and NtWriteVirtualMemory; this is well documented and has been known for a while now (posted on UC even). BattlEye proxies the calls to these functions to its driver via DeviceIoControl.