_xeroxz
/
badeye
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
handle elevation using bedaisy. write up can be found here https://back.engineering/21/08/2020/
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
1 Tag
16 MiB
 
 
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c08ab9e59d'
${ noResults }
Go to file
xerox c08ab9e59d
added system proc read demo 		4 years ago
badeye added system proc read demo 4 years ago
battleye.8.17.2020 added current battleye + badeye project 4 years ago
README.md Update README.md 4 years ago

README.md

badeye

Its well known that battleye proxies calls to NtReadVirtualMemory/NtWriteVirtualMemory to their driver via DeviceIoControl in both lsass.exe and csrss.exe. Although csrss.exe is not something you can inject from usermode, lsass.exe is (although it can be protected, depends on your system/hvci).

The reason this proxy of a syscall is a vulnerability is simply because their is no validation of R/W access on the specified handle passed to BEDaisy. In other words: you can open a handle with PROCESS_QUERY_LIMITED_INFORMATION and use that handle to read/write any usermode memory that is also read/writeable. The handle access is not important to bedaisy rather they use the handle to get the EPROCESS of the process that the handle is opened on.