Guide Anticheat Battleye Bypass Overview


Rake

Administrator
Jan 21, 2014
Game Name: N/A
Anticheat: Battleye
How long you been coding/hacking? 7 years
Coding Language: C++
Battleye (BE) is the second most popular mature kernel-mode anticheat. It does many of the same things as EAC, but it is less widely deployed and easier to bypass. Easier does not mean easy: you still need to know what you're doing before you start hacking a BE-protected game. This article covers everything you need to get started on a Battleye bypass.

We have two guides which should be viewed before reading this BE specific guide:
Guide - How to Bypass Anticheat - Start Here Beginner's Guide
Guide - How to Bypass Kernel Anticheat & Develop Drivers

This article contains information compiled from many sources, full credits to these gentlemen: @iPower, @_xeroxz, vmcall & everyone at secret.club


(img courtesy of BattlEye – The Anti-Cheese Gold Standard)

Games utilizing Battleye
  • Fortnite
  • PUBG
  • Escape from Tarkov
  • Rainbow Six Siege
  • Ark Survival Evolved
  • ARMA II
  • ARMA III
  • DAYZ
  • H1Z1
  • Survival of the Fittest
  • PlanetSide 2
  • Survarium
  • Project Argo
  • Unturned
  • Insurgency
  • Day of Infamy
  • The Isle
  • Line of Sight
  • Conan Exiles
  • Tibia
  • Black Squad
  • S4League
  • Zula
  • Islands of Nyne
  • Blacklight: Retribution
  • SOS
  • Pixark
  • Heroes & Generals
  • Bless Online
  • and more

Battleye Anticheat Versions

It's important to understand that the version of BE is not the same on every game: an older or less popular game typically runs an older build and is easier to bypass, while newer, more popular games get the latest version. Battleye has been around since 2004 and has been actively developed throughout its history, so tutorials and information from 5 years ago will not work on the newest versions, but they are still worth reading. Battleye was first developed as a third-party anticheat for Battlefield Vietnam and Battlefield 1942 and became more popular and robust with its integration into ARMA 3 and DayZ.

Battleye Anticheat is a Kernel Mode Anticheat

A processor running Windows executes code at two privilege levels that matter here: kernel mode (ring 0) and user mode (ring 3). This separation is enforced by the CPU itself, not by the operating system. The core of the OS and every driver run in kernel mode, where code can read and write any memory and execute privileged instructions; usermode code cannot touch kernel memory at all. Drivers are not limited to hardware drivers: a .sys driver can do anything you want in kernel mode, including bypassing an anticheat and implementing cheat functionality. Because the two modes are separated by hardware, nothing you do from usermode alone will get past the anticheat's kernel driver.

Because BE is a kernel-mode anticheat, you also need to be in the kernel to build a Battleye bypass. You can use a VM or your own hypervisor to dump the Battleye modules and reverse engineer them, but keep in mind that BE has some virtual-machine and hypervisor detection.

Read the main Kernel Guide to learn everything you need to do know before you start working on Battleye.

But Rake, I don't want to learn, I just want to paste a Battleye bypass!

Ok, before we go too far, here is a simple 6-step process that is the easiest way to paste your way into the kernel:
  1. Video Tutorial - How to Make a Windows Kernel Mode Driver Tutorial
  2. Video Tutorial - Kernel 2 - Usermode Communication - IOCTL Tutorial
  3. Video Tutorial - How to Write Memory from Kernel - MmCopyVirtualMemory Tutorial
  4. Experiment with this source code Source Code - CSGO Kernel Driver Multihack
  5. Use kdmapper which uses a vulnerable Intel driver to manually map your kernel driver (make sure anticheat is not loaded yet)
  6. Start the game and use your usermode application to write to the game memory
With those 6 steps you can read and write the memory of a BE-protected process. You have not bypassed any of Battleye's actual detections with this; you have only given yourself read/write access, which you should use to dump the Battleye modules. Battleye and other strong kernel anticheats detect this easily, so using this method by itself will get you banned. Keep reading to learn how to stay undetected.

Manually Mapped Driver Detection
To keep your manually mapped driver from being detected you need to clear the PiDDBCacheTable and MmUnloadedDrivers traces left behind by loading and unloading the vulnerable driver, and stop the enumeration of your own system pool allocations and system threads. The three detection vectors are:
  • PiDDBCacheTable & MmUnloadedDrivers
  • system pool detection
  • system thread detection
@iPower said they search for system threads that do not belong to any regular kernel module, which easily detects manually mapped drivers. You can find it in his logs by searching for PsLookupThreadByThreadId and RtlWalkFrameChain.
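As an added example (not code from the original post, from iPower's hypervisor, or from Battleye itself), here is the heart of that system-thread check in portable C. A stack walker such as RtlWalkFrameChain hands back a thread's return addresses; each address is tested against the ranges of the loaded kernel modules that a SystemModuleInformation query would list, and a frame that no module covers is the fingerprint of a manually mapped driver. The module ranges and frame addresses below are constructed sample data, not values from any real system.

```c
/* Added example: "does this thread's stack belong to a loaded module?" check.
 * Module ranges and frame addresses are constructed sample data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const char *name;
    uint64_t base;
    uint64_t size;   /* image size in bytes; the range is [base, base + size) */
} module_t;

/* Constructed stand-in for the loaded-module list (SystemModuleInformation). */
static const module_t g_modules[] = {
    { "ntoskrnl.exe", 0xFFFFF80000200000ULL, 0x00A00000ULL },
    { "BEDaisy.sys",  0xFFFFF80012000000ULL, 0x00400000ULL },
    { "win32k.sys",   0xFFFFF9F000000000ULL, 0x00300000ULL },
};
#define NUM_MODULES (sizeof(g_modules) / sizeof(g_modules[0]))

/* Returns the module whose image contains addr, or NULL if none does.
 * Half-open range: base + size is the first byte past the image. */
const module_t *module_for_address(uint64_t addr) {
    for (size_t i = 0; i < NUM_MODULES; i++) {
        const module_t *m = &g_modules[i];
        if (addr >= m->base && addr - m->base < m->size)
            return m;
    }
    return NULL;
}

/* Walks the return addresses a stack walker reported for one thread and
 * counts the frames not backed by any loaded module. first_bad receives the
 * first such address (0 if every frame is backed). */
size_t count_unbacked_frames(const uint64_t *frames, size_t n, uint64_t *first_bad) {
    size_t bad = 0;
    if (first_bad) *first_bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (module_for_address(frames[i]) == NULL) {
            if (bad == 0 && first_bad) *first_bad = frames[i];
            bad++;
        }
    }
    return bad;
}

/* Constructed samples: a normal system thread, and one whose frames sit in a
 * pool allocation that no module owns (a manually mapped image). */
static const uint64_t g_clean_thread[] = {
    0xFFFFF80000212345ULL, /* ntoskrnl.exe */
    0xFFFFF80012034567ULL, /* BEDaisy.sys */
    0xFFFFF80000455555ULL, /* ntoskrnl.exe */
};
static const uint64_t g_mapped_thread[] = {
    0xFFFFF80000212345ULL, /* ntoskrnl.exe: thread start stub */
    0xFFFFA00C1234ABCDULL, /* pool memory: no module covers this */
    0xFFFFA00C12340010ULL, /* same mapped image */
};
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void) {
    uint64_t bad;
    size_t n = count_unbacked_frames(g_clean_thread, LEN(g_clean_thread), &bad);
    printf("clean thread: %zu unbacked frame(s)\n", n);
    n = count_unbacked_frames(g_mapped_thread, LEN(g_mapped_thread), &bad);
    printf("suspicious thread: %zu unbacked frame(s), first at 0x%016llx\n",
           n, (unsigned long long)bad);
    return 0;
}
```

Hiding from this check is exactly why the section above tells you to stop enumeration of your own pool allocations and threads: the walk itself is trivial, and the only thing a mapped driver can do about it is keep its frames from being seen.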

Battleye Anti Cheat Components
  • BEService - Windows service that communicates with BEServer, which provides BEDaisy and BEClient communication capabilities
  • BEDaisy - kernel driver that registers callbacks and minifilters to prevent cheaters from modifying the game
  • BEClient - usermode DLL that is responsible for most of the detection vectors, it is mapped into the game process after initialization
  • BEServer - backend-server that is responsible for collecting information and taking concrete actions against cheaters

Battleye Anticheat Features
  • Debugger detection
  • Signature based detection of known cheats
  • Open game process handles
  • Detection of manually mapped modules, i.e. executable pages not backed by an image on disk
  • Process handle creation is blocked
  • Overlay detection
  • Steam overlay hooks and hacks embedded in Steam processes
  • lsass.exe modifications
  • game files integrity checks
  • TCP connections to cheat sites
  • module name and timestamp blacklist
  • certificate blacklist
  • driver blacklist
  • stack walking / ret check
  • single stepping to detect code outside of usermode memory range
  • hypervisor detection

Battleye is actively scanning and uploading a lot of information to their servers while you play:
  • all running processes
  • all device drivers
  • all window names
  • options to upload more if anomalies are detected

How does Battleye protect itself?
  • virtualization
  • streams shellcode into memory
  • integrity checks on its modules & shellcode
  • encrypted traffic with BE server
  • encrypted named pipe communication
  • it does extra logging on computers with lots of reversing tools

secret.club Battleye articles

secret.club has some of the best content regarding Battleye so you will definitely want to look at these

_xeroxz's Articles and Repos

@_xeroxz has done a bunch of work on Battleye, on par with some of the secret.club articles, so be sure to check those out too.
Some important excerpts from his articles:

BEDaisy Inline Hooks

BEDaisy places inline hooks on both NtWriteVirtualMemory and NtReadVirtualMemory inside of lsass.exe and csrss.exe. The reason for these hooks is that csrss.exe and lsass.exe need handles with PROCESS_VM_OPERATION in order to function properly. The handles that csrss.exe and lsass.exe would have to BEDaisy's protected processes are stripped of PROCESS_VM_OPERATION via BEDaisy's enumeration of the protected processes' handle table by calling ExEnumHandleTable. In order to allow csrss.exe and lsass.exe to read/write the game's memory, BEDaisy proxies their read/write calls.

BEDaisy Imports
If you take a look at BEDaisy.sys's import address table you can see this nice little import by the name of MmGetSystemRoutineAddress. This function is used to dynamically resolve imports at runtime. List of BEDaisy imports: battleyes imports ($24) · Snippets

LOADED KERNEL MODULE ENUMERATION
BEDaisy enumerates all loaded modules by calling NtQuerySystemInformation with SystemModuleInformation. If a blacklisted driver is found, the game will not run; drivers like the notorious Intel LAN driver, capcom, and gdrv are all blocked by BEDaisy.

RUNNING PROCESSES ENUMERATION
BEDaisy also constantly enumerates running processes using NtQuerySystemInformation, except with SystemProcessInformation; this can also be easily hooked to filter out specific executables from BEDaisy's queries.

ASYNCHRONOUS PROCEDURE CALL (APC)
BEDaisy registers APCs on all user mode threads in every process. The APC code that is executed simply calls RtlWalkFrameChain, which in turn provides BEDaisy with all of the stack frames on the thread.

== end of _xeroxz's content ==
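The "filter out specific executables" trick from the process-enumeration excerpt comes down to re-linking a SystemProcessInformation buffer, and the edge cases are where hand-rolled versions break. Here is the walk in portable C as an added example (not _xeroxz's code or anything from the original post). The real SYSTEM_PROCESS_INFORMATION records are variable-sized and chained by NextEntryOffset, with 0 marking the last record; the struct below is a constructed, fixed-size stand-in that keeps the same linkage rule so the walk runs anywhere, and the process list is constructed sample data. It handles a match on the first record (nothing to relink from, so the rest of the buffer slides up), consecutive matches, and a match on the last record (the predecessor becomes the new terminator).

```c
/* Added example: unlinking records from a NextEntryOffset-chained buffer, the
 * way a hook on NtQuerySystemInformation(SystemProcessInformation) would after
 * the real call has filled it. proc_info_t is a constructed stand-in for
 * SYSTEM_PROCESS_INFORMATION; only the linkage rule is identical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t NextEntryOffset;   /* bytes from this record to the next; 0 = last */
    uint32_t NumberOfThreads;
    char     ImageName[32];     /* real struct: UNICODE_STRING; simplified here */
} proc_info_t;

/* Removes every record whose ImageName equals `name`. Returns how many went. */
size_t hide_process(void *buf, size_t buf_len, const char *name) {
    uint8_t *base = (uint8_t *)buf;
    proc_info_t *prev = NULL;
    proc_info_t *cur = (proc_info_t *)base;
    size_t removed = 0;

    for (;;) {
        uint32_t next_off = cur->NextEntryOffset;
        proc_info_t *next = next_off ? (proc_info_t *)((uint8_t *)cur + next_off) : NULL;

        if (strcmp(cur->ImageName, name) == 0) {
            removed++;
            if (prev == NULL) {
                /* First record: nobody points at it, so move the remainder of
                 * the buffer down over it. Offsets are relative, so the moved
                 * records stay consistent. */
                if (next == NULL) {             /* it was the only record */
                    memset(cur, 0, sizeof(*cur)); /* leave an empty terminator */
                    return removed;
                }
                size_t tail = buf_len - (size_t)((uint8_t *)next - base);
                memmove(cur, next, tail);
                continue;                       /* re-examine what now sits at cur */
            }
            /* Middle or last record: make the predecessor skip over it.
             * For the last record the predecessor becomes the terminator. */
            prev->NextEntryOffset = next ? (uint32_t)((uint8_t *)next - (uint8_t *)prev) : 0;
        } else {
            prev = cur;
        }
        if (next == NULL)
            return removed;
        cur = next;
    }
}

/* Walks the chain as any consumer would and collects the names. */
size_t list_processes(const void *buf, const char **out, size_t max) {
    const proc_info_t *cur = (const proc_info_t *)buf;
    size_t n = 0;
    for (;;) {
        if (cur->ImageName[0] != '\0' && n < max)
            out[n++] = cur->ImageName;
        if (cur->NextEntryOffset == 0)
            return n;
        cur = (const proc_info_t *)((const uint8_t *)cur + cur->NextEntryOffset);
    }
}

/* Builds a constructed sample buffer: n records, fixed stride, last one has
 * NextEntryOffset 0. Returns the buffer length in bytes. */
size_t build_sample(proc_info_t *recs, size_t n, const char *const *names) {
    for (size_t i = 0; i < n; i++) {
        memset(&recs[i], 0, sizeof(recs[i]));
        recs[i].NextEntryOffset = (i + 1 < n) ? (uint32_t)sizeof(proc_info_t) : 0;
        recs[i].NumberOfThreads = 1;
        strncpy(recs[i].ImageName, names[i], sizeof(recs[i].ImageName) - 1);
    }
    return n * sizeof(proc_info_t);
}

int main(void) {
    static const char *const names[] = {
        "System", "cheat.exe", "csrss.exe", "cheat.exe", "cheat.exe", "game.exe"
    };
    proc_info_t buf[6];
    size_t len = build_sample(buf, 6, names);
    size_t removed = hide_process(buf, len, "cheat.exe");
    const char *out[6];
    size_t n = list_processes(buf, out, 6);
    printf("removed %zu, %zu remain:", removed, n);
    for (size_t i = 0; i < n; i++)
        printf(" %s", out[i]);
    printf("\n");
    return 0;
}
```

The same forward walk, without the unlinking, is what a detection routine uses to compare the buffer against its own view of the process list, so the offsets have to stay internally consistent after filtering; an off-by-one in the relinked offset shows up as a truncated or garbage record on the very next query.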

ObRegisterCallbacks

Battleye blocks conventional usermode access to the game process via ObRegisterCallbacks: its pre-operation callback runs whenever a handle to the process is created or duplicated and strips the access rights a cheat needs (see _xeroxz's notes on PROCESS_VM_OPERATION above), so the handle OpenProcess() gives you cannot be used to read or write memory or attach a debugger. This was one of the first things implemented in Battleye. To circumvent it you need to hook their driver, collide with their callbacks (ObRegisterCallbacks refuses a second registration at the same altitude, so a driver that registers at BE's altitude before BEDaisy loads stops BE's callbacks from being installed), or simply remove their callbacks. Read Douggem's article.

You can see it being called in @iPower 's log
Code:
[ LuluVisor ] TM -> KM Transition! Function called: ObRegisterCallbacks
[ LuluVisor ] Function called at: BEDaisy.sys+0028919c
In the past this was all that was needed to attach Cheat Engine to the game, but Battleye has been updated many times since this was implemented and its protection has been improved over many years; just fixing ObRegisterCallbacks is no longer enough to bypass.

Bypass Process & Thread Callbacks

Here is driver source code from anher0 that disables (and can later restore) Battleye's process and thread object callbacks:
C++:
#include <ntifs.h>
#include <windef.h>

// I/O control codes shared with the usermode controller.
#define REMOVE_BEOBJECT_CALLBACKS_IOCTL  CTL_CODE(FILE_DEVICE_KS, 0x806, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
#define RESTORE_BEOBJECT_CALLBACKS_IOCTL CTL_CODE(FILE_DEVICE_KS, 0x807, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)

// Altitude string Battleye passes to ObRegisterCallbacks; it is how we pick
// BEDaisy's registration out of an object type's callback list.
#define BE_CALLBACK_ALTITUDE L"363220"

// Global pointer to our device object.
PDEVICE_OBJECT deviceObj = NULL;

typedef unsigned __int64 QWORD;

// Battleye's original callback pointers, handed back to usermode so they can
// be put back with the restore IOCTL.
typedef struct _OLD_CALLBACKS {
    QWORD PreOperationProc;
    QWORD PostOperationProc;
    QWORD PreOperationThread;
    QWORD PostOperationThread;
} OLD_CALLBACKS, *POLD_CALLBACKS;

// Undocumented: header of the registration handle ObRegisterCallbacks returns.
typedef struct _CALLBACK_ENTRY {
    WORD Version;                    // 0x0
    WORD OperationRegistrationCount; // 0x2
    DWORD unk1;                      // 0x4
    PVOID RegistrationContext;       // 0x8
    UNICODE_STRING Altitude;         // 0x10
} CALLBACK_ENTRY, *PCALLBACK_ENTRY;  // header size 0x20; the CALLBACK_ENTRY_ITEM array follows it

// Undocumented: one node in an OBJECT_TYPE's CallbackList (size 0x40).
typedef struct _CALLBACK_ENTRY_ITEM {
    LIST_ENTRY CallbackList;                   // 0x0
    OB_OPERATION Operations;                   // 0x10
    DWORD Active;                              // 0x14
    CALLBACK_ENTRY *CallbackEntry;             // 0x18
    PVOID ObjectType;                          // 0x20
    POB_PRE_OPERATION_CALLBACK PreOperation;   // 0x28
    POB_POST_OPERATION_CALLBACK PostOperation; // 0x30
    QWORD unk1;                                // 0x38
} CALLBACK_ENTRY_ITEM, *PCALLBACK_ENTRY_ITEM;

// Replacement callbacks: let every operation through untouched, do nothing afterwards.
OB_PREOP_CALLBACK_STATUS DummyObjectPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation) {
    UNREFERENCED_PARAMETER(RegistrationContext);
    UNREFERENCED_PARAMETER(OperationInformation);
    return OB_PREOP_SUCCESS;
}

VOID DummyObjectPostCallback(PVOID RegistrationContext, POB_POST_OPERATION_INFORMATION OperationInformation) {
    UNREFERENCED_PARAMETER(RegistrationContext);
    UNREFERENCED_PARAMETER(OperationInformation);
}

// Find the offset of OBJECT_TYPE::CallbackList by scanning *PsProcessType for a
// LIST_ENTRY whose first node carries an ObjectType field pointing back at the
// type. The layout is undocumented and moves between Windows builds, hence the
// scan rather than a hardcoded offset. Returns 0 when nothing matches.
QWORD GetCallbackListOffset(void) {
    POBJECT_TYPE procType = *PsProcessType;
    if (!procType || !MmIsAddressValid((void*)procType))
        return 0;

    __try {
        for (int i = 0xF8; i > 0; i -= 8) {
            QWORD first = *(QWORD*)((QWORD)procType + i);
            QWORD second = *(QWORD*)((QWORD)procType + (i + 8));
            if (!first || !MmIsAddressValid((void*)first) || !second || !MmIsAddressValid((void*)second))
                continue;

            // Candidate Flink must itself look like a LIST_ENTRY with valid links.
            QWORD nodeFlink = *(QWORD*)(first + 0x0), nodeBlink = *(QWORD*)(first + 0x8);
            if (!nodeFlink || !MmIsAddressValid((void*)nodeFlink) || !nodeBlink || !MmIsAddressValid((void*)nodeBlink))
                continue;

            if (*(QWORD*)(first + 0x20) == (QWORD)procType) // CALLBACK_ENTRY_ITEM::ObjectType
                return (QWORD)i;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
    }
    return 0;
}

// Walk one object type's callback list looking for Battleye's altitude. With
// restore == FALSE the pre/post callbacks are saved to *savedPre/*savedPost and
// swapped for the dummies; with restore == TRUE the saved pointers go back.
// The list head lives inside the OBJECT_TYPE and is not a CALLBACK_ENTRY_ITEM,
// so the walk ends when a link returns to the head rather than treating the
// head as an entry. The kernel guards this list with a lock it does not
// export, and swapping pointers in place leaves Battleye free to integrity
// check its own registration, so on current BE versions this alone is not
// enough (see above).
static void PatchTypeCallbacks(POBJECT_TYPE type, QWORD *savedPre, QWORD *savedPost, BOOLEAN restore) {
    UNICODE_STRING beAltitude = RTL_CONSTANT_STRING(BE_CALLBACK_ALTITUDE);

    if (!type || !MmIsAddressValid((void*)type))
        return;

    __try {
        QWORD callbackListOffset = GetCallbackListOffset();
        if (!callbackListOffset)
            return;

        LIST_ENTRY *head = (LIST_ENTRY*)((QWORD)type + callbackListOffset);
        for (LIST_ENTRY *link = head->Flink; link && link != head && MmIsAddressValid((void*)link); link = link->Flink) {
            CALLBACK_ENTRY_ITEM *item = CONTAINING_RECORD(link, CALLBACK_ENTRY_ITEM, CallbackList);
            if (!MmIsAddressValid((void*)item->CallbackEntry))
                continue;
            if (RtlCompareUnicodeString(&item->CallbackEntry->Altitude, &beAltitude, FALSE) != 0)
                continue; // not Battleye's registration

            if (restore) {
                if (item->PreOperation && *savedPre)
                    item->PreOperation = (POB_PRE_OPERATION_CALLBACK)*savedPre;
                if (item->PostOperation && *savedPost)
                    item->PostOperation = (POB_POST_OPERATION_CALLBACK)*savedPost;
            } else {
                if (item->PreOperation) {
                    *savedPre = (QWORD)item->PreOperation;
                    item->PreOperation = DummyObjectPreCallback;
                }
                if (item->PostOperation) {
                    *savedPost = (QWORD)item->PostOperation;
                    item->PostOperation = DummyObjectPostCallback;
                }
            }
            break;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
    }
}

void DisableBEObjectCallbacks(POLD_CALLBACKS oldCallbacks) {
    PatchTypeCallbacks(*PsProcessType, &oldCallbacks->PreOperationProc, &oldCallbacks->PostOperationProc, FALSE);
    PatchTypeCallbacks(*PsThreadType, &oldCallbacks->PreOperationThread, &oldCallbacks->PostOperationThread, FALSE);
}

void RestoreBEObjectCallbacks(POLD_CALLBACKS oldCallbacks) {
    PatchTypeCallbacks(*PsProcessType, &oldCallbacks->PreOperationProc, &oldCallbacks->PostOperationProc, TRUE);
    PatchTypeCallbacks(*PsThreadType, &oldCallbacks->PreOperationThread, &oldCallbacks->PostOperationThread, TRUE);
}

// IRP_MJ_DEVICE_CONTROL: METHOD_BUFFERED, so SystemBuffer holds both the input
// and the output. Buffer sizes are checked before anything is copied.
NTSTATUS IoReceived(PDEVICE_OBJECT pDeviceObject, PIRP Irp) {
    UNREFERENCED_PARAMETER(pDeviceObject);
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    ULONG code   = stack->Parameters.DeviceIoControl.IoControlCode;
    ULONG inLen  = stack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG outLen = stack->Parameters.DeviceIoControl.OutputBufferLength;
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
    ULONG_PTR info = 0;

    if (code == REMOVE_BEOBJECT_CALLBACKS_IOCTL) {
        if (outLen >= sizeof(OLD_CALLBACKS)) {
            OLD_CALLBACKS oldCallbacks = { 0 };
            DisableBEObjectCallbacks(&oldCallbacks);
            RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer, &oldCallbacks, sizeof(oldCallbacks));
            info = sizeof(oldCallbacks);
            status = STATUS_SUCCESS;
        } else {
            status = STATUS_BUFFER_TOO_SMALL;
        }
    } else if (code == RESTORE_BEOBJECT_CALLBACKS_IOCTL) {
        if (inLen >= sizeof(OLD_CALLBACKS)) {
            RestoreBEObjectCallbacks((POLD_CALLBACKS)Irp->AssociatedIrp.SystemBuffer);
            status = STATUS_SUCCESS;
        } else {
            status = STATUS_BUFFER_TOO_SMALL;
        }
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = info;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

// IRP_MJ_CREATE / IRP_MJ_CLOSE: nothing to do, but the IRP must still be
// completed or CreateFile() on the device never returns.
NTSTATUS CreateClose(PDEVICE_OBJECT pDeviceObject, PIRP Irp) {
    UNREFERENCED_PARAMETER(pDeviceObject);
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject) {
    UNICODE_STRING deviceSymLink = RTL_CONSTANT_STRING(L"\\DosDevices\\mmarkdrv");
    IoDeleteSymbolicLink(&deviceSymLink);
    if (pDriverObject->DeviceObject)
        IoDeleteDevice(pDriverObject->DeviceObject);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) {
    UNREFERENCED_PARAMETER(pRegistryPath);
    UNICODE_STRING deviceName    = RTL_CONSTANT_STRING(L"\\Device\\mmarkdrv");
    UNICODE_STRING deviceSymLink = RTL_CONSTANT_STRING(L"\\DosDevices\\mmarkdrv");

    NTSTATUS status = IoCreateDevice(pDriverObject, 0, &deviceName, FILE_DEVICE_KS, FILE_DEVICE_SECURE_OPEN, FALSE, &deviceObj);
    if (!NT_SUCCESS(status))
        return status;

    status = IoCreateSymbolicLink(&deviceSymLink, &deviceName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(deviceObj);
        return status;
    }

    pDriverObject->MajorFunction[IRP_MJ_CREATE]         = CreateClose;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE]          = CreateClose;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoReceived;
    pDriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}

LuluVisor BEDaisy Logs
Here is an example of some of iPower's logs from his hypervisor, which show you what BE is doing in Fortnite:
Code:
[ LuluVisor ]     PsGetThreadProcessId    -    BEDaisy.sys+002ad3ff
[ LuluVisor ]     IoThreadToProcess    -    BEDaisy.sys+002ad435
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad44c
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetThreadProcessId    -    BEDaisy.sys+002ad3ff
[ LuluVisor ]     IoThreadToProcess    -    BEDaisy.sys+002ad435
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad44c
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetThreadProcessId    -    BEDaisy.sys+002ad3ff
[ LuluVisor ]     IoThreadToProcess    -    BEDaisy.sys+002ad435
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad44c
[ LuluVisor ]     PsGetThreadProcessId    -    BEDaisy.sys+002ad3ff
[ LuluVisor ]     IoThreadToProcess    -    BEDaisy.sys+002ad435
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad44c
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetThreadProcessId    -    BEDaisy.sys+002ad3ff
[ LuluVisor ]     IoThreadToProcess    -    BEDaisy.sys+002ad435
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad44c
[ LuluVisor ]     PsGetThreadProcessId    -    BEDaisy.sys+002ad3ff
[ LuluVisor ]     IoThreadToProcess    -    BEDaisy.sys+002ad435
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad44c
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af705
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af747
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     KeReleaseMutex    -    BEDaisy.sys+002af75d
[ LuluVisor ]     ExFreePool    -    BEDaisy.sys+002af768
[ LuluVisor ]     KeWaitForMutexObject    -    BEDaisy.sys+002af773
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     KeReleaseMutex    -    BEDaisy.sys+002af829
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     ObfDereferenceObject    -    BEDaisy.sys+002af83f
[ LuluVisor ]     ZwClose    -    BEDaisy.sys+002af84a
[ LuluVisor ]     ZwQueryDirectoryObject    -    BEDaisy.sys+002af86b
[ LuluVisor ]     RtlCompareUnicodeString    -    BEDaisy.sys+002af5af
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     RtlInitUnicodeString    -    BEDaisy.sys+002af5d0
[ LuluVisor ]     ObOpenObjectByName    -    BEDaisy.sys+002af5f7
[ LuluVisor ]     ObReferenceObjectByHandle    -    BEDaisy.sys+002af602
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af60d
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af618
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af62e
[ LuluVisor ]     ZwOpenFile    -    BEDaisy.sys+002af655
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     ObReferenceObjectByHandle    -    BEDaisy.sys+002af660
[ LuluVisor ]     IoQueryFileDosDeviceName    -    BEDaisy.sys+002af66b
[ LuluVisor ]     ObfDereferenceObject    -    BEDaisy.sys+002af676
[ LuluVisor ]     ZwClose    -    BEDaisy.sys+002af681
[ LuluVisor ]     KeWaitForMutexObject    -    BEDaisy.sys+002af6ef
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af705
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af747
[ LuluVisor ]     KeReleaseMutex    -    BEDaisy.sys+002af75d
[ LuluVisor ]     ExFreePool    -    BEDaisy.sys+002af768
[ LuluVisor ]     KeWaitForMutexObject    -    BEDaisy.sys+002af773
[ LuluVisor ]     KeReleaseMutex    -    BEDaisy.sys+002af829
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     ObfDereferenceObject    -    BEDaisy.sys+002af83f
[ LuluVisor ]     ZwClose    -    BEDaisy.sys+002af84a
[ LuluVisor ]     ZwQueryDirectoryObject    -    BEDaisy.sys+002af86b
[ LuluVisor ]     RtlCompareUnicodeString    -    BEDaisy.sys+002af5af
[ LuluVisor ]     ZwQueryDirectoryObject    -    BEDaisy.sys+002af86b
[ LuluVisor ]     RtlCompareUnicodeString    -    BEDaisy.sys+002af5af
[ LuluVisor ]     RtlInitUnicodeString    -    BEDaisy.sys+002af5d0
[ LuluVisor ]     ObOpenObjectByName    -    BEDaisy.sys+002af5f7
[ LuluVisor ]     ObReferenceObjectByHandle    -    BEDaisy.sys+002af602
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af60d
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af618
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af62e
[ LuluVisor ]     ZwOpenFile    -    BEDaisy.sys+002af655
[ LuluVisor ]     ObReferenceObjectByHandle    -    BEDaisy.sys+002af660
[ LuluVisor ]     IoQueryFileDosDeviceName    -    BEDaisy.sys+002af66b
[ LuluVisor ]     ObfDereferenceObject    -    BEDaisy.sys+002af676
[ LuluVisor ]     ZwClose    -    BEDaisy.sys+002af681
[ LuluVisor ]     KeWaitForMutexObject    -    BEDaisy.sys+002af6ef
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af705
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af747
[ LuluVisor ]     KeReleaseMutex    -    BEDaisy.sys+002af75d
[ LuluVisor ]     ExFreePool    -    BEDaisy.sys+002af768
[ LuluVisor ]     KeWaitForMutexObject    -    BEDaisy.sys+002af773
[ LuluVisor ]     KeReleaseMutex    -    BEDaisy.sys+002af829

Temporary Battleye Bypass for improperly implemented anticheat
On a few games it has been possible to simply unload the BattlEye driver without the game shutting down. It's easy to do, but unlikely to work on most new games. @gulerardaeren posted this a while back; it has previously worked on Zula, Crossfire, Apex Legends and others.
  1. Open the game
  2. Open Process Hacker and find BEService.exe
  3. Right click BEService.exe and click Suspend (this requires administrator permission)
  4. Open Process Hunter and go to Kernel Module
  5. Find BEDaisy.sys, right click and click Unload Driver
  6. If they haven't patched this method, you can even use Cheat Engine

Dumped Modules
The first thing you need to do to reverse engineer BattlEye is to dump the kernel driver and the usermode modules from memory; you will find a couple of pre-made dumps below. Once you have the dumps, you can load them into IDA Pro and start looking around.

GH Battleye Bypass Resources

External Resources
The most important thing you can do to learn about BattlEye is to watch this video made by the DayZ developers about how BattlEye helps them stop cheaters. It is also an excellent video for anyone wanting to learn about anticheat in general.


Check out Douggem's site for good info and his video:

Credits: @iPower, @_xeroxz, douggem, vmcall & everyone at secret.club

Attachments

I have attached a bunch of files from GitHub and other places in case they get deleted; many of these are copies of the files in the links above.
 


Rake

I'm not your friend
Administrator
Jan 21, 2014
12,966
78,998
2,464
BattlEye client emulation - Bottleye

The popular anti-cheat BattlEye is widely used by modern online games such as Escape from Tarkov and is considered an industry standard anti-cheat by many. In this article I will demonstrate a method I have been utilizing for the past year, which enables you to play any BattlEye-protected game online without even having to install BattlEye.

BattlEye initialisation
BattlEye is dynamically loaded by the respective game on startup to initialize the software service (“BEService”) and kernel driver (“BEDaisy”). These two components are critical in ensuring the integrity of the game, but the most critical component by far is the usermode library (“BEClient”) that the game interacts with directly. This module exports two functions: GetVer and more importantly Init.

The Init routine is what the game will call, but this functionality has never been documented before, as people mostly focus on BEDaisy or their shellcode. Most important routines in BEClient, including Init, are protected and virtualised by VMProtect, which we are able to devirtualise and reverse engineer thanks to vtil by secret club member Can Boluk, but the inner workings of BEClient is a topic for a later part of this series, so here is a quick summary.

Init and its arguments have the following definitions:
C++:
#include <cstdint>

namespace battleye
{
    // Return value of Init
    enum instance_status
    {
        NONE,
        NOT_INITIALIZED,
        SUCCESSFULLY_INITIALIZED,
        DESTROYING,
        DESTROYED
    };

    // Filled in by the game: connection details and callbacks that BEClient calls into
    struct becl_game_data
    {
        char*         game_version;
        std::uint32_t address;
        std::uint16_t port;

        // FUNCTIONS
        using print_message_t = void(*)(char* message);
        print_message_t print_message;

        using request_restart_t = void(*)(std::uint32_t reason);
        request_restart_t request_restart;

        using send_packet_t = void(*)(void* packet, std::uint32_t length);
        send_packet_t send_packet;

        using disconnect_peer_t = void(*)(std::uint8_t* guid, std::uint32_t guid_length, char* reason);
        disconnect_peer_t disconnect_peer;
    };

    // Filled in by BEClient: callbacks the game invokes after initialisation
    struct becl_be_data
    {
        using exit_t = bool(*)();
        exit_t exit;

        using run_t = void(*)();
        run_t run;

        using command_t = void(*)(char* command);
        command_t command;

        using received_packet_t = void(*)(std::uint8_t* received_packet, std::uint32_t length);
        received_packet_t received_packet;

        using on_receive_auth_ticket_t = void(*)(std::uint8_t* ticket, std::uint32_t length);
        on_receive_auth_ticket_t on_receive_auth_ticket;

        using add_peer_t = void(*)(std::uint8_t* guid, std::uint32_t guid_length);
        add_peer_t add_peer;

        using remove_peer_t = void(*)(std::uint8_t* guid, std::uint32_t guid_length);
        remove_peer_t remove_peer;
    };
}

// BEClient_x64!Init
__declspec(dllexport)
battleye::instance_status Init(std::uint64_t integration_version,
                               battleye::becl_game_data* game_data,
                               battleye::becl_be_data* client_data);
As seen, these are quite simple containers for interoperability between the game and BEClient. becl_game_data is defined by the game and contains functions that BEClient needs to call (for example, send_packet) while becl_be_data is defined by BEClient and contains callbacks used by the game after initialisation (for example, received_packet). Note that these two structures slightly differ in some games that have special functionality, such as the recently introduced packet encryption in Escape from Tarkov that we’ve already cracked. Older versions of BattlEye (DayZ, Arma, etc.) use a completely different approach with function pointer swap hooks to intercept traffic communication, and therefore these structures don’t apply.


This article was written by vmcall; continue reading @ secret.club...

thesecretclub/BottlEye
 

Rake

I'm not your friend
Administrator
Jan 21, 2014
12,966
78,998
2,464
Bypassing BattlEye from user-mode

Today we’ll talk about how BattlEye does integrity checks for loaded images, as well as implementing a work-around for these checks.

Image integrity checks
BattlEye does checks on images that get loaded by opening a handle to the file on disk with CreateFile. Once this handle is open, it retrieves certificate details for the file and checks if it’s one of the blacklisted certificates. If it is, the file gets blocked from loading and BattlEye notifies you that a blacklisted file was attempting to load.

Continue reading @ secret.club - Bypassing BattlEye from user-mode

BattlEye reverse engineer tracking

Preface

Modern commercial anti-cheats are faced with increasing competitiveness in professional game-hack production, and thus have begun implementing questionable methods to prevent this. In this article, we will present a previously unknown anti-cheat module, pushed to a small fraction of the player base by the commercial anti-cheat BattlEye. The prevalent theory is that this module is specifically targeted against reverse engineers, to monitor the production of video game hacking tools, due to the fact that it is dynamically pushed.

Shellcode ??
The code snippets in this article are beautified decompilations of shellcode that we’ve dumped and deobfuscated from BattlEye...

Continue reading @ BattlEye reverse engineer tracking - secret.club

BattlEye anticheat: analysis and mitigation

BattlEye is a prevalent German third-party anti-cheat primarily developed by the 32-year-old founder Bastian Heiko Suter. It provides game publishers easy-to-use anti-cheat solutions, using generic protection mechanisms and game-specific detections to provide optimal security, or at least tries to. As their website states, they are always staying on top of state-of-the-art technologies and utilizing innovative methods of protection and detection, evidently due to their nationality: QUALITY MADE IN GERMANY. BattlEye consists of multiple organs that work together to catch and prevent cheaters in the respective games that pay them. The four main entities are:

  • BEService - Windows system service that communicates with the BattlEye server BEServer, which provides BEDaisy and BEClient server-client-communication capabilities.
  • BEDaisy - Windows kernel driver that registers preventive callbacks and minifilters to prevent cheaters from modifying the game illicitly.
  • BEClient - Windows dynamic link library that is responsible for most of the detection vectors, including the ones in this article. It is mapped into the game process after initialization.
  • BEServer - Proprietary backend-server that is responsible for collecting information and taking concrete actions against cheaters.
Shellcode
Recently, a dump of BattlEye’s shellcode surfaced on the internet, and we decided to make a write-up of what exactly the current iteration of BattlEye is actively looking for. We have not worked on BattlEye for the past 6 months, so the last piece of shellcode we have dumped is most likely obsolete. Miscellaneous parts of code were recognized completely from memory in this recent dump, suggesting that BattlEye only appends to the shellcode and does not remove previous detection procedures.

continue reading at secret.club...
 

Rake

I'm not your friend
Administrator
Jan 21, 2014
12,966
78,998
2,464
BattlEye shellcode updates

Anticheats change as time goes on, features come and go to maximize the efficiency of the product. I did a complete write-up of BattlEye’s shellcode a year ago on my blog, and this article will merely reflect the changes that have been made to said shellcode.

Blacklisted Timestamps
Last time I analyzed BattlEye, there were only two compile-time datestamps in the shadowban ban list, and it seems like they’ve decided to add a lot more:

  • 0x5B12C900 (action_x64.dll)
  • 0x5A180C35 (TerSafe.dll, Epic Games)
  • 0xFC9B9325 (?)
  • 0x456CED13 (d3dx9_32.dll)
  • 0x46495AD9 (d3dx9_34.dll)
  • 0x47CDEE2B (d3dx9_32.dll)
  • 0x469FF22E (d3dx9_35.dll)
  • 0x48EC3AD7 (D3DCompiler_40.dll)
  • 0x5A8E6020 (?)
  • 0x55C85371 (d3dx9_32.dll)
  • 0x456CED13 (?)
  • 0x46495AD9 (D3DCompiler_40.dll)
  • 0x47CDEE2B (D3DX9_37.dll)
  • 0x469FF22E (?)
  • 0x48EC3AD7 (?)
  • 0xFC9B9325 (?)
  • 0x5A8E6020 (?)
  • 0x55C85371 (?)

I’ve failed to identify the rest of the timestamps, and the two 0xF******* are hashes produced by visual studio reproducible builds. If anyone can identify the timestamps, please hit me up on twitter 🙂

Thanks to @mottikraus and T0B1 for identifying some of the timestamps.

continue reading @ secret.club...

Battleye Stack Walking

With game-hacking being a continuous cat and mouse game, rumours about new techniques spread like fire. As such, in this blog post we will take a look into one of the new heuristic techniques that BattlEye, a large anti-cheat provider, has recently added to its arsenal. Most widely known as stack walking, this is usually done by hooking a function and traversing the stack to find out who exactly is calling said function. Why would one do this? Just like any other program, video game hacks have a set of well-known functions that they utilize to get keyboard information, print to the console or calculate certain mathematical expressions. Video game hacks also like to attempt to hide their existence, be it in memory or on disk, so that the anti-cheat software does not find it. What these cheat programs forget is that they regularly call functions in other libraries, and this can be exploited to heuristically detect unknown cheats. By implementing a stack walking engine on prevalent functions like std::print, you will be able to find these cheats even if they disguise themselves.

BattlEye has implemented “stack walking”, even though this has not been publicly proved and prior to this article was just rumors. Note the quotes around stack walking, because what you will see here is not true stack walking, this is merely a return address check and a caller dump combined. A true stack walker would traverse the stack and generate a proper callstack.

continue reading @ secret.club...
 
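The blacklisted-timestamp list quoted above is a check on the PE header's TimeDateStamp field. The following is an added example (not code from the article, the thread or BattlEye) of how such a check is implemented: it parses IMAGE_FILE_HEADER.TimeDateStamp out of a PE image in memory and compares it against the stamps the excerpt lists. The PE image is constructed in memory for the demo, and the "reproducible-build hash" heuristic is this example's own interpretation of the excerpt's remark about the 0xF******* values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Compile-time stamps from the excerpt above (duplicates collapsed). */
static const uint32_t blacklisted_stamps[] = {
    0x5B12C900, 0x5A180C35, 0xFC9B9325, 0x456CED13, 0x46495AD9,
    0x47CDEE2B, 0x469FF22E, 0x48EC3AD7, 0x5A8E6020, 0x55C85371,
};

enum verdict { VERDICT_NOT_PE = -1, VERDICT_CLEAN = 0, VERDICT_BLACKLISTED = 1 };

/* PE fields are little-endian; read/write them byte-wise so host endianness does not matter. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Extract IMAGE_FILE_HEADER.TimeDateStamp from a PE image held in memory.
 * Layout: IMAGE_DOS_HEADER.e_lfanew at 0x3c -> "PE\0\0" -> IMAGE_FILE_HEADER
 * (Machine:2, NumberOfSections:2, TimeDateStamp:4, ...).
 * Returns 0 and sets *ok = 0 when the buffer is not a well-formed PE header. */
uint32_t pe_time_date_stamp(const uint8_t *img, size_t len, int *ok)
{
    *ok = 0;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return 0;
    uint32_t e_lfanew = rd32(img + 0x3c);
    /* The 4-byte signature plus the 20-byte file header must fit inside the buffer. */
    if (e_lfanew > len - 24)
        return 0;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0)
        return 0;
    *ok = 1;
    return rd32(img + e_lfanew + 4 + 4);   /* +4 past the signature, +4 past Machine/NumberOfSections */
}

int stamp_is_blacklisted(uint32_t stamp)
{
    for (size_t i = 0; i < sizeof blacklisted_stamps / sizeof blacklisted_stamps[0]; i++)
        if (blacklisted_stamps[i] == stamp)
            return 1;
    return 0;
}

/* Reproducible builds store a hash in this field instead of a date, which is why the
 * excerpt's 0xF... entries cannot be identified as build times: a stamp more than a year
 * past `now` is not a real timestamp. Heuristic added for this example, not from the article. */
int stamp_is_repro_hash(uint32_t stamp, uint32_t now)
{
    return stamp > now + 365u * 24u * 3600u;
}

enum verdict check_image(const uint8_t *img, size_t len)
{
    int ok;
    uint32_t stamp = pe_time_date_stamp(img, len, &ok);
    if (!ok)
        return VERDICT_NOT_PE;
    return stamp_is_blacklisted(stamp) ? VERDICT_BLACKLISTED : VERDICT_CLEAN;
}

/* Build a minimal, constructed PE header (not a real binary) carrying `stamp`. */
size_t make_test_image(uint8_t *out, size_t cap, uint32_t stamp)
{
    const uint32_t e_lfanew = 0x80;
    const size_t total = e_lfanew + 24;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    wr32(out + 0x3c, e_lfanew);
    memcpy(out + e_lfanew, "PE\0\0", 4);
    out[e_lfanew + 4] = 0x64; out[e_lfanew + 5] = 0x86;   /* Machine = IMAGE_FILE_MACHINE_AMD64 */
    wr32(out + e_lfanew + 8, stamp);
    return total;
}

/* Verdict for a constructed image carrying `stamp`. */
enum verdict verdict_for_stamp(uint32_t stamp)
{
    uint8_t buf[256];
    size_t n = make_test_image(buf, sizeof buf, stamp);
    return check_image(buf, n);
}

int main(void)
{
    const uint32_t probes[] = { 0x5B12C900, 0x60000000, 0xFC9B9325 };
    for (size_t i = 0; i < 3; i++)
        printf("stamp 0x%08X -> %s%s\n", probes[i],
               verdict_for_stamp(probes[i]) == VERDICT_BLACKLISTED ? "blacklisted" : "clean",
               stamp_is_repro_hash(probes[i], 1600000000u) ? " (reproducible-build hash, not a date)" : "");
    return 0;
}
```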

Rake

I'm not your friend
Administrator
Jan 21, 2014
12,966
78,998
2,464
Battleye Hypervisor Detection

The cat and mouse game of game-hacking continues to fuel the innovation of exploitation and mitigation. The usage of virtualization technology in game-hacking has exploded ever since copy-pastable hypervisors such as Satoshi Tanda’s DdiMon and Petr Beneš’ hvpp hit the scene. These two projects are being used by most of the paid cheats in the underground hacking scene, due to their low barrier of entry and extensive documentation. These releases have with high certainty sped up the hypervisor arms race that is now beginning to show its face in the gamehacking community. Here’s what the administrator at one of the world’s largest game-hacking communities, wlan, says about the situation:

With the advent of ready-made hypervisor solutions for game hacking it’s become unavoidable for anti-cheats such as BattlEye to focus on generic virtualization detections

The reason hypervisors are so widespread now is because of recent developments in kernel anti-cheats leaving very little room for hackers to modify games through traditional means. The popularity of hypervisors could be explained by the simplicity of evasion, since virtualization enables you to more easily hide information from the anti-cheat, through mechanisms such as syscall hooks and MMU virtualization.

BattlEye has recently implemented a detection of generic hypervisors such as the previously mentioned platforms (DdiMon, hvpp) using time-based detection. This detection aims to spot abnormal time values in the instruction CPUID. CPUID is a relatively cheap instruction on real hardware, and will generally only require two hundred cycles, whereas in a virtualized environment it may take up to ten times as long due to the overhead incurred by an introspective engine. An introspective engine is not like any real hardware which just performs the operation as is expected, it monitors and conditionally changes the data returned to the guest based on arbitrary criteria.

Fun fact: CPUID is commonly used in these time based detection routines because it is an unconditionally exiting instruction as well as an unprivileged serializing instruction. This means that CPUID acts as a ‘fence’ and ensures that instructions before or after it are completed and makes the timing independent of typical instruction reordering. One could use instructions like XSETBV which also unconditionally exits, but to ensure independent timing would need to use some sort of FENCE instruction so that no reordering occurs before or after that would affect the timing’s reliability.

continue reading @ secret.club...

BattlEye communication hook

To combat masses of video game hackers, anti cheat systems need to collect and process a lot of information from clients. This is usually done by sending everything to the servers for further analysis, which allows the attackers to circumvent these systems through interesting means, one of them being hijack of the communication routine.

If an anti cheat is trying to detect a certain cheat by, for example, the name of the process that hosts the cheat code, it will usually parse the entire process list and send it to the server. This way of outsourcing the processing prevents cheaters from reverse engineering the blacklisted process names, as all they can see is that the entire process list is sent to the anti cheat server. This is actually becoming more and more prevalent in the anti cheat community, which raises some serious privacy concerns, simply due to the sheer amount of information being sent to a foreign server.

BattlEye, one of the world’s most installed anti cheats, uses such a routine to send data to their master server over UDP. This function is usually referred to as battleye::send or battleye::report (as in my previous articles). It takes two parameters: buffer and size. Every single piece of information sent to the BattlEye servers is passed through this function, making it very lucrative for hackers to intercept, possibly circumventing every single protection as the game can’t report the anomalies if a hacker is the middleman of communications. Few cheat developers are actively using this method, as most of them lack the technical skills to reverse engineer and deobfuscate the dynamically streamed modules that BattlEye heavily relies on, but in this post I will shed some light on how this communication routine is being actively exploited, and how BattlEye has tried to mitigate it.

continue reading @ secret.club...

How Escape from Tarkov ensures game integrity

Game-hacking is an always-changing landscape, and this requires anti-cheat developers to innovate and implement unique, unidentified detection mechanisms. In this article I will shed some light on the mysterious routines that are getting hundreds of cheaters banned in Escape from Tarkov. So let’s start from the beginning.

Escape from Tarkov (herein “Tarkov”) runs on the game engine Unity through Mono, which opens up for some interesting security issues that game-hackers can abuse to gain an advantage while playing. First of all, the Unity game assemblies are very hard to integrity-check when they’ve been JIT-compiled. This is because you can’t simply store a hash value of the code, as the JIT-compiled methods might differ depending on what processor features are enabled.

This leaves the anti-cheat developers in a tough spot. It is not possible to ensure the integrity of JIT-compiler functions without either:
  • Initialising before the game does then hooking the responsible JIT-engine. This hook can be used to cache hashes for all compiled functions for later comparison
  • Resorting to alternative ways for ensuring game integrity, like checking image metadata.
BattlEye..?
While Tarkov actually has integrity checks (simple file hashing) in their Battlestate Games launcher application, this is trivial to patch out of the executable by opening the launcher executable in a tool like dnSpy and simply removing the entire thing. The fact that this integrity check (internally called “consistency check” in the launcher) was so easy to circumvent, enabled thousands of cheaters to simply patch the game assembly on disk. This could include features such as “wallhack”, “no recoil” et cetera.

It seems like Battlestate Games got tired of this vulnerability, and to fix it, they likely called up the developers of the commercial anti-cheat BattlEye, which they’ve been utilizing for quite some time now. This article will explore a previously-unknown anti-cheat module that is being dynamically streamed and executed to Tarkov players circa 15-20 minutes into their raids.

continue reading @ secret.club...

Cracking BattlEye packet encryption - Escape From Tarkov

Recently, Battlestate Games, the developers of Escape From Tarkov, hired BattlEye to implement encryption on networked packets so that cheaters can’t capture these packets, parse them and use them for their advantage in the form of radar cheats, or otherwise. Today we’ll go into detail about how we broke their encryption in a few hours.

Analysis of EFT
We started first by analyzing Escape From Tarkov itself. The game uses Unity Engine, which uses C#, an intermediate language, which means you can very easily view the source code behind the game by opening it in tools like ILDasm or dnSpy. Our tool of choice for this analysis was dnSpy.

Unity Engine, if not under the IL2CPP option, generates game files and places them under GAME_NAME_Data\Managed, in this case it’s EscapeFromTarkov_Data\Managed. This folder contains all the dependencies that the engine uses, including the file that contains the game’s code which is Assembly-CSharp.dll, we loaded this file in dnSpy then searched for the string encryption, which landed us here:



This segment is in a class called EFT.ChannelCombined, which is the class that handles networking as you can tell by the arguments passed to it:



Right clicking on channelCombined.bool_2, which is the variable they log as an indicator for whether encryption was enabled or not, then clicking Analyze, shows us that it’s referenced by 2 methods...

continue reading at secret.club....
 
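The hypervisor-detection excerpt above describes timing CPUID against a bare-metal baseline. As an added example (not code from the articles, the thread or BattlEye), the following C program implements that check: it times CPUID with RDTSC, takes the median of many samples so that a stray interrupt does not skew the result, and flags a median above ten times the ~200-cycle figure the excerpt quotes. The baseline and ratio are taken from the excerpt; the exact threshold, the constructed sample sets and the use of the median are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

/* Figures quoted in the excerpt: ~200 cycles on bare metal, up to 10x under an introspective
 * hypervisor. Treating exactly that ratio as the cut-off is an assumption of this example. */
#define BARE_METAL_CYCLES 200u
#define VM_RATIO          10u

/* One sample: TSC delta around a single CPUID (leaf 0). CPUID is serializing, so neither
 * RDTSC can be reordered across it, and it unconditionally exits to the hypervisor, so in a
 * VM the window includes the exit/re-entry cost. */
uint64_t time_cpuid_once(void)
{
#if HAVE_X86_CPUID
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
#else
    return 0;   /* not an x86 host: nothing to measure */
#endif
}

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median rather than mean: an interrupt or context switch inflates one sample, not the middle one. */
uint64_t median_cycles(const uint64_t *samples, size_t n)
{
    if (n == 0)
        return 0;
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy)
        return 0;
    for (size_t i = 0; i < n; i++)
        copy[i] = samples[i];
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = copy[n / 2];
    free(copy);
    return m;
}

/* 1 if the median CPUID cost exceeds the bare-metal figure by more than `ratio`. */
int looks_virtualized(uint64_t median, unsigned baseline, unsigned ratio)
{
    return median > (uint64_t)baseline * ratio;
}

/* Collect n live samples on this host and return their median (0 on non-x86). */
uint64_t probe_median(size_t n)
{
    uint64_t *s = malloc(n * sizeof *s);
    if (!s)
        return 0;
    for (size_t i = 0; i < n; i++)
        s[i] = time_cpuid_once();
    uint64_t m = median_cycles(s, n);
    free(s);
    return m;
}

/* Constructed sample sets (not measured): a bare-metal run with one interrupt outlier,
 * and a run under a hypervisor that traps CPUID. */
static const uint64_t constructed_bare[] = { 188, 194, 201, 199, 2050, 203, 197 };
static const uint64_t constructed_vm[]   = { 2310, 2402, 2298, 9000, 2377, 2355, 2410 };
#define N_CONSTRUCTED 7

int verdict_for(const uint64_t *samples, size_t n)
{
    return looks_virtualized(median_cycles(samples, n), BARE_METAL_CYCLES, VM_RATIO);
}
int constructed_bare_verdict(void)      { return verdict_for(constructed_bare, N_CONSTRUCTED); }
int constructed_vm_verdict(void)        { return verdict_for(constructed_vm, N_CONSTRUCTED); }
uint64_t constructed_bare_median(void)  { return median_cycles(constructed_bare, N_CONSTRUCTED); }

int main(void)
{
    printf("constructed bare-metal set -> %s\n", constructed_bare_verdict() ? "virtualized" : "bare metal");
    printf("constructed VM set         -> %s\n", constructed_vm_verdict() ? "virtualized" : "bare metal");
    uint64_t live = probe_median(1000);
    printf("this host: median %llu cycles -> %s\n", (unsigned long long)live,
           live == 0 ? "not measurable" :
           looks_virtualized(live, BARE_METAL_CYCLES, VM_RATIO) ? "looks virtualized" : "looks like bare metal");
    return 0;
}
```

On a cloud or desktop VM the live probe is expected to report "looks virtualized"; the check cannot tell a cheat hypervisor from an ordinary one, which is exactly the false-positive problem such heuristics carry.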

niceone

Newbie
Full Member
Mar 26, 2016
26
264
0
Hello,
I'm trying to bypass BattlEye (the AC from Rainbow Six Siege), so I can inject a DLL into the game.

If I try to inject with Extreme Injector, it says "Unable to find kernel32.dll in the specified process" - this should come from the memory protection of BE - if I disable the service I can inject the file without any problem.

I tried to bypass BE with PCHunter and signed DLLs - if BE detects PCHunter it kills itself (a bit confusing); if I try to inject the signed DLL (custom created Microsoft certificate) it still outputs the kernel32 error.

Can someone help me please?
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,313
37,938
271
Battleye blocks usermode access to a process by conventional means via ObRegisterCallbacks ( https://msdn.microsoft.com/en-us/library/windows/hardware/ff558692(v=vs.85).aspx )

In order to circumvent that, you'd want to find one of the methods that works in usermode, or write a driver and circumvent it that way, you can do that in a few ways, hook their driver, collide with their callbacks, or simply remove their callbacks ( https://douggemhax.wordpress.com/2015/05/27/obregistercallbacks-and-countermeasures/ )
 

iPower

Former game hacker
Escobar Tier VIP
Fleep Tier Donator
Jun 29, 2017
608
23,508
68
I'm currently reversing BE, ran my kernel tracer and logged everything to a file so I'm gonna post a dump for BEDaisy and some logs generated by the tracer, might help someone that's reversing it.
 


Rake

I'm not your friend
Administrator
Jan 21, 2014
12,966
78,998
2,464
I'm currently reversing BE, ran my kernel tracer and logged everything to a file so I'm gonna post a dump for BEDaisy and some logs generated by the tracer, might help someone that's reversing it.
Awesome dude, thanks for sharing
First thing I'd do is look at this
Code:
[ LuluVisor ] TM -> KM Transition! Function called: ObRegisterCallbacks
[ LuluVisor ] Function called at: BEDaisy.sys+0028919c
 

MiLkMaN

Newbie
Feb 3, 2016
3
32
0
Battleye blocks usermode access to a process by conventional means via ObRegisterCallbacks ( https://msdn.microsoft.com/en-us/library/windows/hardware/ff558692(v=vs.85).aspx )

In order to circumvent that, you'd want to find one of the methods that works in usermode, or write a driver and circumvent it that way, you can do that in a few ways, hook their driver, collide with their callbacks, or simply remove their callbacks ( https://douggemhax.wordpress.com/2015/05/27/obregistercallbacks-and-countermeasures/ )
Maybe this worked in Arma3, but it never worked in Rainbow Six. I tried the week they added BattlEye, you can't even join an online game if you block the callbacks this way.
 

iPower

Former game hacker
Escobar Tier VIP
Fleep Tier Donator
Jun 29, 2017
608
23,508
68
Wasn't going to post this because BattlEye sucks but here are some logs for Fortnite's BEDaisy (the BattlEye driver)

Full log in attachment, here is a sample:
Code:
00014836    4.13053322    [ LuluVisor ] PsGetThreadProcessId - BEDaisy.sys+002ad3ff
00014837    4.13055086    [ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002ad435
00014838    4.13056660    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad44c
00014839    4.13088560    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014840    4.13105822    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014841    4.13389587    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014842    4.13482237    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014843    4.13521767    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014844    4.13611221    [ LuluVisor ] PsGetThreadProcessId - BEDaisy.sys+002ad3ff
00014845    4.13613081    [ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002ad435
00014846    4.13614798    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad44c
00014847    4.13617611    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014848    4.13649130    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014849    4.13653374    [ LuluVisor ] PsGetThreadProcessId - BEDaisy.sys+002ad3ff
00014850    4.13656998    [ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002ad435
00014851    4.13659143    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad44c
00014852    4.13699818    [ LuluVisor ] PsGetThreadProcessId - BEDaisy.sys+002ad3ff
00014853    4.13701344    [ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002ad435
00014854    4.13702917    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad44c
00014855    4.13710880    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014856    4.13729477    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014857    4.13735914    [ LuluVisor ] PsGetThreadProcessId - BEDaisy.sys+002ad3ff
00014858    4.13737535    [ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002ad435
00014859    4.13739061    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad44c
00014860    4.13747358    [ LuluVisor ] PsGetThreadProcessId - BEDaisy.sys+002ad3ff
00014861    4.13748884    [ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002ad435
00014862    4.13750410    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad44c
00014863    4.13826370    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014864    4.13846731    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014865    4.13859940    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014866    4.13885021    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014867    4.13927364    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014868    4.13948727    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014869    4.13971090    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014870    4.13981819    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014871    4.13987064    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014872    4.13989210    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014873    4.13998890    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014874    4.14002800    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014875    4.14014053    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014876    4.14017868    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014877    4.14083862    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014878    4.14125109    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014879    4.14140081    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa

00014880    4.14149427    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014881    4.14154625    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014882    4.14163017    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014883    4.14212799    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014884    4.14282942    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014885    4.14314699    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014886    4.14318991    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af705
00014887    4.14319611    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014888    4.14328003    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af747
00014889    4.14370155    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014890    4.14395666    [ LuluVisor ] KeReleaseMutex - BEDaisy.sys+002af75d
00014891    4.14398813    [ LuluVisor ] ExFreePool - BEDaisy.sys+002af768
00014892    4.14402676    [ LuluVisor ] KeWaitForMutexObject - BEDaisy.sys+002af773
00014893    4.14420652    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014894    4.14444304    [ LuluVisor ] KeReleaseMutex - BEDaisy.sys+002af829
00014895    4.14446354    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014896    4.14448071    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014897    4.14449692    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014898    4.14451218    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014899    4.14452744    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014900    4.14454269    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014901    4.14454794    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014902    4.14458227    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014903    4.14461327    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014904    4.14462900    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014905    4.14464378    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014906    4.14465904    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014907    4.14467525    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014908    4.14469194    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014909    4.14470720    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014910    4.14472342    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014911    4.14473867    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014912    4.14475441    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014913    4.14476967    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014914    4.14478493    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014915    4.14480019    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014916    4.14481497    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014917    4.14483023    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014918    4.14484644    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014919    4.14486170    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014920    4.14487743    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014921    4.14489365    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014922    4.14490938    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014923    4.14492559    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014924    4.14496899    [ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002af83f
00014925    4.14500809    [ LuluVisor ] ZwClose - BEDaisy.sys+002af84a
00014926    4.14503860    [ LuluVisor ] ZwQueryDirectoryObject - BEDaisy.sys+002af86b
00014927    4.14509201    [ LuluVisor ] RtlCompareUnicodeString - BEDaisy.sys+002af5af
00014928    4.14514256    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014929    4.14520645    [ LuluVisor ] RtlInitUnicodeString - BEDaisy.sys+002af5d0
00014930    4.14524221    [ LuluVisor ] ObOpenObjectByName - BEDaisy.sys+002af5f7
00014931    4.14527512    [ LuluVisor ] ObReferenceObjectByHandle - BEDaisy.sys+002af602
00014932    4.14529896    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af60d
00014933    4.14532423    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af618
00014934    4.14536238    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af62e
00014935    4.14539719    [ LuluVisor ] ZwOpenFile - BEDaisy.sys+002af655
00014936    4.14546013    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014937    4.14546824    [ LuluVisor ] ObReferenceObjectByHandle - BEDaisy.sys+002af660
00014938    4.14549351    [ LuluVisor ] IoQueryFileDosDeviceName - BEDaisy.sys+002af66b
00014939    4.14554501    [ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002af676
00014940    4.14558697    [ LuluVisor ] ZwClose - BEDaisy.sys+002af681
00014941    4.14564180    [ LuluVisor ] KeWaitForMutexObject - BEDaisy.sys+002af6ef
00014942    4.14582062    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014943    4.14634514    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014944    4.14710379    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014945    4.14715338    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af705
00014946    4.14727926    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af747
00014947    4.14794207    [ LuluVisor ] KeReleaseMutex - BEDaisy.sys+002af75d
00014948    4.14797974    [ LuluVisor ] ExFreePool - BEDaisy.sys+002af768
00014949    4.14804506    [ LuluVisor ] KeWaitForMutexObject - BEDaisy.sys+002af773
00014950    4.14867640    [ LuluVisor ] KeReleaseMutex - BEDaisy.sys+002af829
00014951    4.14869499    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014952    4.14871168    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014953    4.14872646    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014954    4.14874172    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014955    4.14875746    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014956    4.14877272    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014957    4.14878798    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014958    4.14880323    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014959    4.14881897    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014960    4.14883423    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014961    4.14884901    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014962    4.14886427    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014963    4.14888048    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014964    4.14889574    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014965    4.14891100    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014966    4.14892578    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014967    4.14894104    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014968    4.14895630    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014969    4.14897203    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014970    4.14898729    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014971    4.14900303    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014972    4.14901829    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014973    4.14903355    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014974    4.14904881    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014975    4.14906454    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014976    4.14907932    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014977    4.14909458    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014978    4.14911032    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014979    4.14913607    [ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002af83f
00014980    4.14915943    [ LuluVisor ] ZwClose - BEDaisy.sys+002af84a
00014981    4.14919424    [ LuluVisor ] ZwQueryDirectoryObject - BEDaisy.sys+002af86b
00014982    4.14923191    [ LuluVisor ] RtlCompareUnicodeString - BEDaisy.sys+002af5af
00014983    4.14926767    [ LuluVisor ] ZwQueryDirectoryObject - BEDaisy.sys+002af86b
00014984    4.14929008    [ LuluVisor ] RtlCompareUnicodeString - BEDaisy.sys+002af5af
00014985    4.14940500    [ LuluVisor ] RtlInitUnicodeString - BEDaisy.sys+002af5d0
00014986    4.14944696    [ LuluVisor ] ObOpenObjectByName - BEDaisy.sys+002af5f7
00014987    4.14948988    [ LuluVisor ] ObReferenceObjectByHandle - BEDaisy.sys+002af602
00014988    4.14952040    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af60d
00014989    4.14966393    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af618
00014990    4.14970732    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af62e
00014991    4.14975548    [ LuluVisor ] ZwOpenFile - BEDaisy.sys+002af655
00014992    4.14995956    [ LuluVisor ] ObReferenceObjectByHandle - BEDaisy.sys+002af660
00014993    4.14998865    [ LuluVisor ] IoQueryFileDosDeviceName - BEDaisy.sys+002af66b
00014994    4.15011549    [ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002af676
00014995    4.15013981    [ LuluVisor ] ZwClose - BEDaisy.sys+002af681
00014996    4.15021420    [ LuluVisor ] KeWaitForMutexObject - BEDaisy.sys+002af6ef
00014997    4.15107632    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014998    4.15131855    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014999    4.15345526    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00015000    4.15591192    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00015001    4.15702868    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00015002    4.15706635    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af705
00015003    4.15718412    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af747
00015004    4.15768480    [ LuluVisor ] KeReleaseMutex - BEDaisy.sys+002af75d
00015005    4.15771389    [ LuluVisor ] ExFreePool - BEDaisy.sys+002af768
00015006    4.15774822    [ LuluVisor ] KeWaitForMutexObject - BEDaisy.sys+002af773
00015007    4.15825272    [ LuluVisor ] KeReleaseMutex - BEDaisy.sys+002af829
 


cNoEvil

Coder
Jun 6, 2016
You can't leave the callbacks disabled.
Here is what you do:

Disable callbacks.
Load your own driver to do read/write and have your external app talk to it.
Enable callbacks.
Join server.
 

XdarionX

Dying Light Hacker
Mar 30, 2018
I have just found this blog about BE, it contains a lot of good info...
Looks legit, the last post is only a week old!
 

XdarionX

Every time he posts something they patch it though, haha, but there is plenty of good info there. He's the person working with Riot's anticheat, I think he has something to do with their new kernel anticheat.
I just admire these people reversing high level anticheats and then releasing their reversals publicly even when they know it's gonna be patched (but anyway the logic of the AC remains the same).
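Added example, not code posted by anyone in this thread: the thread-origin check that @iPower's logs show BEDaisy running (Rake's post below: PsLookupThreadByThreadId followed by a RtlWalkFrameChain stack walk) reduced to its core logic, which is also the check that cNoEvil's "load your own driver" step above has to get past. The kernel calls themselves are not reproduced, so this compiles anywhere; the module ranges, thread IDs, start addresses and captured stack frames are constructed sample values, and module_for, thread_is_unbacked, scan_threads and run_sample are names chosen here, not anything from BEDaisy or from iPower's tooling.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Loaded kernel modules as the scanner would snapshot them from the loader's
 * module list. Bases and sizes are constructed sample values, not real ones. */
typedef struct {
    const char *name;
    uint64_t base;
    uint64_t size;
} kmodule_t;

static const kmodule_t g_modules[] = {
    { "ntoskrnl.exe", 0xfffff80000000000ull, 0x00a00000ull },
    { "BEDaisy.sys",  0xfffff80640000000ull, 0x00400000ull },
    { "storport.sys", 0xfffff80641000000ull, 0x00080000ull },
};
#define MODULE_COUNT (sizeof g_modules / sizeof g_modules[0])

/* One system thread as the scan sees it after PsLookupThreadByThreadId:
 * its thread ID, its start address, and the return addresses that a
 * RtlWalkFrameChain-style walk captured from its kernel stack. */
#define MAX_FRAMES 8
typedef struct {
    uint32_t tid;
    uint64_t start_address;
    uint64_t frames[MAX_FRAMES];
    size_t   frame_count;
} kthread_t;

/* Returns the module covering addr, or NULL when no loaded image does. */
static const kmodule_t *module_for(uint64_t addr)
{
    for (size_t i = 0; i < MODULE_COUNT; i++) {
        const kmodule_t *m = &g_modules[i];
        if (addr >= m->base && addr < m->base + m->size)
            return m;
    }
    return NULL;
}

/* A thread is "unbacked" when its start address or any captured frame lies
 * outside every loaded module, i.e. code running from a pool or manually
 * mapped allocation. The first such address is written to *offending. */
bool thread_is_unbacked(const kthread_t *t, uint64_t *offending)
{
    if (!module_for(t->start_address)) {
        if (offending) *offending = t->start_address;
        return true;
    }
    for (size_t i = 0; i < t->frame_count; i++) {
        if (!module_for(t->frames[i])) {
            if (offending) *offending = t->frames[i];
            return true;
        }
    }
    return false;
}

/* Walks a thread table and collects the TIDs that fail the check. Returns the
 * number flagged (may exceed max_out; only the first max_out are stored). */
size_t scan_threads(const kthread_t *threads, size_t n,
                    uint32_t *flagged, size_t max_out)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (thread_is_unbacked(&threads[i], NULL)) {
            if (hits < max_out) flagged[hits] = threads[i].tid;
            hits++;
        }
    }
    return hits;
}

/* Constructed sample threads. The 0xffffa380... addresses stand in for a pool
 * allocation that no module covers, which is what a manually mapped image
 * looks like to this scan. */
static const kthread_t g_sample_threads[] = {
    /* ordinary kernel worker: everything inside ntoskrnl */
    { 4,    0xfffff80000123456ull, { 0xfffff80000234567ull, 0xfffff80000345678ull }, 2 },
    /* BEDaisy's own scan thread: start in BEDaisy, returning into ntoskrnl */
    { 1234, 0xfffff806402b4651ull, { 0xfffff806402b4700ull, 0xfffff80000111111ull }, 2 },
    /* thread started directly inside an unbacked allocation */
    { 5678, 0xffffa3801f2a0000ull, { 0xffffa3801f2a1234ull, 0xfffff80000444444ull }, 2 },
    /* thread with a legitimate start routine but a frame in unbacked memory */
    { 9012, 0xfffff80000555555ull, { 0xffffa3801f2b0000ull, 0xfffff80000666666ull }, 2 },
};
#define SAMPLE_COUNT (sizeof g_sample_threads / sizeof g_sample_threads[0])

/* Runs the scan over the sample table; returns the number of flagged threads. */
size_t run_sample(uint32_t *flagged, size_t max_out)
{
    return scan_threads(g_sample_threads, SAMPLE_COUNT, flagged, max_out);
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        uint64_t bad = 0;
        const kthread_t *t = &g_sample_threads[i];
        if (thread_is_unbacked(t, &bad))
            printf("tid %u: FLAGGED, %#llx is not inside any loaded module\n",
                   t->tid, (unsigned long long)bad);
        else
            printf("tid %u: ok, start in %s\n", t->tid,
                   module_for(t->start_address)->name);
    }
    return 0;
}
```

The order of operations matches what the logged call sequence suggests: walk thread IDs, resolve each to its thread object, capture the start address and the return addresses on its stack, and flag any address that no entry in the loaded-module list covers. The fourth sample thread is the one worth noticing: a legitimate start routine does not help if a frame further down the stack points into unbacked memory. In the real driver the frame walk runs against a live thread, so a captured stack can be stale by the time it is checked, and the module list has to be read consistently with the loader; the fixed tables here sidestep both problems.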
 

Rake

@iPower shared some quick info with me regarding how they detect manually mapped drivers: they do so by searching for system threads which do not belong to any regular kernel module. You can find it in his logs by searching for PsLookupThreadByThreadId & RtlWalkFrameChain.

For example:
C++:
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b441b
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b443c
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b4450
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b45b9
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b441b
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b443c
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b4450
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b45b9
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b441b
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b443c
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b4450
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b45b9
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b441b
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b4708
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b4670
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b468d
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b4708
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b4670
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b468d
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b4708
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b4670
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b468d
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b4708
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b4670
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b468d
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b4708
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b4670
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b468d
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b4708
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b4670
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b468d
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b4708
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b4670
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b468d
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b4708
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b4670
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b468d
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b4708
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b4670
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b468d
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b4708
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b4670
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b468d
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b4708
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b4670
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b468d
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b4708
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b4670
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b468d
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b4708
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
C++:
[ LuluVisor ] ExAllocatePool - BEDaisy.sys+002afb9f
[ LuluVisor ] KeInitializeEvent - BEDaisy.sys+002afbe3
[ LuluVisor ] KeInitializeApc - BEDaisy.sys+002afc35
[ LuluVisor ] KeInsertQueueApc - BEDaisy.sys+002afc64
[ LuluVisor ] KeWaitForMutexObject - BEDaisy.sys+002afca2
[ LuluVisor ] RtlWalkFrameChain - BEDaisy.sys+002afa26
[ LuluVisor ] KeWaitForMutexObject - BEDaisy.sys+002afcdf
[ LuluVisor ] KeReleaseMutex - BEDaisy.sys+002b0814
[ LuluVisor ] ExFreePool - BEDaisy.sys+002b0896
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b08a5
[ LuluVisor ] KeWaitForMutexObject - BEDaisy.sys+002ab15d
[ LuluVisor ] KeWaitForMutexObject - BEDaisy.sys+002ab04d
[ LuluVisor ] KeReleaseMutex - BEDaisy.sys+002ab0f1
[ LuluVisor ] PsGetCurrentThreadId - BEDaisy.sys+002afb59
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002afb7a
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002aadb4
 

NoNameGod

Full Member
Oct 30, 2019
17
178
0
Hi,
I'm very new to reverse engineering anticheats, but my goal is to be able to analyse BattlEye myself. I wanted to dump BEClient_x64.dll, but it's of course protected at runtime. Any tips or projects I could use to be able to dump it? I'm still new to drivers, and I'm pretty sure their DLL is protected by Daisy, so I'm not sure I can even access the DLL from the kernel (I also don't want to get banned :) ). Any clues on how I should proceed?