Guide Anticheat Battleye Bypass Overview


Rake

Game Name: N/A
Anticheat: Battleye, duh!
How long you been coding/hacking?: N/A
Coding Language: N/A
Battleye Anticheat Introduction

Battleye is a popular, mature kernel mode anticheat. That makes it very difficult to bypass, for expert hackers only.

Battleye is used by many games:
ARMA II, ARMA III, DAYZ, H1Z1, Ark Survival Evolved, Survival of the Fittest, PlanetSide 2, Rainbow Six Siege, Survarium, Project Argo, Unturned, Insurgency, Day of Infamy, The Isle, Line of Sight, Conan Exiles, BlackShot, Tibia, PUBG, Black Squad, Phantomers, Fortnite, S4League, Zula, Islands of Nyne, BlackLight Retribution, SOS, PixARK, Heroes & Generals, Bless Online & more

We have two guides on general anticheat and general kernel mode drivers which preface this guide:
https://guidedhacking.com/threads/how-to-get-started-with-anticheat-bypass.9882/
https://guidedhacking.com/threads/kernel-mode-drivers-info-for-anticheat-bypass.11325/

Battleye Anticheat is a Kernel Mode Anticheat
Because it is a kernel mode anticheat, you will need to either be below the kernel via a hypervisor/virtual machine or be inside the kernel using a driver.

You can use a VM or hypervisor to dump the Battleye module or to reverse engineer it. Once you have reverse engineered it and you want to make a bypass for a game using the information you learned by reverse engineering Battleye, you have two choices:

Make a hack entirely in kernel or make a kernel driver which effectively bypasses Battleye, allowing your usermode module to work without being detected. Your kernel driver will have to allow you to read and write to the game process, maybe allow you to get a process handle so you can inject your DLL. Your bypass must not only bypass the things which block your ability to interact with the process but you must also hide your own hack module so they don't build a signature for your modules.

Battleye games don't allow you to run the game with driver signature enforcement disabled, so you can't simply write your own driver and hack the game. You would have to bypass that detection first. Alternatively you can buy your own code signing certificate but then you can get easily sigged.

Instead you want to use vulnerable drivers including Capcom and others to get your code into the kernel, then bypass Battleye and enable your code to access the game process.

Battleye Features

ObRegisterCallbacks

Battleye blocks conventional usermode access to a process via ObRegisterCallbacks. Essentially, when you call OpenProcess() it will not let you get a handle to the game process, so you can't read or write memory or attach a debugger. To circumvent that, you'd want to find one of the methods that works in usermode, or write a driver and circumvent it that way. There are a few ways to do that: hook their driver, collide with their callbacks, or simply remove their callbacks. Read Douggem's article.

You can see it being called in @iPower's log:
Code:
[ LuluVisor ] TM -> KM Transition! Function called: ObRegisterCallbacks
[ LuluVisor ] Function called at: BEDaisy.sys+0028919c
Battleye has been upgraded and updated, and its protection has been improved over many years. Just fixing ObRegisterCallbacks is no longer enough to bypass it on most games.

Here is driver source code from anher0 that disables the process and thread callbacks:
C++:
#include <ntifs.h>
#include <windef.h>

// Pre-Processor definitions for our I/O control codes.
#define REMOVE_BEOBJECT_CALLBACKS_IOCTL CTL_CODE(FILE_DEVICE_KS, 0x806, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)
#define RESTORE_BEOBJECT_CALLBACKS_IOCTL CTL_CODE(FILE_DEVICE_KS, 0x807, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)

// Global variable to our device.
PDEVICE_OBJECT deviceObj = NULL;

// QWORD
typedef unsigned __int64 QWORD;

// OLD_CALLBACKS
typedef struct _OLD_CALLBACKS {
    QWORD PreOperationProc;
    QWORD PostOperationProc;
    QWORD PreOperationThread;
    QWORD PostOperationThread;
} OLD_CALLBACKS, *POLD_CALLBACKS;

// CALLBACK_ENTRY
typedef struct _CALLBACK_ENTRY {
    WORD Version; // 0x0
    WORD OperationRegistrationCount; // 0x2
    DWORD unk1; // 0x4
    PVOID RegistrationContext; // 0x8
    UNICODE_STRING Altitude; // 0x10
} CALLBACK_ENTRY, *PCALLBACK_ENTRY; // header size: 0x20 (0x6C if you count the array afterwards - this is only the header. The array of CALLBACK_ENTRY_ITEMs is useless.)

// CALLBACK_ENTRY_ITEM
typedef struct _CALLBACK_ENTRY_ITEM {
    LIST_ENTRY CallbackList; // 0x0
    OB_OPERATION Operations; // 0x10
    DWORD Active; // 0x14
    CALLBACK_ENTRY *CallbackEntry; // 0x18
    PVOID ObjectType; // 0x20
    POB_PRE_OPERATION_CALLBACK PreOperation; // 0x28
    POB_POST_OPERATION_CALLBACK PostOperation; // 0x30
    QWORD unk1; // 0x38
} CALLBACK_ENTRY_ITEM, *PCALLBACK_ENTRY_ITEM; // size: 0x40

// Dummy object callback functions.
OB_PREOP_CALLBACK_STATUS DummyObjectPreCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation) {
    return(OB_PREOP_SUCCESS);
}
VOID DummyObjectPostCallback(PVOID RegistrationContext, POB_POST_OPERATION_INFORMATION OperationInformation) {
    return;
}

QWORD GetCallbackListOffset(void) {
    POBJECT_TYPE procType = *PsProcessType;

    __try {
        if (procType && MmIsAddressValid((void*)procType)) {
            for (int i = 0xF8; i > 0; i -= 8) {
                QWORD first = *(QWORD*)((QWORD)procType + i), second = *(QWORD*)((QWORD)procType + (i + 8));
                if (first && MmIsAddressValid((void*)first) && second && MmIsAddressValid((void*)second)) {
                    QWORD test1First = *(QWORD*)(first + 0x0), test1Second = *(QWORD*)(first + 0x8);
                    if (test1First && MmIsAddressValid((void*)test1First) && test1Second && MmIsAddressValid((void*)test1Second)) {
                        QWORD testObjectType = *(QWORD*)(first + 0x20);
                        if (testObjectType == (QWORD)procType)
                            return((QWORD)i);
                    }
                }
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        return(0);
    }
}

void DisableBEObjectCallbacks(POLD_CALLBACKS oldCallbacks) {
    POBJECT_TYPE procType = *PsProcessType;
    if (procType && MmIsAddressValid((void*)procType)) {
        __try {
            QWORD callbackListOffset = GetCallbackListOffset();
            if (callbackListOffset && MmIsAddressValid((void*)((QWORD)procType + callbackListOffset))) {
                LIST_ENTRY *callbackList = (LIST_ENTRY*)((QWORD)procType + callbackListOffset);
                if (callbackList->Flink && MmIsAddressValid((void*)callbackList->Flink)) {
                    CALLBACK_ENTRY_ITEM *firstCallback = (CALLBACK_ENTRY_ITEM*)callbackList->Flink;
                    CALLBACK_ENTRY_ITEM *curCallback = firstCallback;

                    do {
                        // Make sure the callback is valid.
                        if (curCallback && MmIsAddressValid((void*)curCallback) && MmIsAddressValid((void*)curCallback->CallbackEntry)) {
                            ANSI_STRING altitudeAnsi = { 0 };
                            UNICODE_STRING altitudeUni = curCallback->CallbackEntry->Altitude;
                            RtlUnicodeStringToAnsiString(&altitudeAnsi, &altitudeUni, 1);

                            if (!strcmp(altitudeAnsi.Buffer, "363220")) { // Check if this is BattlEye. If it is, disable the callback.
                                if (curCallback->PreOperation) {
                                    oldCallbacks->PreOperationProc = (QWORD)curCallback->PreOperation;
                                    curCallback->PreOperation = DummyObjectPreCallback;
                                }
                                if (curCallback->PostOperation) {
                                    oldCallbacks->PostOperationProc = (QWORD)curCallback->PostOperation;
                                    curCallback->PostOperation = DummyObjectPostCallback;
                                }
                                RtlFreeAnsiString(&altitudeAnsi);
                                break;
                            }

                            RtlFreeAnsiString(&altitudeAnsi);
                        }

                        // Get the next callback.
                        curCallback = curCallback->CallbackList.Flink;
                    } while (curCallback != firstCallback);
                }
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            return;
        }
    }

    POBJECT_TYPE threadType = *PsThreadType;
    if (threadType && MmIsAddressValid((void*)threadType)) {
        __try {
            QWORD callbackListOffset = GetCallbackListOffset();
            if (callbackListOffset && MmIsAddressValid((void*)((QWORD)threadType + callbackListOffset))) {
                LIST_ENTRY *callbackList = (LIST_ENTRY*)((QWORD)threadType + callbackListOffset);
                if (callbackList->Flink && MmIsAddressValid((void*)callbackList->Flink)) {
                    CALLBACK_ENTRY_ITEM *firstCallback = (CALLBACK_ENTRY_ITEM*)callbackList->Flink;
                    CALLBACK_ENTRY_ITEM *curCallback = firstCallback;

                    do {
                        // Make sure the callback is valid.
                        if (curCallback && MmIsAddressValid((void*)curCallback) && MmIsAddressValid((void*)curCallback->CallbackEntry)) {
                            ANSI_STRING altitudeAnsi = { 0 };
                            UNICODE_STRING altitudeUni = curCallback->CallbackEntry->Altitude;
                            RtlUnicodeStringToAnsiString(&altitudeAnsi, &altitudeUni, 1);

                            if (!strcmp(altitudeAnsi.Buffer, "363220")) { // Check if this is BattlEye. If it is, disable the callback.
                                if (curCallback->PreOperation) {
                                    oldCallbacks->PreOperationThread = (QWORD)curCallback->PreOperation;
                                    curCallback->PreOperation = DummyObjectPreCallback;
                                }
                                if (curCallback->PostOperation) {
                                    oldCallbacks->PostOperationThread = (QWORD)curCallback->PostOperation;
                                    curCallback->PostOperation = DummyObjectPostCallback;
                                }
                                RtlFreeAnsiString(&altitudeAnsi);
                                break;
                            }

                            RtlFreeAnsiString(&altitudeAnsi);
                        }

                        // Get the next callback.
                        curCallback = curCallback->CallbackList.Flink;
                    } while (curCallback != firstCallback);
                }
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            return;
        }
    }
}

void RestoreBEObjectCallbacks(POLD_CALLBACKS oldCallbacks) {
    POBJECT_TYPE procType = *PsProcessType;
    if (procType && MmIsAddressValid((void*)procType)) {
        __try {
            QWORD callbackListOffset = GetCallbackListOffset();
            if (callbackListOffset && MmIsAddressValid((void*)((QWORD)procType + callbackListOffset))) {
                LIST_ENTRY *callbackList = (LIST_ENTRY*)((QWORD)procType + callbackListOffset);
                if (callbackList->Flink && MmIsAddressValid((void*)callbackList->Flink)) {
                    CALLBACK_ENTRY_ITEM *firstCallback = (CALLBACK_ENTRY_ITEM*)callbackList->Flink;
                    CALLBACK_ENTRY_ITEM *curCallback = firstCallback;

                    do {
                        // Make sure the callback is valid.
                        if (curCallback && MmIsAddressValid((void*)curCallback) && MmIsAddressValid((void*)curCallback->CallbackEntry)) {
                            ANSI_STRING altitudeAnsi = { 0 };
                            UNICODE_STRING altitudeUni = curCallback->CallbackEntry->Altitude;
                            RtlUnicodeStringToAnsiString(&altitudeAnsi, &altitudeUni, 1);

                            if (!strcmp(altitudeAnsi.Buffer, "363220")) { // Check if this is BattlEye. If it is, restore the callback.
                                if (curCallback->PreOperation && oldCallbacks->PreOperationProc)
                                    curCallback->PreOperation = (POB_PRE_OPERATION_CALLBACK)oldCallbacks->PreOperationProc;
                                if (curCallback->PostOperation && oldCallbacks->PostOperationProc)
                                    curCallback->PostOperation = (POB_POST_OPERATION_CALLBACK)oldCallbacks->PostOperationProc;
                                RtlFreeAnsiString(&altitudeAnsi);
                                break;
                            }

                            RtlFreeAnsiString(&altitudeAnsi);
                        }

                        // Get the next callback.
                        curCallback = curCallback->CallbackList.Flink;
                    } while (curCallback != firstCallback);
                }
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            return;
        }
    }

    POBJECT_TYPE threadType = *PsThreadType;
    if (threadType && MmIsAddressValid((void*)threadType)) {
        __try {
            QWORD callbackListOffset = GetCallbackListOffset();
            if (callbackListOffset && MmIsAddressValid((void*)((QWORD)threadType + callbackListOffset))) {
                LIST_ENTRY *callbackList = (LIST_ENTRY*)((QWORD)threadType + callbackListOffset);
                if (callbackList->Flink && MmIsAddressValid((void*)callbackList->Flink)) {
                    CALLBACK_ENTRY_ITEM *firstCallback = (CALLBACK_ENTRY_ITEM*)callbackList->Flink;
                    CALLBACK_ENTRY_ITEM *curCallback = firstCallback;

                    do {
                        // Make sure the callback is valid.
                        if (curCallback && MmIsAddressValid((void*)curCallback) && MmIsAddressValid((void*)curCallback->CallbackEntry)) {
                            ANSI_STRING altitudeAnsi = { 0 };
                            UNICODE_STRING altitudeUni = curCallback->CallbackEntry->Altitude;
                            RtlUnicodeStringToAnsiString(&altitudeAnsi, &altitudeUni, 1);

                            if (!strcmp(altitudeAnsi.Buffer, "363220")) { // Check if this is BattlEye. If it is, restore the callback.
                                if (curCallback->PreOperation && oldCallbacks->PreOperationThread)
                                    curCallback->PreOperation = (POB_PRE_OPERATION_CALLBACK)oldCallbacks->PreOperationThread;
                                if (curCallback->PostOperation && oldCallbacks->PostOperationThread)
                                    curCallback->PostOperation = (POB_POST_OPERATION_CALLBACK)oldCallbacks->PostOperationThread;
                                RtlFreeAnsiString(&altitudeAnsi);
                                break;
                            }

                            RtlFreeAnsiString(&altitudeAnsi);
                        }

                        // Get the next callback.
                        curCallback = curCallback->CallbackList.Flink;
                    } while (curCallback != firstCallback);
                }
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            return;
        }
    }
}

NTSTATUS ioRecieved(PDEVICE_OBJECT pDeviceObject, PIRP IRP) {
    PIO_STACK_LOCATION pIoStackLocation = IoGetCurrentIrpStackLocation(IRP);
    size_t size = 0;

    // Handle the I/O request if we need to.
    if (pIoStackLocation->Parameters.DeviceIoControl.IoControlCode == REMOVE_BEOBJECT_CALLBACKS_IOCTL){
        OLD_CALLBACKS oldCallbacks = { 0 };
        DisableBEObjectCallbacks(&oldCallbacks);
        memcpy(IRP->AssociatedIrp.SystemBuffer, &oldCallbacks, sizeof(OLD_CALLBACKS));
        size = sizeof(OLD_CALLBACKS);
    }
    if (pIoStackLocation->Parameters.DeviceIoControl.IoControlCode == RESTORE_BEOBJECT_CALLBACKS_IOCTL) {
        RestoreBEObjectCallbacks((POLD_CALLBACKS)IRP->AssociatedIrp.SystemBuffer);
        size = 0;
    }

    // Finish off.
    IRP->IoStatus.Status = STATUS_SUCCESS;
    IRP->IoStatus.Information = size;
    IofCompleteRequest(IRP, IO_NO_INCREMENT);
    return(STATUS_SUCCESS);
}

NTSTATUS CatchCreate(PDRIVER_OBJECT pDriverObject) {
    return(STATUS_SUCCESS);
}

NTSTATUS CatchClose(PDRIVER_OBJECT pDriverObject) {
    return(STATUS_SUCCESS);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) {
    // Create the device and get everything set up.
    UNICODE_STRING deviceNameUnicodeString = { 0 }, deviceSymLinkUnicodeString = { 0 };
    RtlInitUnicodeString(&deviceNameUnicodeString, L"\\Device\\mmarkdrv");
    RtlInitUnicodeString(&deviceSymLinkUnicodeString, L"\\DosDevices\\mmarkdrv");
    IoCreateDevice(pDriverObject, 0, &deviceNameUnicodeString, FILE_DEVICE_KS, FILE_DEVICE_SECURE_OPEN, 0, &deviceObj);
    IoCreateSymbolicLink(&deviceSymLinkUnicodeString, &deviceNameUnicodeString);

    // Get all the major functions set up.
    pDriverObject->MajorFunction[IRP_MJ_CREATE] = CatchCreate;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CatchClose;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ioRecieved;

    return(STATUS_SUCCESS);
}
Battleye blacklists certain modules, using different signatures such as timestamps to identify them.

Here is an example of some of iPower's logs from his hypervisor, which show you what BE is doing in Fortnite:

Code:
[ LuluVisor ]     PsGetThreadProcessId    -    BEDaisy.sys+002ad3ff
[ LuluVisor ]     IoThreadToProcess    -    BEDaisy.sys+002ad435
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad44c
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetThreadProcessId    -    BEDaisy.sys+002ad3ff
[ LuluVisor ]     IoThreadToProcess    -    BEDaisy.sys+002ad435
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad44c
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetThreadProcessId    -    BEDaisy.sys+002ad3ff
[ LuluVisor ]     IoThreadToProcess    -    BEDaisy.sys+002ad435
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad44c
[ LuluVisor ]     PsGetThreadProcessId    -    BEDaisy.sys+002ad3ff
[ LuluVisor ]     IoThreadToProcess    -    BEDaisy.sys+002ad435
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad44c
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetThreadProcessId    -    BEDaisy.sys+002ad3ff
[ LuluVisor ]     IoThreadToProcess    -    BEDaisy.sys+002ad435
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad44c
[ LuluVisor ]     PsGetThreadProcessId    -    BEDaisy.sys+002ad3ff
[ LuluVisor ]     IoThreadToProcess    -    BEDaisy.sys+002ad435
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad44c
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af705
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af747
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     KeReleaseMutex    -    BEDaisy.sys+002af75d
[ LuluVisor ]     ExFreePool    -    BEDaisy.sys+002af768
[ LuluVisor ]     KeWaitForMutexObject    -    BEDaisy.sys+002af773
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     KeReleaseMutex    -    BEDaisy.sys+002af829
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     ObfDereferenceObject    -    BEDaisy.sys+002af83f
[ LuluVisor ]     ZwClose    -    BEDaisy.sys+002af84a
[ LuluVisor ]     ZwQueryDirectoryObject    -    BEDaisy.sys+002af86b
[ LuluVisor ]     RtlCompareUnicodeString    -    BEDaisy.sys+002af5af
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     RtlInitUnicodeString    -    BEDaisy.sys+002af5d0
[ LuluVisor ]     ObOpenObjectByName    -    BEDaisy.sys+002af5f7
[ LuluVisor ]     ObReferenceObjectByHandle    -    BEDaisy.sys+002af602
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af60d
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af618
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af62e
[ LuluVisor ]     ZwOpenFile    -    BEDaisy.sys+002af655
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     ObReferenceObjectByHandle    -    BEDaisy.sys+002af660
[ LuluVisor ]     IoQueryFileDosDeviceName    -    BEDaisy.sys+002af66b
[ LuluVisor ]     ObfDereferenceObject    -    BEDaisy.sys+002af676
[ LuluVisor ]     ZwClose    -    BEDaisy.sys+002af681
[ LuluVisor ]     KeWaitForMutexObject    -    BEDaisy.sys+002af6ef
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af705
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af747
[ LuluVisor ]     KeReleaseMutex    -    BEDaisy.sys+002af75d
[ LuluVisor ]     ExFreePool    -    BEDaisy.sys+002af768
[ LuluVisor ]     KeWaitForMutexObject    -    BEDaisy.sys+002af773
[ LuluVisor ]     KeReleaseMutex    -    BEDaisy.sys+002af829
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002b29b3
[ LuluVisor ]     ObfDereferenceObject    -    BEDaisy.sys+002af83f
[ LuluVisor ]     ZwClose    -    BEDaisy.sys+002af84a
[ LuluVisor ]     ZwQueryDirectoryObject    -    BEDaisy.sys+002af86b
[ LuluVisor ]     RtlCompareUnicodeString    -    BEDaisy.sys+002af5af
[ LuluVisor ]     ZwQueryDirectoryObject    -    BEDaisy.sys+002af86b
[ LuluVisor ]     RtlCompareUnicodeString    -    BEDaisy.sys+002af5af
[ LuluVisor ]     RtlInitUnicodeString    -    BEDaisy.sys+002af5d0
[ LuluVisor ]     ObOpenObjectByName    -    BEDaisy.sys+002af5f7
[ LuluVisor ]     ObReferenceObjectByHandle    -    BEDaisy.sys+002af602
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af60d
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af618
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af62e
[ LuluVisor ]     ZwOpenFile    -    BEDaisy.sys+002af655
[ LuluVisor ]     ObReferenceObjectByHandle    -    BEDaisy.sys+002af660
[ LuluVisor ]     IoQueryFileDosDeviceName    -    BEDaisy.sys+002af66b
[ LuluVisor ]     ObfDereferenceObject    -    BEDaisy.sys+002af676
[ LuluVisor ]     ZwClose    -    BEDaisy.sys+002af681
[ LuluVisor ]     KeWaitForMutexObject    -    BEDaisy.sys+002af6ef
[ LuluVisor ]     PsGetProcessInheritedFromUniqueProcessId    -    BEDaisy.sys+002ad08d
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af6fa
[ LuluVisor ]     _wcsnicmp    -    BEDaisy.sys+002af705
[ LuluVisor ]     MmIsAddressValid    -    BEDaisy.sys+002af747
[ LuluVisor ]     KeReleaseMutex    -    BEDaisy.sys+002af75d
[ LuluVisor ]     ExFreePool    -    BEDaisy.sys+002af768
[ LuluVisor ]     KeWaitForMutexObject    -    BEDaisy.sys+002af773
[ LuluVisor ]     KeReleaseMutex    -    BEDaisy.sys+002af829
Detection of Manually Mapped Drivers
@iPower shared some quick info with me regarding how they detect manually mapped drivers: they do so by searching for system threads which do not belong to any regular kernel module. You can find it in his logs by searching for PsLookupThreadByThreadId & RtlWalkFrameChain.
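
Both this check and the callback swap in the driver source above come down to asking which loaded image an address belongs to. The following C model is an added example, not BattlEye's code or anything from the original post: it flags stack return addresses (as RtlWalkFrameChain would capture them) that no module backs, and callback pointers that have left the image that registered them. Module names, bases, sizes and addresses are constructed sample values, and thirdparty.sys is a hypothetical name.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One loaded kernel image covering [base, base + size). */
typedef struct { const char *name; uint64_t base, size; } module_range;

/* A registered object callback: who registered it and where it points now. */
typedef struct {
    const char *altitude;    /* "363220" is the value the driver above matches on */
    const char *registrant;  /* image recorded at registration time */
    uint64_t pre_op, post_op;
} callback_record;

typedef enum { PTR_OK = 0, PTR_REDIRECTED = 1, PTR_UNBACKED = 2 } ptr_verdict;

/* Return the image containing addr, or NULL when no loaded image backs it. */
static const module_range *owner_of(const module_range *mods, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        /* Compare the offset, not base + size, so the sum cannot wrap. */
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return &mods[i];
    return NULL;
}

/* Manual-map check: count captured return addresses that no image backs. */
size_t count_unbacked_frames(const module_range *mods, size_t n_mods,
                             const uint64_t *frames, size_t n_frames)
{
    size_t unbacked = 0;
    for (size_t i = 0; i < n_frames; i++)
        if (frames[i] != 0 && owner_of(mods, n_mods, frames[i]) == NULL)
            unbacked++;
    return unbacked;
}

static ptr_verdict check_ptr(const module_range *mods, size_t n,
                             const char *registrant, uint64_t p)
{
    const module_range *m;
    if (p == 0)
        return PTR_OK;                 /* slot was never registered */
    m = owner_of(mods, n, p);
    if (m == NULL)
        return PTR_UNBACKED;           /* points outside every loaded image */
    return strcmp(m->name, registrant) == 0 ? PTR_OK : PTR_REDIRECTED;
}

/* Callback integrity check: worst verdict over the pre and post pointers. */
ptr_verdict check_callback(const module_range *mods, size_t n, const callback_record *cb)
{
    ptr_verdict pre = check_ptr(mods, n, cb->registrant, cb->pre_op);
    ptr_verdict post = check_ptr(mods, n, cb->registrant, cb->post_op);
    return pre > post ? pre : post;
}

/* ---- Constructed sample data (not taken from a real system) ---- */
static const module_range SAMPLE_MODS[] = {
    { "ntoskrnl.exe",   0xfffff80000000000ULL, 0x1000000ULL },
    { "BEDaisy.sys",    0xfffff80012340000ULL, 0x400000ULL  },
    { "thirdparty.sys", 0xfffff80020000000ULL, 0x10000ULL   },  /* hypothetical */
};
#define N_MODS (sizeof SAMPLE_MODS / sizeof SAMPLE_MODS[0])

/* Every frame lands in a loaded image. */
static const uint64_t CLEAN_STACK[] = {
    0xfffff80000123456ULL, 0xfffff800125c919cULL, 0xfffff80000234567ULL };
/* Two frames land in memory that no image covers. */
static const uint64_t MAPPED_STACK[] = {
    0xffffa00012345678ULL, 0xffffa00012345900ULL, 0xfffff80000123456ULL };

static const callback_record INTACT  = { "363220", "BEDaisy.sys",
    0xfffff80012350000ULL, 0 };
static const callback_record SWAPPED = { "363220", "BEDaisy.sys",
    0xfffff80020001000ULL, 0xfffff80020001010ULL };
static const callback_record POOLED  = { "363220", "BEDaisy.sys",
    0xffffa00012345678ULL, 0 };

int main(void)
{
    printf("clean stack:  %zu unbacked frame(s)\n",
           count_unbacked_frames(SAMPLE_MODS, N_MODS, CLEAN_STACK, 3));
    printf("mapped stack: %zu unbacked frame(s)\n",
           count_unbacked_frames(SAMPLE_MODS, N_MODS, MAPPED_STACK, 3));
    printf("altitude %s intact:  verdict %d\n", INTACT.altitude,
           (int)check_callback(SAMPLE_MODS, N_MODS, &INTACT));
    printf("altitude %s swapped: verdict %d\n", SWAPPED.altitude,
           (int)check_callback(SAMPLE_MODS, N_MODS, &SWAPPED));
    printf("altitude %s pooled:  verdict %d\n", POOLED.altitude,
           (int)check_callback(SAMPLE_MODS, N_MODS, &POOLED));
    return 0;
}
```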

Temporary Bypass for improperly implemented Battleye
It's happened a few times on a couple of games that you can just unload the Battleye driver and the game doesn't stop running. It's easy to do, but unlikely to work on most new games. @gulerardaeren posted this a while back; it has worked previously on Zula, Crossfire, Apex Legends and others as well.

STEP 1: Open the game

STEP 2: Open Process Hacker and find BEService.exe

STEP 3: Right click BEService.exe and click suspend (this will require administrator permission)

STEP 4: Open the Process Hunter and go to the Kernel Module

STEP 5: Find BEDaisy.sys, right click and click unload driver

STEP 6: If they didn't patch this method, you can even use Cheat Engine :)

Carl Schou vm_call articles
This guy is a wizard when it comes to reverse engineering; he has written a ton of up-to-date new information. Daax has also co-authored some articles with him.
https://vmcall.blog/category/battleye/

secret.club Battleye articles
https://secret.club/2020/02/26/be_umode.html
https://secret.club/2020/03/31/battleye-developer-tracking.html

HyperVisors
Here is just a sample of one of his articles where he talked about hypervisors

The cat and mouse game of game-hacking continues to fuel the innovation of exploitation and mitigation. The usage of virtualization technology in game-hacking has exploded ever since copy-pastable hypervisors such as Satoshi Tanda’s DdiMon and Petr Beneš’ hvpp hit the scene. These two projects are being used by most of the paid cheats in the underground hacking scene, due to their low barrier of entry and extensive documentation. These releases have with high certainty sped up the hypervisor arms race that is now beginning to show its face in the gamehacking community. Here’s what the administrator at one of the world’s largest game-hacking communities, wlan, says about the situation:

With the advent of ready-made hypervisor solutions for game hacking it’s become unavoidable for anti-cheats such as BattlEye to focus on generic virtualization detections
The reason hypervisors are so wide-spread now is because of recent developments in kernel anti-cheats leaving very little room for hackers to modify games through traditional means. The popularity of hypervisors could be explained by the simplicity of evasion, since virtualization enables you to more easily hide information from the anti-cheat, through mechanisms such as syscall hooks and MMU virtualization.

BattlEye has recently implemented a detection of generic hypervisors such as the previously mentioned platforms (DdiMon, hvpp) using time-based detection. This detection aims to spot abnormal time values in the instruction CPUID. CPUID is a relatively cheap instruction on real hardware, and will generally only require two hundred cycles, whereas in a virtualized environment it may take up to ten times as long due to the overhead incurred by an introspective engine. An introspective engine is not like any real hardware which just performs the operation as is expected, it monitors and conditionally changes the data returned to the guest based on arbitrary criteria.

vm_call shared with the community an incomplete list of functions they put a vectored exception handler on and analyze, including:
  • GetAsyncKeyState
  • GetCursorPos
  • IsBadReadPtr
  • NtUserGetAsyncKeyState
  • GetForegroundWindow
  • CallWindowProcW
  • NtUserPeekMessage
  • NtSetEvent
  • sqrtf
  • __stdio_common_vsprintf_s
  • CDXGIFactory::TakeLock
  • TppTimerpExecuteCallback
Dump Modules
The first thing you need to do to reverse engineer Battleye is to dump the system driver from memory; you will find a couple of pre-made dumps below. Once you have the dumps you can load them into IDA Pro and start looking around.

GH Resources
iPower BE Logs & BEDaisy.sys Module Dump

iPower Fortnite BE Logs
02/07/2020 BEDaisy.sys dump
Old Battleye Bypass Source Code
Release - BattlEye Bypass [+Tested on Rainbow Six Siege] (Driver) (Source)
c5's old IDA Scripts for Analyzing BE

External Resources
The most important thing you can do to learn about BattleEye is to watch this video made by the DayZ developers about how Battleye helps them stop cheaters. This is also an excellent video for anyone wanting to learn about anticheat.


Check out Douggem's site for good info and his video:


Attachments
I have attached a bunch of files from github and other places in case they get deleted, many of these are copies of the files in the links above
 

Last edited:

[GH]Bot

Moderator
Jun 14, 2016
22
2,082
0
So with Battleye getting HWID bans a few months back, I looked into a few methods to change serial numbers with hardware. These methods are pretty straightforward, so this isn't going to be long.
1) WD 2.5-inch HDDs [I don't recommend this so I'm not going into detail]
Certain WD drives, maybe some Hitachi ones too (due to the type of method), could be loaded up with new firmware. This was primarily used in the Xbox 360 community to get a larger drive without paying the Xbox tax.
You need HDDHackr, MS-DOS (USB flash drive), BIOS to be in IDE mode (just for DOS)
**HDD must be connected by SATA**
Then get either an undo.bin (you can try dumping from the program but it didn't work for me) for your exact drive or an HDDSS.bin.
Once you have that, go into Hex Workshop or whatever you want to use to edit it and change the serial number.

Create an MS-DOS USB (FreeDOS may work but might be buggy)
Put HDDHackr and the .bin file on the USB
Start HDDHackr in DOS
Use restore or flash to write to the HDD and you're done.
2) USB external docks.
Yep, I shit you not. Not sure why this hasn't been mentioned before. They work; you just need one that has a SOIC8 chip on the board, as this is what usually contains the HDD info.


Novatech docking station. (They don't make these any more but they were just rebranded.)
I'm yet to receive my chip reader/writer board, but you should be able to just write to the chip with one. Battleye can't ban that serial number because, let's think about it, there will be 100s of people running USB HDDs.
Maybe they can detect it; in that case use method 1, as I cannot think of any way they could detect you ran a program out of your OS, and it would look like a normal drive with a normal serial and a normal manufacturer etc.
RIP HDD serial anti-cheat detection.
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
11,574
78,998
2,317
Bypassing BattlEye from user-mode

Today we’ll talk about how BattlEye does integrity checks for loaded images, as well as implementing a work-around for these checks.

Image integrity checks
BattlEye does checks on images that get loaded by opening a handle to the file on disk with CreateFile, after this handle’s open, it retrieves certificate details for the file, and checks if it’s one of the blacklisted certificates. If it is, the file gets blocked from loading and BattlEye notifies you that a blacklisted file was attempting load.

Continue reading @ secret.club - Bypassing BattlEye from user-mode

BattlEye reverse engineer tracking

Preface

Modern commercial anti-cheats are faced by an increasing competitiveness in professional game-hack production, and thus have begun implementing questionable methods to prevent this. In this article, we will present a previously unknown anti-cheat module, pushed to a small fraction of the player base by the commercial anti-cheat BattlEye. The prevalent theory is that this module is specifically targeted against reverse engineers, to monitor the production of video game hacking tools, due to the fact that this is dynamically pushed.

Shellcode ??
The code snippets in this article are beautified decompilations of shellcode that we’ve dumped and deobfuscated from BattlEye...

Continue reading @ BattlEye reverse engineer tracking - secret.club

BattlEye anticheat: analysis and mitigation

BattlEye is a prevalent German third-party anti-cheat primarily developed by the 32-year-old founder Bastian Heiko Suter. It provides game publishers easy-to-use anti-cheat solutions, using generic protection mechanisms and game-specific detections to provide optimal security, or at least tries to. As their website states, they are always staying on top of state-of-the-art technologies and utilizing innovative methods of protection and detection, evidently due to their nationality: QUALITY MADE IN GERMANY. BattlEye consists of multiple organs that work together to catch and prevent cheaters in the respective games that pay them. The four main entities are:

  • BEService - Windows system service that communicates with the BattlEye server BEServer, which provides BEDaisy and BEClient server-client-communication capabilities.
  • BEDaisy - Windows kernel driver that registers preventive callbacks and minifilters to prevent cheaters from modifying the game illicitly.
  • BEClient - Windows dynamic link library that is responsible for most of the detection vectors, including the ones in this article. It is mapped into the game process after initialization.
  • BEServer - Proprietary backend-server that is responsible for collecting information and taking concrete actions against cheaters.
Shellcode
Recently, a dump of BattlEye’s shellcode surfaced on the internet, and we decided to make a write-up of what exactly the current iteration of BattlEye is actively looking for. We have not worked on BattlEye for the past 6 months, so the last piece of shellcode we have dumped is most likely obsolete. Miscellaneous parts of code were recognized completely from memory in this recent dump, suggesting that BattlEye only appends to the shellcode and does not remove previous detection procedures.

continue reading at secret.club...
 
Last edited:

Rake

Cesspool Admin
Administrator
Jan 21, 2014
11,574
78,998
2,317
BattlEye shellcode updates

Anticheats change as time goes on, features come and go to maximize the efficiency of the product. I did a complete write-up of BattlEye’s shellcode a year ago on my blog, and this article will merely reflect the changes that have been made to said shellcode.

Blacklisted Timestamps
Last time I analyzed BattlEye, there were only two compile-time datestamps in the shadowban ban list, and it seems like they’ve decided to add a lot more:

0x5B12C900 (action_x64.dll)
0x5A180C35 (TerSafe.dll, Epic Games)
0xFC9B9325 (?)
0x456CED13 (d3dx9_32.dll)
0x46495AD9 (d3dx9_34.dll)
0x47CDEE2B (d3dx9_32.dll)
0x469FF22E (d3dx9_35.dll)
0x48EC3AD7 (D3DCompiler_40.dll)
0x5A8E6020 (?)
0x55C85371 (d3dx9_32.dll)
0x456CED13 (?)
0x46495AD9 (D3DCompiler_40.dll)
0x47CDEE2B (D3DX9_37.dll)
0x469FF22E (?)
0x48EC3AD7 (?)
0xFC9B9325 (?)
0x5A8E6020 (?)
0x55C85371 (?)

I’ve failed to identify the rest of the timestamps, and the two 0xF******* are hashes produced by Visual Studio reproducible builds. If anyone can identify the timestamps, please hit me up on twitter 🙂

Thanks to @mottikraus and T0B1 for identifying some of the timestamps.

continue reading @ secret.club...

Battleye Stack Walking

With game-hacking being a continuous cat and mouse game, rumours about new techniques spread like fire. As such in this blog post we will take a look into one of the new heuristic techniques that BattlEye, a large anti-cheat provider, has recently added to its arsenal. Most widely known as stack walking, this is usually done by hooking a function and traversing the stack to find out who exactly is calling said function. Why would one do this? Just like any other program, video game hacks have a set of well known functions that they utilize to get keyboard information, print to the console or calculate certain mathematical expressions. Video game hacks also like to attempt to hide their existence, be it in memory or on disk, so that the anti-cheat software does not find it. What these cheat programs forget is that they regularly call functions in other libraries, and this can be exploited to heuristically detect unknown cheats. By implementing a stack walking engine on prevalent functions like std::print, you will be able to find these cheats even if they disguise themselves.

BattlEye has implemented “stack walking”, even though this has not been publicly proved and prior to this article was just rumors. Note the quotes around stack walking, because what you will see here is not true stack walking, this is merely a return address check and a caller dump combined. A true stack walker would traverse the stack and generate a proper callstack.

continue reading @ secret.club...
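The "Blacklisted Timestamps" list above is keyed on the compile-time datestamp stored in each module's PE header. The following is an added example, not code from the post, the linked article or BattlEye: it reads IMAGE_FILE_HEADER.TimeDateStamp from an image, decodes it, and looks it up in a subset of the values listed above. The function names, the 1990 plausibility floor and the sample image are this example's own assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# Subset of the values and names listed in the post above.
BLOCKLIST = {
    0x5B12C900: "action_x64.dll",
    0x5A180C35: "TerSafe.dll, Epic Games",
    0x48EC3AD7: "D3DCompiler_40.dll",
    0xFC9B9325: "?",
}

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption of this example: a real link time is never earlier than 1990.
EARLIEST = datetime(1990, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(image: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp from the start of a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # File header follows the signature: Machine (2), NumberOfSections (2),
    # then the 32-bit TimeDateStamp.
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return stamp


def classify(stamp: int, as_of: datetime = None) -> dict:
    """Decode a stamp and look it up in BLOCKLIST.

    A value that decodes to a moment outside [EARLIEST, as_of] cannot be a
    link time; the post attributes its 0xF... entries to reproducible builds,
    where the field holds a hash instead. This range test is a heuristic.
    """
    as_of = as_of or datetime.now(timezone.utc)
    when = EPOCH + timedelta(seconds=stamp)
    plausible = EARLIEST <= when <= as_of
    return {
        "stamp": f"0x{stamp:08X}",
        "utc": when.isoformat() if plausible else None,
        "kind": "link-time" if plausible else "hash-like",
        "blocklisted_as": BLOCKLIST.get(stamp),
    }


def make_sample_image(stamp: int) -> bytes:
    """Constructed input: just enough of a PE file to carry a timestamp."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew
    file_header = struct.pack("<HHIIIHH",
                              0x8664,                   # Machine: AMD64
                              1,                        # NumberOfSections
                              stamp,                    # TimeDateStamp
                              0, 0,                     # symbol table fields
                              0xF0,                     # SizeOfOptionalHeader
                              0x2022)                   # Characteristics
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    for value in (0x5B12C900, 0xFC9B9325, 0x5E000000):
        image = make_sample_image(value)
        print(classify(pe_timestamp(image)))
```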
 
Last edited:
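The return-address check described in the stack-walking excerpt above comes down to attributing an address to a loaded module. The following is an added example, not code from the post, the linked article or BattlEye: it shows that attribution for a single caller and for a whole list of return addresses. The module list, the addresses and the function names are constructed for illustration.

```python
from bisect import bisect_right
from typing import NamedTuple, Optional


class Module(NamedTuple):
    name: str
    base: int
    size: int


# Constructed module list for a 64-bit process, sorted by base address.
MODULES = sorted([
    Module("game.exe",     0x00007FF6_10000000, 0x02400000),
    Module("user32.dll",   0x00007FFB_2A100000, 0x001A0000),
    Module("kernel32.dll", 0x00007FFB_2B4C0000, 0x000BD000),
    Module("ntdll.dll",    0x00007FFB_2C700000, 0x001F8000),
], key=lambda m: m.base)
_BASES = [m.base for m in MODULES]

# Constructed return addresses, innermost frame first.
LEGIT_STACK = [0x7FF610123456, 0x7FFB2B4D7034, 0x7FFB2C752651]
UNBACKED_STACK = [0x1F4A3C205A2, 0x7FFB2B4D7034, 0x7FFB2C752651]


def owner(addr: int) -> Optional[Module]:
    """Return the module whose [base, base + size) range contains addr."""
    i = bisect_right(_BASES, addr) - 1      # last module starting at or below addr
    if i < 0:
        return None                         # below the lowest module
    m = MODULES[i]
    return m if addr < m.base + m.size else None   # end of range is exclusive


def describe(addr: int) -> str:
    """Format as module+offset, or mark the address as not module-backed."""
    m = owner(addr)
    return f"{m.name}+{addr - m.base:08x}" if m else f"<unbacked 0x{addr:x}>"


def check_caller(return_addresses) -> dict:
    """Return-address check: attribute only the immediate caller."""
    addr = return_addresses[0]
    return {"caller": describe(addr), "suspicious": owner(addr) is None}


def walk(return_addresses) -> dict:
    """Full attribution: one module+offset entry per frame."""
    return {
        "frames": [describe(a) for a in return_addresses],
        "suspicious": any(owner(a) is None for a in return_addresses),
    }


if __name__ == "__main__":
    for stack in (LEGIT_STACK, UNBACKED_STACK):
        print(check_caller(stack))
        print(walk(stack))
```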

niceone

Newbie
Full Member
Mar 26, 2016
26
264
0
Hello,
I'm trying to bypass Battleye (the AC from Rainbow Six Siege), so I can inject a DLL into the game.

If I try to inject with Extreme Injector, it says "Unable to find kernel32.dll in the specified process" - this should come from the memory protection from BE - if I disable the service I can inject the file without any problem.

I tried to bypass BE with PCHunter and signed DLLs - if BE detects PCHunter it kills itself (a bit confusing); if I try to inject the signed DLL (custom created Microsoft certificate) it still outputs the kernel32 error.

Can someone help me please?
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,279
37,938
268
Battleye blocks usermode access to a process by conventional means via ObRegisterCallbacks ( https://msdn.microsoft.com/en-us/library/windows/hardware/ff558692(v=vs.85).aspx )

In order to circumvent that, you'd want to find one of the methods that works in usermode, or write a driver and circumvent it that way, you can do that in a few ways, hook their driver, collide with their callbacks, or simply remove their callbacks ( https://douggemhax.wordpress.com/2015/05/27/obregistercallbacks-and-countermeasures/ )
 

iPower

Piece of shit
Moderator
Escobar Tier VIP
Fleep Tier Donator
Jun 29, 2017
574
19,508
64
I'm currently reversing BE, ran my kernel tracer and logged everything to a file so I'm gonna post a dump for BEDaisy and some logs generated by the tracer, might help someone that's reversing it.
 

Attachments

Rake

Cesspool Admin
Administrator
Jan 21, 2014
11,574
78,998
2,317
I'm currently reversing BE, ran my kernel tracer and logged everything to a file so I'm gonna post a dump for BEDaisy and some logs generated by the tracer, might help someone that's reversing it.
Awesome dude, thanks for sharing
First thing I'd do is look at this
Code:
[ LuluVisor ] TM -> KM Transition! Function called: ObRegisterCallbacks
[ LuluVisor ] Function called at: BEDaisy.sys+0028919c
 

MiLkMaN

Newbie
Feb 3, 2016
3
32
0
Battleye blocks usermode access to a process by conventional means via ObRegisterCallbacks ( https://msdn.microsoft.com/en-us/library/windows/hardware/ff558692(v=vs.85).aspx )

In order to circumvent that, you'd want to find one of the methods that works in usermode, or write a driver and circumvent it that way, you can do that in a few ways, hook their driver, collide with their callbacks, or simply remove their callbacks ( https://douggemhax.wordpress.com/2015/05/27/obregistercallbacks-and-countermeasures/ )
Maybe this worked in Arma3, but it never worked in Rainbow Six. I tried the week they added BattlEye, you can't even join an online game if you block the callbacks this way.
 

iPower

Piece of shit
Moderator
Escobar Tier VIP
Fleep Tier Donator
Jun 29, 2017
574
19,508
64
Wasn't going to post this because BattlEye sucks but here are some logs for Fortnite's BEDaisy (the BattlEye driver)

Full log in attachment, here is a sample:
Code:
00014836    4.13053322    [ LuluVisor ] PsGetThreadProcessId - BEDaisy.sys+002ad3ff
00014837    4.13055086    [ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002ad435
00014838    4.13056660    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad44c
00014839    4.13088560    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014840    4.13105822    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014841    4.13389587    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014842    4.13482237    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014843    4.13521767    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014844    4.13611221    [ LuluVisor ] PsGetThreadProcessId - BEDaisy.sys+002ad3ff
00014845    4.13613081    [ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002ad435
00014846    4.13614798    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad44c
00014847    4.13617611    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014848    4.13649130    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014849    4.13653374    [ LuluVisor ] PsGetThreadProcessId - BEDaisy.sys+002ad3ff
00014850    4.13656998    [ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002ad435
00014851    4.13659143    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad44c
00014852    4.13699818    [ LuluVisor ] PsGetThreadProcessId - BEDaisy.sys+002ad3ff
00014853    4.13701344    [ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002ad435
00014854    4.13702917    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad44c
00014855    4.13710880    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014856    4.13729477    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014857    4.13735914    [ LuluVisor ] PsGetThreadProcessId - BEDaisy.sys+002ad3ff
00014858    4.13737535    [ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002ad435
00014859    4.13739061    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad44c
00014860    4.13747358    [ LuluVisor ] PsGetThreadProcessId - BEDaisy.sys+002ad3ff
00014861    4.13748884    [ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002ad435
00014862    4.13750410    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad44c
00014863    4.13826370    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014864    4.13846731    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014865    4.13859940    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014866    4.13885021    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014867    4.13927364    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014868    4.13948727    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014869    4.13971090    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014870    4.13981819    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014871    4.13987064    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014872    4.13989210    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014873    4.13998890    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014874    4.14002800    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014875    4.14014053    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014876    4.14017868    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014877    4.14083862    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014878    4.14125109    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014879    4.14140081    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa

00014880    4.14149427    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014881    4.14154625    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014882    4.14163017    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014883    4.14212799    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014884    4.14282942    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014885    4.14314699    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014886    4.14318991    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af705
00014887    4.14319611    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014888    4.14328003    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af747
00014889    4.14370155    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014890    4.14395666    [ LuluVisor ] KeReleaseMutex - BEDaisy.sys+002af75d
00014891    4.14398813    [ LuluVisor ] ExFreePool - BEDaisy.sys+002af768
00014892    4.14402676    [ LuluVisor ] KeWaitForMutexObject - BEDaisy.sys+002af773
00014893    4.14420652    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014894    4.14444304    [ LuluVisor ] KeReleaseMutex - BEDaisy.sys+002af829
00014895    4.14446354    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014896    4.14448071    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014897    4.14449692    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014898    4.14451218    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014899    4.14452744    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014900    4.14454269    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014901    4.14454794    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014902    4.14458227    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014903    4.14461327    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014904    4.14462900    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014905    4.14464378    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014906    4.14465904    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014907    4.14467525    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014908    4.14469194    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014909    4.14470720    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014910    4.14472342    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014911    4.14473867    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014912    4.14475441    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014913    4.14476967    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014914    4.14478493    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014915    4.14480019    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014916    4.14481497    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014917    4.14483023    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014918    4.14484644    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014919    4.14486170    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014920    4.14487743    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014921    4.14489365    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014922    4.14490938    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014923    4.14492559    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014924    4.14496899    [ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002af83f
00014925    4.14500809    [ LuluVisor ] ZwClose - BEDaisy.sys+002af84a
00014926    4.14503860    [ LuluVisor ] ZwQueryDirectoryObject - BEDaisy.sys+002af86b
00014927    4.14509201    [ LuluVisor ] RtlCompareUnicodeString - BEDaisy.sys+002af5af
00014928    4.14514256    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014929    4.14520645    [ LuluVisor ] RtlInitUnicodeString - BEDaisy.sys+002af5d0
00014930    4.14524221    [ LuluVisor ] ObOpenObjectByName - BEDaisy.sys+002af5f7
00014931    4.14527512    [ LuluVisor ] ObReferenceObjectByHandle - BEDaisy.sys+002af602
00014932    4.14529896    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af60d
00014933    4.14532423    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af618
00014934    4.14536238    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af62e
00014935    4.14539719    [ LuluVisor ] ZwOpenFile - BEDaisy.sys+002af655
00014936    4.14546013    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014937    4.14546824    [ LuluVisor ] ObReferenceObjectByHandle - BEDaisy.sys+002af660
00014938    4.14549351    [ LuluVisor ] IoQueryFileDosDeviceName - BEDaisy.sys+002af66b
00014939    4.14554501    [ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002af676
00014940    4.14558697    [ LuluVisor ] ZwClose - BEDaisy.sys+002af681
00014941    4.14564180    [ LuluVisor ] KeWaitForMutexObject - BEDaisy.sys+002af6ef
00014942    4.14582062    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014943    4.14634514    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014944    4.14710379    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014945    4.14715338    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af705
00014946    4.14727926    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af747
00014947    4.14794207    [ LuluVisor ] KeReleaseMutex - BEDaisy.sys+002af75d
00014948    4.14797974    [ LuluVisor ] ExFreePool - BEDaisy.sys+002af768
00014949    4.14804506    [ LuluVisor ] KeWaitForMutexObject - BEDaisy.sys+002af773
00014950    4.14867640    [ LuluVisor ] KeReleaseMutex - BEDaisy.sys+002af829
00014951    4.14869499    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014952    4.14871168    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014953    4.14872646    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014954    4.14874172    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014955    4.14875746    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014956    4.14877272    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014957    4.14878798    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014958    4.14880323    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014959    4.14881897    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014960    4.14883423    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014961    4.14884901    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014962    4.14886427    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014963    4.14888048    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014964    4.14889574    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014965    4.14891100    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014966    4.14892578    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014967    4.14894104    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014968    4.14895630    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014969    4.14897203    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014970    4.14898729    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014971    4.14900303    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014972    4.14901829    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014973    4.14903355    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014974    4.14904881    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014975    4.14906454    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014976    4.14907932    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014977    4.14909458    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014978    4.14911032    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002b29b3
00014979    4.14913607    [ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002af83f
00014980    4.14915943    [ LuluVisor ] ZwClose - BEDaisy.sys+002af84a
00014981    4.14919424    [ LuluVisor ] ZwQueryDirectoryObject - BEDaisy.sys+002af86b
00014982    4.14923191    [ LuluVisor ] RtlCompareUnicodeString - BEDaisy.sys+002af5af
00014983    4.14926767    [ LuluVisor ] ZwQueryDirectoryObject - BEDaisy.sys+002af86b
00014984    4.14929008    [ LuluVisor ] RtlCompareUnicodeString - BEDaisy.sys+002af5af
00014985    4.14940500    [ LuluVisor ] RtlInitUnicodeString - BEDaisy.sys+002af5d0
00014986    4.14944696    [ LuluVisor ] ObOpenObjectByName - BEDaisy.sys+002af5f7
00014987    4.14948988    [ LuluVisor ] ObReferenceObjectByHandle - BEDaisy.sys+002af602
00014988    4.14952040    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af60d
00014989    4.14966393    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af618
00014990    4.14970732    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af62e
00014991    4.14975548    [ LuluVisor ] ZwOpenFile - BEDaisy.sys+002af655
00014992    4.14995956    [ LuluVisor ] ObReferenceObjectByHandle - BEDaisy.sys+002af660
00014993    4.14998865    [ LuluVisor ] IoQueryFileDosDeviceName - BEDaisy.sys+002af66b
00014994    4.15011549    [ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002af676
00014995    4.15013981    [ LuluVisor ] ZwClose - BEDaisy.sys+002af681
00014996    4.15021420    [ LuluVisor ] KeWaitForMutexObject - BEDaisy.sys+002af6ef
00014997    4.15107632    [ LuluVisor ] PsGetProcessInheritedFromUniqueProcessId - BEDaisy.sys+002ad08d
00014998    4.15131855    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00014999    4.15345526    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00015000    4.15591192    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00015001    4.15702868    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af6fa
00015002    4.15706635    [ LuluVisor ] _wcsnicmp - BEDaisy.sys+002af705
00015003    4.15718412    [ LuluVisor ] MmIsAddressValid - BEDaisy.sys+002af747
00015004    4.15768480    [ LuluVisor ] KeReleaseMutex - BEDaisy.sys+002af75d
00015005    4.15771389    [ LuluVisor ] ExFreePool - BEDaisy.sys+002af768
00015006    4.15774822    [ LuluVisor ] KeWaitForMutexObject - BEDaisy.sys+002af773
00015007    4.15825272    [ LuluVisor ] KeReleaseMutex - BEDaisy.sys+002af829
 

Attachments

Last edited by a moderator:

cNoEvil

Coder
Full Member
Nobleman
Jun 6, 2016
158
848
1
you can't leave the callbacks disabled.
here is what you do.

disable callbacks
load your own driver to do read\write and have your external app talk to it.
enable callbacks.
join server.
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
11,574
78,998
2,317
I have just found this blog about BE, contains a lot of good info....
https://vmcall.blog/
looks legit, last post is only a week old!
Every time he posts something they patch it tho haha, but there is plenty of good info there. He's the person working with Riot anticheat; I think he has something to do with their new kernel anticheat.
 

XdarionX

Dying Light Hacker
Dank Tier VIP
Dank Tier Donator
Mar 30, 2018
813
21,408
110
Every time he posts something they patch it tho haha, but there is plenty of good info there. He's the person working with Riot anticheat; I think he has something to do with their new kernel anticheat.
I just admire these people reversing high-level anticheats and then releasing their reversals publicly even when they know it's gonna be patched (but anyway the logic of the AC remains the same)
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
11,574
78,998
2,317
@iPower shared some quick info with me regarding how they detect manually mapped drivers: they do so by searching for system threads which do not belong to any regular kernel module. You can find it in his logs by searching for PsLookupThreadByThreadId & RtlWalkFrameChain

For example:
C++:
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b441b
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b443c
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b4450
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b45b9
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b441b
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b443c
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b4450
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b45b9
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b441b
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b443c
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b4450
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b45b9
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b441b
[ LuluVisor ] ObfDereferenceObject - BEDaisy.sys+002b4708
[ LuluVisor ] PsLookupThreadByThreadId - BEDaisy.sys+002b4651
[ LuluVisor ] IoThreadToProcess - BEDaisy.sys+002b4670
[ LuluVisor ] IoGetCurrentProcess - BEDaisy.sys+002b468d