About bypassing the Battleye rootkit
By the way – all I need is to read a game’s memory, I don’t need to write anything. So BE uses ObRegisterCallbacks to strip handles’ access.
Method 1 – So there are methods like rootkits/drivers which get access from kernel mode.
As far as I understand this is what I need:
– 1.1 I write a driver that reads memory, find a method to load it, and communicate with my hack via IOCTL
– 1.2 Is DSEfix still undetected for loading my driver? E.g. I load it before the game and clean up traces
– 1.3 If DSEfix is fine to use, how do I clean up traces?
– 1.4 Is the driver itself undetectable if it just copies memory?
– 1.5 Do I need to separate my driver into multiple parts, like a “blank” driver that only loads another driver to read memory? Is that overkill?
Method 2 – elevate the process handle to system access with e.g. ASUS driver exploits.
I’m not sure I understand how it works, so
– 2.1 – I create a handle to a game, elevate access rights and can read normally with ReadProcessMemory?
– 2.2 – Doesn’t Battleye see the handle and ban?
Others:
As I understand it, there are differences between Win 7 and later versions
– PatchGuard will BSOD if I try to patch the kernel, which prevents me from loading drivers, right?
– 3.1 – So I should use Win 7 for the driver method?
– 3.2 – Is DKOM still viable in Win 10 or Win 7?
– 3.3 – do I need DKOM to hide my processes?