New bypasses for EAC/BE/Other
Been doing some research lately, think we're hitting the limit of usermode bypasses, so I'll just share two more methods that actually work (tested) for both BE & EAC (and probably others).
– Virtual filesystem
You own the filesystem the cheat/game is executed on, and you can control which PID can access what and what content is returned on each read request. A few libraries exist for that which implement the kernel filesystem with a user-mode API to extend it. One of them is Dokan: https://github.com/dokan-dev/dokany
– Lsass handles
lsass.exe has special privileges; its handles never get stripped due to how Windows works. You can process-hollow it and get full-access handles, or you can DLL-inject into it, or hijack its handles (Hleaker) …
No PoC code though, I'll make a universal solution in the coming weeks.
How it works
The Dokan library contains a user-mode DLL (dokan1.dll) and a kernel-mode file system driver (dokan1.sys). Once the Dokan file system driver is installed, you can create file systems which can be seen as normal file systems in Windows. An application that creates file systems using the Dokan library is called a file system application.
File operation requests from user programs (e.g., CreateFile, ReadFile, WriteFile, …) will be sent to the Windows I/O subsystem (which runs in kernel mode), which will subsequently forward the requests to the Dokan file system driver (dokan1.sys). By using functions provided by the Dokan user-mode library (dokan1.dll), file system applications are able to register callback functions with the file system driver. The file system driver will invoke these callback routines in order to respond to the requests it received. The results of the callback routines will be sent back to the user program.
For example, when Windows Explorer requests to open a directory, the CreateFile request with the Directory option will be sent to the Dokan file system driver, and the driver will invoke the CreateFile callback provided by the file system application. The results of this routine are sent back to Windows Explorer as the response to the CreateFile request. Therefore, the Dokan file system driver acts as a proxy between user programs and file system applications. The advantage of this approach is that it allows programmers to develop file systems in user mode, which is safe and easy to debug.
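From the defender's side, the whole scheme above depends on one observable precondition: the Dokan kernel driver has to be loaded before any user-mode file system application can answer read requests. The following is an added example, not code from the post, from Dokan or from any anti-cheat vendor, that enumerates loaded kernel drivers through the documented `psapi` functions `EnumDeviceDrivers` and `GetDeviceDriverBaseNameW` and flags the Dokan driver. The name `dokan1.sys` comes from the text above; `dokan2.sys` is an assumption about the newer major version of the driver, and the sample driver list used for the offline check is constructed.

```python
"""Detect whether a user-mode file system proxy driver (Dokan) is loaded.

Added example for integrity checks. The classification logic is pure Python so it
runs anywhere; the enumeration helper uses psapi.dll and therefore only runs on Windows.
"""
import ctypes
import sys

# Driver image names that indicate a user-mode file system proxy is present.
# "dokan1.sys" is named on the page; "dokan2.sys" is an assumption about Dokan 2.x.
WATCHED_DRIVERS = ("dokan1.sys", "dokan2.sys")

# Constructed sample of a loaded-driver list, as EnumDeviceDrivers would report it.
SAMPLE_LOADED_DRIVERS = ["ntoskrnl.exe", "hal.dll", "ntfs.sys", "Dokan1.sys", "tcpip.sys"]


def find_user_mode_fs_drivers(loaded_drivers, watch=WATCHED_DRIVERS):
    """Return the loaded driver names (case-insensitive match) that are on the watch list."""
    watch_lc = {w.lower() for w in watch}
    return sorted({name for name in loaded_drivers if name.lower() in watch_lc})


def enumerate_loaded_drivers():
    """Windows only: list base names of all loaded kernel drivers via psapi.EnumDeviceDrivers."""
    if sys.platform != "win32":
        raise OSError("EnumDeviceDrivers is only available on Windows")
    from ctypes import wintypes

    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    psapi.EnumDeviceDrivers.argtypes = [
        ctypes.POINTER(wintypes.LPVOID), wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    psapi.EnumDeviceDrivers.restype = wintypes.BOOL
    psapi.GetDeviceDriverBaseNameW.argtypes = [wintypes.LPVOID, wintypes.LPWSTR, wintypes.DWORD]
    psapi.GetDeviceDriverBaseNameW.restype = wintypes.DWORD

    # First call with an empty buffer only reports the number of bytes required.
    needed = wintypes.DWORD(0)
    if not psapi.EnumDeviceDrivers(None, 0, ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    count = needed.value // ctypes.sizeof(wintypes.LPVOID)
    bases = (wintypes.LPVOID * count)()
    if not psapi.EnumDeviceDrivers(bases, needed.value, ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())

    # Resolve each image base to its file name (e.g. "ntfs.sys").
    names = []
    buf = ctypes.create_unicode_buffer(260)
    for base in bases:
        if psapi.GetDeviceDriverBaseNameW(base, buf, len(buf)):
            names.append(buf.value)
    return names


def check_current_system():
    """Convenience wrapper: enumerate live drivers and report watched ones (Windows only)."""
    return find_user_mode_fs_drivers(enumerate_loaded_drivers())


if __name__ == "__main__":
    drivers = enumerate_loaded_drivers() if sys.platform == "win32" else SAMPLE_LOADED_DRIVERS
    hits = find_user_mode_fs_drivers(drivers)
    print("user-mode file system driver(s) loaded:" if hits else "none found", hits)
```

The presence of the driver is a signal, not a verdict: Dokan is a signed driver that legitimate backup and cloud-storage tools install, so an integrity check should combine it with where the game's own files actually reside (for example, whether the game directory sits on a volume served by that driver) rather than act on the driver alone.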