How to dump modules:
You can run the game inside a VM or under a hypervisor, dump the BattlEye modules from there and reverse engineer them. Just remember that BE does have some emulation/VM detection, so expect it to notice a stock VM configuration.
BattlEye's components:
BEService - Windows service that talks to BEServer and brokers communication for BEDaisy and BEClient
BEDaisy - the kernel-mode driver (BEDaisy.sys) that BattlEye loads
BEClient - user-mode DLL responsible for most of the detection vectors; it is mapped into the game process after initialization
BEServer - backend server that collects the reports and takes concrete action (bans) against cheaters
Features it has:
Debugger detection
Signature-based detection of known cheats
Enumeration of open handles to the game process
Detection of manually mapped modules, i.e. executable pages not backed by an image on disk
Creation of new handles to the game process is blocked
Overlay detection
Steam Overlay hooks and hacks embedded in Steam processes
lsass.exe modifications
Game file integrity checks
TCP connections to known cheat sites
Module name and timestamp blacklist
Certificate blacklist
Driver blacklist
Stack walking
Single-stepping to detect code running outside the expected user-mode memory ranges
Hypervisor detection
Things that it scans while operating:
All running processes
All device drivers
All window names
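To make two of the vectors above concrete (manually mapped modules, and stack walking that lands outside any loaded module), here is an added example of the user-mode heuristic behind them. It is not BattlEye's code and is not taken from the post; the module list, memory-map snapshot and captured return addresses are constructed, and the structs only mirror the fields a VirtualQueryEx loop would fill in, so it compiles and runs anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protection and region-type bits use the same values as the Windows
 * PAGE_* and MEM_* constants so the logic reads like a VirtualQueryEx loop. */
#define PAGE_READWRITE         0x04
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_EXECUTE_ANY (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                          PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
#define MEM_PRIVATE 0x20000
#define MEM_MAPPED  0x40000
#define MEM_IMAGE   0x1000000

typedef struct { const char *name; uint64_t base; uint64_t size; } module_t;
typedef struct { uint64_t base; uint64_t size; uint32_t protect; uint32_t type; } region_t;

/* Constructed loader module list (what walking the PEB loader list would give).
 * Names and addresses are made up for the example. */
static const module_t g_modules[] = {
    { "game.exe",         0x00007FF600000000ULL, 0x02000000 },
    { "ntdll.dll",        0x00007FFA10000000ULL, 0x00200000 },
    { "BEClient_x64.dll", 0x00007FFA20000000ULL, 0x00100000 },
};
#define N_MODULES (sizeof g_modules / sizeof g_modules[0])

/* Constructed memory-map snapshot, one entry per VirtualQueryEx region.
 * Entry 3 is the classic manually mapped cheat: RWX, private, no image behind it.
 * Entry 5 is executable but file-mapped rather than image-mapped, also suspicious. */
static const region_t g_regions[] = {
    { 0x00007FF600000000ULL, 0x02000000, PAGE_EXECUTE_READ,      MEM_IMAGE   },
    { 0x000001C0A0000000ULL, 0x00100000, PAGE_READWRITE,         MEM_PRIVATE },
    { 0x000001C0B0000000ULL, 0x00010000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE },
    { 0x00007FFA10000000ULL, 0x00200000, PAGE_EXECUTE_READ,      MEM_IMAGE   },
    { 0x000001C0C0000000ULL, 0x00020000, PAGE_EXECUTE_READ,      MEM_MAPPED  },
};
#define N_REGIONS (sizeof g_regions / sizeof g_regions[0])

/* Constructed stack capture: game code -> hook in the RWX region -> ntdll. */
static const uint64_t g_frames[] = {
    0x00007FF600001000ULL, 0x000001C0B0000010ULL, 0x00007FFA10005000ULL
};
#define N_FRAMES (sizeof g_frames / sizeof g_frames[0])

/* Returns the loader module that contains addr, or NULL if no module does. */
const module_t *module_for(uint64_t addr)
{
    for (size_t i = 0; i < N_MODULES; i++)
        if (addr >= g_modules[i].base && addr < g_modules[i].base + g_modules[i].size)
            return &g_modules[i];
    return NULL;
}

/* An executable region is accepted only if it is image-backed AND that image is
 * in the loader list. Private or file-mapped executable memory, or an image the
 * loader never saw (a section mapped by hand), is flagged. Real anti-cheats
 * must also whitelist legitimate JIT regions (.NET, browsers); this does not. */
size_t scan_executable_regions(const region_t *regs, size_t n)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        if (!(regs[i].protect & PAGE_EXECUTE_ANY))
            continue;
        if (regs[i].type == MEM_IMAGE && module_for(regs[i].base) != NULL)
            continue;
        printf("[!] executable region %#llx (+%#llx) type=%#x not backed by a loaded image\n",
               (unsigned long long)regs[i].base, (unsigned long long)regs[i].size, regs[i].type);
        flagged++;
    }
    return flagged;
}

/* Stack-walk check: every return address captured from a thread's stack should
 * land inside a loaded module; a frame that does not points at injected code. */
size_t audit_return_addresses(const uint64_t *frames, size_t n)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        if (module_for(frames[i]) == NULL) {
            printf("[!] frame %zu: return address %#llx is outside every loaded module\n",
                   i, (unsigned long long)frames[i]);
            flagged++;
        }
    }
    return flagged;
}

int main(void)
{
    size_t regions = scan_executable_regions(g_regions, N_REGIONS);
    size_t frames  = audit_return_addresses(g_frames, N_FRAMES);
    printf("%zu suspicious regions, %zu suspicious frames\n", regions, frames);
    return 0;
}
```

Against the constructed snapshot this flags the RWX private region and the executable file mapping, and one return address in the stack capture. The same "is this address inside an image the loader knows about" test is what the pool and thread checks below do in the kernel against the loaded-driver list, which is why a manually mapped driver has to hide its allocation and its threads rather than just its file.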
How to map drivers past BattlEye:
For this part KDMapper is the usual starting point, since nearly every public paste is built on it. It maps your driver by abusing the vulnerable, signed Intel iqvw64e.sys network diagnostics driver, which loads on any x64 Windows machine; an Intel CPU is not actually required.
To avoid your manually mapped driver getting detected you need to cover three things:
- PiDDBCacheTable & MmUnloadedDrivers: the vulnerable driver the mapper loads and unloads leaves its name and timestamp in both, which is exactly what the module name and timestamp blacklist above matches, so clear those entries.
- System pool detection: a manually mapped driver lives in a pool allocation with no image behind it, which shows up when the big-pool table is enumerated, so hide or replace that allocation.
- System thread detection: system threads whose start address is outside any loaded driver image stand out, so do not leave threads running from your mapped code.
Here is a driver that used to be undetected a long time ago, but is now surely detected. If you want to use it, you would need to rework the whole thing. You can use it as a learning source, and possibly try to make your own based on it. If you do want to do that you need the Windows Driver Kit (WDK) installed, which is available from Microsoft.
These kernel anti-cheats are praised far too much, and I'm hoping that it's going to end. Kernel anti-cheats can easily be bypassed if you know what you're doing. This anti-cheat can be exploited so that you would be able to bypass other kernel anti-cheats with it, for example EAC and Vanguard. This proves my point about them being highly vulnerable. If you enjoyed this tutorial, or found it helpful, please consider liking this post.