BattlEye Cheat Detection
#1
The four main entities are:
  • BEService
    • Windows system service that communicates with the BattlEye server BEServer, which provides BEDaisy and BEClient server-client-communication capabilities.
  • BEDaisy
    • Windows kernel driver that registers preventive callbacks and minifilters to prevent cheaters from modifying the game illicitly.
  • BEClient
    • Windows dynamic link library that is responsible for most of the detection vectors, including the ones in this article. It is mapped into the game process after initialization.
  • BEServer
    • Proprietary backend-server that is responsible for collecting information and taking concrete actions against cheaters.
BattlEye dynamically streams its shellcode from their server to the Windows service, known as BEService. This service communicates with the BattlEye module located inside of the game process, known as BEClient. The communication is done over the named pipe \\.\Battleye and up until last year was unencrypted. Now, all communication is encrypted through an XOR cipher with very small keys, making known-plaintext attacks trivial. When the shellcode has been streamed to the client, it is allocated and executed outside of any known modules, making distinction easy. To dump the shellcode, you can either hook prevalent Windows API functions like CreateFile, ReadFile, et cetera, and dump any caller’s respective memory section (query memory information on the return address) that is outside of any known module, or periodically scan the game’s virtual memory space for executable memory outside of any known module, and dump it to disk. Make sure to keep track of which sections you have dumped so you do not end up with thousands of identical dumps.
BattlEye enumerates the entire address space of the game process (current process in the following context) and runs various checks whenever a page is executable and outside of the respective shellcode memory space.
If you want to read more, check the link:

BattlEye Cheat Detection.
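
The address-space enumeration described in the post, modelled as an added example (not BattlEye's code and not part of the original post): it walks a list of memory regions, skips the scanner's own streamed code, and labels every committed executable region as module-backed or outside any known module. The `Region` record stands in for the fields of `MEMORY_BASIC_INFORMATION` that `VirtualQuery` returns; the function names and all addresses are constructed for illustration.

```python
from dataclasses import dataclass

# Windows constants from winnt.h
MEM_COMMIT = 0x1000
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

@dataclass(frozen=True)
class Region:  # hypothetical subset of MEMORY_BASIC_INFORMATION
    base: int
    size: int
    state: int
    protect: int

    @property
    def end(self):
        return self.base + self.size

def overlaps(region, start, end):
    return region.base < end and start < region.end

def inside_any(region, ranges):
    """True when the region lies entirely within one (start, end) module range."""
    return any(start <= region.base and region.end <= end for start, end in ranges)

def scan(regions, modules, own_range):
    """Return (base, label) for each committed executable region to be checked."""
    findings = []
    for r in regions:
        if r.state != MEM_COMMIT or not r.protect & EXEC_MASK:
            continue  # reserved/free or non-executable memory is not of interest
        if overlaps(r, *own_range):
            continue  # the scanner's own streamed code is excluded
        label = "module-backed" if inside_any(r, modules) else "outside-known-modules"
        findings.append((r.base, label))
    return findings

# Constructed sample layout (not taken from a real process)
MODULES = [(0x140000000, 0x140200000), (0x7FF800000000, 0x7FF800100000)]
OWN = (0x1F000000, 0x1F010000)
REGIONS = [
    Region(0x140001000, 0x50000, MEM_COMMIT, 0x20),  # code section of a loaded module
    Region(0x1F000000, 0x10000, MEM_COMMIT, 0x40),   # scanner's own shellcode
    Region(0x2A000000, 0x3000, MEM_COMMIT, 0x40),    # RWX memory with no module
    Region(0x2B000000, 0x1000, MEM_COMMIT, 0x04),    # PAGE_READWRITE data
    Region(0x2C000000, 0x2000, 0x2000, 0x00),        # MEM_RESERVE only
]
```

Regions labelled `outside-known-modules` are the ones a defender would prioritise, since the post notes that code running outside any known module is easy to tell apart.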
