This works by abusing how Windows saves memory by re-using pages if they have not been modified, known as Copy on Write. To evade Copy on Write, we obtain the physical address of the pages within the code section of the signed module, and patch directly to that. When Windows loads the dll into the game, no Copy on Write violation would have taken place, thus it would load the dll with our patches
BattlEye does not verify the integrity of the modules within the game. PUBG, on its own, verifies the integrity of various system modules, but not loaded modules by the user. Because the module we are loading is signed, BattlEye will blindly accept it.
- Thread checks
- Windows function calls
- Signature Scans
For this example, just the code section is mapped within the game.
- Xerox for VDM