BattlEye Anti-Anti LoadLibrary

Posted on Oct 2, 2018

So while testing some things against a BattlEye-protected game I noticed that a recent update prevents LoadLibrary from being used even after the anti-cheat has been unloaded.

First of all I thought, maybe Mr Bastian isn't unloading the minifilter hook, or it's the PsSetLoadImageNotifyRoutine callback catching the LoadLibrary call, but that didn't really make sense.

Checking the system for any installed hooks and routines returned nothing, so how is he still blocking the LoadLibrary call even after the BEDaisy driver is unloaded and BEClient.dll is gone from the game's module list?

So let me explain what's going on here:

He is overwriting one of NTDLL's core structures used by the Windows loader:

ntdll!LdrSystemDllInitBlock

If you compare the original bytes of this structure to the ones present in any game BattlEye runs on, you will notice an inline patch.

Original:

50 00 00 00 00 00 00 00

Modified/Patched:

50 00 00 00 00 00 E7 F9

This stops any DLL that has runtime checks enabled (CRT) and/or a manifest resource from loading, producing an "Access is denied" error.

Restoring these patched bytes will fix the issue.
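As an added, detection-only example (not code from the post or from BattlEye), the following C program compares a captured copy of the leading bytes of ntdll!LdrSystemDllInitBlock against a baseline and reports which offsets differ. The two 8-byte sequences are the ones quoted above; the helper `diff_bytes`, the function names and the Windows read routine are my own. It assumes that LdrSystemDllInitBlock is resolvable by name from ntdll's export table (it is an exported data symbol) and that the baseline you compare against comes from the same Windows build, since the structure's layout and contents are build-specific. The program only reads and reports; it does not modify the structure.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Compare `len` bytes of an observed buffer against a baseline and record the
 * offsets that differ in `out` (up to `out_cap` entries; `out` may be NULL).
 * Returns the total number of mismatched bytes. */
size_t diff_bytes(const uint8_t *baseline, const uint8_t *observed, size_t len,
                  size_t *out, size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (baseline[i] != observed[i]) {
            if (out != NULL && n < out_cap)
                out[n] = i;
            n++;
        }
    }
    return n;
}

/* The two 8-byte sequences quoted in the post (constructed here from its hex
 * dump; the real structure is larger and its contents depend on the build). */
static const uint8_t kOriginal[8] = {0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
static const uint8_t kPatched[8]  = {0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0xF9};

/* Number of bytes that differ between the post's original and patched dumps. */
size_t example_mismatch_count(void)
{
    return diff_bytes(kOriginal, kPatched, sizeof kOriginal, NULL, 0);
}

#ifdef _WIN32
#include <windows.h>
/* Read the first 8 bytes of ntdll!LdrSystemDllInitBlock from this process.
 * Returns 1 on success, 0 if ntdll or the export could not be resolved. */
int read_live_block(uint8_t out[8])
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == NULL)
        return 0;
    const uint8_t *p = (const uint8_t *)GetProcAddress(ntdll, "LdrSystemDllInitBlock");
    if (p == NULL)
        return 0;
    memcpy(out, p, 8);
    return 1;
}
#endif

static void report(const char *label, const uint8_t *baseline, const uint8_t *observed)
{
    size_t offs[8];
    size_t n = diff_bytes(baseline, observed, 8, offs, 8);
    printf("%s: %zu byte(s) differ", label, n);
    for (size_t i = 0; i < n; i++)
        printf(" +0x%zx(%02X->%02X)", offs[i], baseline[offs[i]], observed[offs[i]]);
    printf("\n");
}

int main(void)
{
    /* Offline check on the post's own dumps: offsets +0x6 and +0x7 differ. */
    report("post's dump", kOriginal, kPatched);

#ifdef _WIN32
    /* Live check: compare this process against a same-build baseline.
     * kOriginal is used here only as a stand-in; capture your own baseline
     * from a clean process of the same Windows build (assumption). */
    uint8_t live[8];
    if (read_live_block(live))
        report("live LdrSystemDllInitBlock", kOriginal, live);
    else
        printf("could not resolve ntdll!LdrSystemDllInitBlock\n");
#endif
    return 0;
}
```

On non-Windows hosts only the offline comparison of the quoted dumps runs; on Windows the program additionally reads the live structure and flags any divergence from the baseline, which is the check a tamper monitor would log rather than act on.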