Bypassing newest BattlEye with Windows Kernel Explorer

**xZaroxh** · 09-17-2019

Hello,

I recently found out that you can bypass/deactivate BattlEye AntiCheat while on a protected server with a free legit tool called Windows Kernel Explorer.
Bypassing BattlEye Protection allows you to use Cheat Engine and similar programs (and probably some hacks) that inject code or change process memory in kernel mode.

Tutorial:

Step 1: Downloading Windows Kernel Explorer
Since I cannot post links on here yet, you have to
Google Windows Kernel Explorer.
Click on first link (should be ******)
Go to 'binaries' folder in repository
Download WKE64.exe for 64-Bit System or WKE32.exe for 32-Bit-System
Go to 'data' folder in repository
Download 'WindowsKernelExplorer.dat'
Move both files to new same folder on your system

Step 2: Configuring & Running WKE
Run 'WKE64.exe' or 'WKE32.exe' as admin
It will create new folder called WKE64/32
Close all WKE windows and/or browser windows that it has opened
Move 'WindowsKernelExplorer.dat' in the new created folder WKE64/32
Go to folder WKE64/32 and run 'WindowsKernelExplorer.exe' as admin
It will tell you that current windows version is unsupported and it needs to download symbols to add support
Just click on 'yes' and once finished loading 'ok'
Please note that some AVs block the program from loading its kernel driver ("Unable to load driver"), if that's the case deactivate your AV.
The program is now ready to use.

Step 3: Bypassing / Deactivating BE Protection
BattlEye uses kernel mode driver to watch Game process memory and starting/activity of (cheat-)programs

First we need to suspend the BE kernel mode driver thread.
Click button on top called Process
Right-Click on System Process with PID 4 (should be first in list)
Click on 'View Thread...'
Click on Tab 'Module' (twice if needed) to sort by Module Path
There should be something like 'C:\Program Files (x86)\Common Files\BattlEye\BEDaisy.sys' first in list.
Right-Click it and click on 'Suspend Thread'

The BattlEye Kernel Driver thread is now suspended and we need to remove some of BE's kernel callbacks.

Close the 'View Thread'-Window
Click button on top called Kernel and select Callback & Notification
Click on Tab 'Module' (twice if needed) to sort by Module Path
There should be 5 entries on top with Module Path like 'C:\Program Files (x86)\Common Files\BattlEye\BEDaisy.sys' (like above)
Select (Ctrl-Click) ONLY!!! the entries with type CreateProcess, CreateThread & LoadImage (should be 3 in total)
Right-Click on them and click 'Remove'.
There should be two entries for BE left that you should leave there, or BE will detect "Corrupted Memory"

That's it. Now BattlEye is unable to scan DayZ game memory, running and starting processes, and drivers on your system.
You can now use Cheat Engine with all CE Kernel routines (found under Settings->Extra) enabled (works only that way, usermode BE protection is still active).

Have Fun, Survivorz