Comment by himata4113

15 hours ago

You can achieve the same with usermode anticheats; once you have bare minimum obfuscations, the level of entry is roughly the same as kernel mode anticheats in terms of price. Cheats cost more than $100 a month (the rest are scams or don't put any effort into being undetected).

A DMA cheat requires a hardware change (and a second device). That is a much higher barrier than a download plus reboot.

> you can achieve the same with user mode anticheats

A user mode anti cheat is immediately defeated by a kernel mode cheat, and cheaters have already moved past this in practice.

A user mode anti cheat (on Windows) with admin privileges has pretty much full system access anyway, so presumably if you have a problem with kernel AC you also have a problem with user mode.

Lastly, cheating is an arms race. While in theory, the cheaters will always win, the only thing that actually matters is what the cheaters are doing in practice. Kernel mode is default even for free cheats you download, so the defaults have to cover that.

  • This is a common misconception: just because you're in kernel mode doesn't mean you are immediately undetected, and things are not as easy as people initially think.

    First, point of ingress: registry, file caches, DNS, vulnerable driver logs.

    Memory probe detection: workingsets, page guards, non trivial obfuscation, atoms, fibers.

    Detection: usermode exposes a lot of kernel internals: raw access to window and process handles, 'undocumented' syscalls, win32, user32, kiucd, APCs.

    Loss of functionality: no hooks, limited point of ingress, hardened obfuscation, encrypted pages, tamper protection.

    I could go on, but generally "lol go kernelmode" is sometimes way more difficult than just hiding yourself among the legitimate functionality of 3rd party applications.

    This is everything used by anticheats today, from usermode. The kernel module is more often than not used for integrity checks, VM detection and walking physical memory.

    • It's too bad we have to play this semantics game of "most vs all" every. Single. Time. On. This Damn Site.

      So let me summarize the above thread:

      Yes, there will always be workarounds for ANY level of anti-cheat. Yes, kernel-mode anti-cheat detects a higher number of cheats in practice, and that superiority seems durable going forward.

      There, I think we can all agree on those. No need to reiterate what has already been posted.
