Kernel Level Cheats and Anti-Cheat: A Gaming Arms Race
You just got home from work and want to let off some steam in your favorite online FPS. The game proudly touts its cutting-edge kernel-level anti-cheat. Nice. After logging on and playing a few matches you’re feeling great, relaxed and locked in. You load into the next match, and as soon as it starts you get taken out by a player you swear had no way of knowing where you were. Wait a minute, you think, how is this even possible?
If you’ve been there, you’re not alone. As a passionate gamer (especially in competitive titles like Call of Duty: Warzone, Fortnite, and PUBG:Battlegrounds), nothing kills the mood faster than blatant cheating. In this post, I’m breaking down the inner workings of kernel-level cheats, how anti-cheat systems try to stop them, and how the industry can start thinking more like security pros to stay ahead of the curve.
Cheating 101:
Using cheats like wallhacks, aimbots, and automated looting scripts to gain an unfair edge in games is against the rules. These tools ruin the game's core experience and honestly, they make other players lose trust in the system.
This negative experience leads to frustrated players, and for game developers, publishers and studios, it means financial losses due to:
Loss of player engagement.
Questionable Esports player integrity.
Skyrocketing support costs, due to manual reviewing of cheating reports.
And in some cases, microtransactions are bypassed entirely, eroding company revenue.
A Look At The Most Common Cheats:
ESP (Extrasensory Perception): Shows opponent locations, health, names, and more, even through walls, by reading game memory or tampering with the game's rendering data.
Aimbot: This cheat allows an automatic lock onto opponents with pixel-perfect precision. In some versions, it’s even "humanized" to make the cheating less obvious.
Cheating in games ruins the experience, rigging matches against honest players. Even sophisticated games struggle with it. For example, PUBG: Battlegrounds' "fog of war" anti-ESP feature limits what the client renders when enemies are out of line-of-sight, but this technique isn't 100% accurate and can be circumvented.
Anti-Cheat Basics: User-Mode vs. Kernel-Mode
There are two main types of anti-cheat systems:
User-mode anti-cheat runs like any other program on your computer. This makes it easy to build and integrate into games, which is great. But there is a downside. It has limited access, so it can't dig deep and monitor everything in the operating system. This makes it easier for cheaters to get around, since they can use the same tricks they use against regular software: evading it by operating at a lower level of the OS than it can see, exploiting other applications, and exploiting the window of opportunity between anti-cheat updates.
Kernel-mode anti-cheat, on the other hand, operates at the most privileged level of your operating system (ring 0). These drivers can monitor system-wide activity, scan memory, and block unauthorized processes.
Games like Valorant (with Riot's Vanguard) and Call of Duty (with RICOCHET) rely on kernel drivers. Some are persistent and start at system boot, like Vanguard; others activate only when the game launches, like RICOCHET.
Wait, what's the Kernel?
The kernel is the central component of an operating system (OS). It provides functionality such as device and memory management, access to hardware resources such as I/O devices (e.g. mouse, keyboard, gaming headset, monitor), and more. It has complete control over the entire OS, operating at the most privileged level. This means a vulnerable or malicious program running at kernel level can have severe consequences. One of the least detrimental is that the whole system crashes because the kernel driver crashed. The most serious is compromise of the entire system through exploitation of a malicious or vulnerable kernel driver. There is also mistrust of kernel anti-cheat in the gaming community because of how invasive these programs are: what else could they be doing on your computer?
Kernel Level Cheats:
Despite robust anti-cheat efforts, cheats have kept evolving. Here are some of the techniques cheat developers use to bypass detection:
Privilege Escalation: Exploiting vulnerable software or drivers to move from a normal user to administrator (admin/root), and from there to kernel-level access.
Process Injection: Injecting cheat code into legitimate processes to mask its behavior.
Memory Manipulation: Reading or writing to game memory to extract data or influence gameplay.
Bring Your Own Vulnerable Driver (BYOVD): Loading a legitimately signed driver that is benign by design but has a known vulnerability, so it isn't flagged as malicious, and then abusing that vulnerability to get cheat code into the kernel.
Direct Memory Access Attacks (DMA): Using an external PCIe device, usually driven by a second PC, to read the gaming PC's memory and draw overlays, completely invisible to the OS of the gaming PC.
Anti-Cheat Exploitation: Reverse engineering anti-cheat drivers to uncover weaknesses or develop detection-evasion strategies.
Who makes these cheats?
Cheat development is a multi-million dollar industry run by skilled cybercriminals who are essentially spreading rootkits and malware. They are already violating a game's terms of service and breaking the law by distributing malicious software to manipulate the game. Some of them have even been sued by game publishers and lost. It should be noted that the knowledge possessed by cheat devs is the same skill set leveraged by ethical hackers to protect software and systems from compromise. And that's where anti-cheat developers need to shift their mindset.
How to Win this Boss Battle:
Game developers must stop treating anti-cheat like a side feature and start approaching it as security engineering.
That means:
Understanding attacker mindset and tradecraft.
Performing threat modeling and secure architecture reviews of their games as well as the anti-cheat.
Employing application behavior-based detection, not just signature matching.
Instrumenting telemetry and anomaly detection at runtime.
Red teaming anti-cheat systems regularly.
Maintaining a secure, robust and reliable update system patching bugs in a timely and effective manner.
Utilizing a combination of hardware and operating-system security features in the game itself.
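To make the "behavior-based detection" and "runtime anomaly detection" points concrete, here is an added example (not code from the original post or from any anti-cheat vendor) of a server-side heuristic over constructed aim telemetry. It assumes the server already receives per-frame view angles (yaw, pitch) for the frames leading up to each shot, and the thresholds and sample data are made up for illustration; it flags the instant snaps and the perfectly linear "humanized" paths described earlier, rather than any signature of a particular cheat binary.

```python
import math
from dataclasses import dataclass
@dataclass
class Shot:
    player: str
    trace: list    # (yaw, pitch) view angles sampled each frame up to the shot
    target: tuple  # (yaw, pitch) of the opponent's hitbox at the firing frame

def angular_dist(a, b):
    # Yaw wraps at +/-180 degrees; pitch does not.
    dy = (a[0] - b[0] + 180.0) % 360.0 - 180.0
    return math.hypot(dy, a[1] - b[1])

def shot_features(shot):
    t = shot.trace
    steps = [angular_dist(t[i], t[i + 1]) for i in range(len(t) - 1)]
    path_len = sum(steps)
    return {
        # Share of the whole movement performed in a single frame (1.0 = instant snap).
        "snap_fraction": max(steps) / path_len if path_len else 0.0,
        # Net displacement over path length (1.0 = perfectly straight, no overshoot/jitter).
        "straightness": angular_dist(t[0], t[-1]) / path_len if path_len else 1.0,
        # Residual angular error to the target when the shot fires.
        "final_error": angular_dist(t[-1], shot.target),
    }

def is_suspicious(f):
    # Assumed thresholds: a one-frame snap onto the target, or a perfectly linear path landing exactly on it.
    if f["snap_fraction"] > 0.9 and f["final_error"] < 0.1:
        return True
    return f["straightness"] > 0.995 and f["final_error"] < 0.05

def flag_players(shots, min_shots=3, ratio=0.6):
    # Aggregate per player so one lucky flick does not trigger a flag.
    per = {}
    for s in shots:
        n, k = per.get(s.player, (0, 0))
        per[s.player] = (n + 1, k + int(is_suspicious(shot_features(s))))
    return sorted(p for p, (n, k) in per.items() if n >= min_shots and k / n >= ratio)

# Constructed sample telemetry: "alice" aims like a human (overshoot, jitter),
# "bob" shows two instant snaps (one across the yaw wrap) and one humanized path.
SAMPLE_SHOTS = [
    Shot("alice", [(10.0, 2.0), (13.2, 2.4), (16.8, 2.1), (18.9, 2.6), (18.4, 2.5)], (18.6, 2.4)),
    Shot("alice", [(0.0, 0.0), (2.5, 0.6), (4.9, 0.1), (6.2, 0.4)], (6.0, 0.2)),
    Shot("alice", [(100.0, -3.0), (96.0, -2.0), (93.5, -2.8), (94.1, -2.6)], (94.0, -2.5)),
    Shot("bob", [(10.0, 2.0), (10.1, 2.0), (41.7, -5.3)], (41.7, -5.3)),
    Shot("bob", [(10.0, 2.0), (13.0, 1.25), (16.0, 0.5), (19.0, -0.25), (22.0, -1.0)], (22.0, -1.0)),
    Shot("bob", [(178.0, 0.0), (-175.0, 1.0)], (-175.0, 1.0)),
]
```

Calling flag_players(SAMPLE_SHOTS) returns ["bob"]; in practice such scores would feed a review queue or be combined with other telemetry rather than triggering a ban on their own.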
Calling All Game Studios: It’s time to Level Up!
At Boss Level Security, we’re not just cybersecurity pros, we’re passionate gamers too. We understand how frustrating cheats are because we play the same games. Our team includes former exploit devs, reverse engineers, and enterprise & product security architects who know what it takes to stop sophisticated threats.
If you're a game developer or publisher looking to strengthen your anti-cheat, we can help you win. Contact us to take your anti-cheat straight to the boss level!