SECRET CLUB

Why anti-cheat software utilize kernel drivers


You can contact me on Twitter if you have any questions.

Disclaimer

Many of us in the secret club work as independent or full-time security consultants for many different companies, including anti-cheat companies, which implicates Riot Games. This does not mean I am affiliated with Riot Games; they have no control over what I publish and I do not work for them. I am disclosing this because I woke up to some minor harassment after someone on Reddit posted my personal LinkedIn, which explicitly states that I have participated in their bug bounty program. Participating in a bug bounty program does not make me an employee.

Vanguard

Recently, there have been numerous threads on Reddit concerning the release of Valorant’s anti-cheat, dubbed “Vanguard”. The main skepticism is the fact that it is potentially privacy-invasive, which is a completely valid concern. I am not undermining the privacy complications that follow from running third-party applications on your personal machine, but a lot of the information regarding the possibility of surveillance in user mode versus kernel mode is flawed. There were a few posters arguing against the “kernel = bad” hivemind, but the majority of gamers do not know what this means from a security perspective.

Unlike most of the people discussing the use of kernel mode in anti-cheats, I have years of experience in game-hacking (on both sides). My employer is completely unrelated to video games, and therefore I would say I am able to take an unbiased approach to most of these statements. Listening to anonymous “internet experts” is always a bad idea, but anyone with programming experience is more than welcome to tear apart my previous research publications on this website or on my GitHub.

In the following paragraphs, I’ve cherry-picked some statements that many users on Reddit were broadcasting, and I will discuss them to the best of my ability:

Point 1 (What is kernel?)

Vanguard is running on “Ring 0” (Explanation about the “rings” on-demand), the essential system-level (“kernel-mode driver”) of your computer, which means without some serious knowledge you CAN’T even stop it from running (except uninstall), as it has more power over your computer than your admin-user. You’d have to assign SYSTEM-permissions to your user which is something you just don’t do for security-reasons. And if it is not good for you to have maximum control over your computer, why should RIOT be assigned this?

Let’s start from the beginning: protection rings. This security abstraction layer is implemented to isolate system-critical data on your machine. Essentially, it is used to isolate “untrusted” applications (third-party applications) from the core parts of your machine (the kernel). What does this mean in practice? Let’s say you execute your favorite browser: boongabrowser.exe. What does this application have access to when executed as a usermode (ring 3) process? Well, if we don’t treat UAC as a security boundary (which Microsoft itself does not), then boongabrowser.exe still has access to practically anything on your machine. It is able to manipulate almost all parts of the file system, and it is able to read and manipulate the memory of any other “normal” process that you are running. So what exactly is the purpose of running your code in the kernel context (ring 0)?

The main difference between the levels of privilege is the accessibility of memory and instructions. User mode (ring 3) applications are isolated from kernel mode (ring 0) applications, because kernel mode determines how user mode behaves, and user-mode applications therefore cannot access kernel memory. In the world of computers, the closer you are to hardware, the more control you have. Thus a lower ring number (higher privilege) means greater control. This is of course grossly oversimplified, but for the context of this article, it is sufficient.
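As an added illustration of the ring 3 / ring 0 split described above (example code written for this page, not from the original post or from Riot/Vanguard), the program below reads one byte from a user-mode address and then from a constructed kernel-space address: the first read succeeds, the second traps into ring 0 and the kernel hands the process a SIGSEGV instead of the data. It assumes Linux on x86-64; the kernel address is a constructed value in the upper half of the address space, where both Linux and Windows keep the kernel.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed kernel-space address: on x86-64 the kernel occupies the upper
 * canonical half (above 0xFFFF800000000000) on Linux and Windows alike. */
#define KERNEL_ADDR ((uintptr_t)0xFFFFFFFF81000000ULL)

static sigjmp_buf fault_env;

/* The CPU refused the access, trapped into ring 0, and the kernel delivered a
 * signal instead. Jump back out; sigsetjmp(..., 1) restores the signal mask. */
static void fault_handler(int sig) {
    siglongjmp(fault_env, sig);
}

/* Try to read one byte at addr from ring 3.
 * Returns 0 if the read succeeded, otherwise the signal number the kernel
 * raised (SIGSEGV or SIGBUS) when it blocked the access. */
int probe_read(uintptr_t addr) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result = sigsetjmp(fault_env, 1);
    if (result == 0) {
        volatile unsigned char *p = (volatile unsigned char *)addr;
        unsigned char v = *p;   /* faults here for a kernel address */
        (void)v;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

static unsigned char user_byte = 0x41;   /* ordinary ring-3 memory */

int main(void) {
    printf("user-mode address %p: %s\n", (void *)&user_byte,
           probe_read((uintptr_t)&user_byte) == 0 ? "readable" : "fault");
    printf("kernel address    %p: %s\n", (void *)KERNEL_ADDR,
           probe_read(KERNEL_ADDR) == 0 ? "readable" : "fault");
    return 0;
}
```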

Why does this pose an issue in game-hacking? Well... as we all know, game-hackers go to extreme lengths to achieve their common goal: winning. This is the sad reality of the cat-and-mouse game of game-hacking, as cheaters will not abide by any rules or morals.

What does this mean in practice? Game-hackers do not care about running kernel components or even hypervisors, and this is where the conflict begins. If you make your anti-cheat solely usermode, you have no way of guaranteeing the integrity of the kernel. Game-hackers could’ve already loaded a vulnerable driver, gained kernel-level access and embedded themselves into the kernel before the game application is even loaded! There would literally be no way for a usermode program to detect cheat software like this, and we game-hackers have been abusing this fact for years.

Now that you know the separation of access, let’s go back to the quote and talk about it with your newly-learned knowledge in mind:

Vanguard is running on “Ring 0” (Explanation about the “rings” on-demand), the essential system-level (“kernel-mode driver”) of your computer, which means without some serious knowledge you CAN’T even stop it from running (except uninstall) as it has more power over your computer than your admin-user.

Most kernel-mode drivers can be unloaded just fine; the reason Vanguard is especially hard to unload is explained in “Point 2”.

You’d have to assign SYSTEM-permissions to your user which is something you just don’t do for security-reasons.

This is wrong. The SYSTEM user on Windows also runs in usermode, and is merely a different session with few limitations, used to schedule services more easily. This is not a security measure, and stating that you need SYSTEM permissions on your user to unload a kernel-mode driver is wrong. Unloading a kernel driver is as easy as stopping the service registered for it, which you can do with the command sc stop <driver>. This of course relies on the driver having registered an unload routine in the kernel.

If it is not good for you to have maximum control over your computer, why should RIOT be assigned this?

Kernel anti-cheats need this kind of permission for multiple things:

This is exactly the same reason why every single anti-virus application in existence utilizes kernel components. Almost all commercial anti-cheat solutions, including BattlEye and Easy Anti-Cheat, utilize kernel components to ensure the integrity of the user experience, but they do not receive the same backlash as Vanguard.

Point 2 (Why load on boot?)

It is always running. It starts when you boot up your computer and never stops. It starts on the same permission-level as your anti-virus program, which is one of the very few applications that I’d grant this unlimited power over my computer.

There is a very good reason for launching applications that need to ensure system integrity at boot time.

Let’s say you receive a package in the mail. How do you know no one has tampered with it during transit? You don’t. How would you theoretically prevent this? You would monitor the contents of the package from the moment it is produced until it reaches its destination.

The sad reality is that integrity checks are way harder than most people think. Most of the time the application in question has no idea what the contents of the package are meant to be, so it has to make educated guesses about what they definitely should not be, and that approach can always be bypassed. I’ve released numerous articles on this subject, including write-ups of some of the most widespread commercial anti-cheats, and I can confidently say that this is a reliable way to properly ensure integrity checks.

I know that this goes against the current opinion that having a driver load on boot is bad, but if you want to prevent widespread hacking, this is exactly how you do it.

Point 3 (Scanning external hardware)

Valorant does scan your external devices because streamers have been kicked for plugging in their phones.

This is most likely a bug in Vanguard’s scanning of serial port usage, and is not worth further discussion. Vanguard is not trying to access your secret Snapchat pictures, but it most likely monitors hardware ports for suspected DMA (Direct Memory Access) devices, since projects such as PCIe Screamer are used to access the game’s memory directly from external hardware.

Point 4 (What if Vanguard is hacked?)

But even with RIOT’s most noble intentions: No system is un-hackable. With easily 1 Million installs until the end of this year, hacking RIOT’s Vanguard-Control Servers would basically grant hackers full access to a 1-Million Client large bot-net. Not even speaking about all the data they’d gather. Remember: Maximum access. This means it could go into your Google Chrome and ask it for all your saved passwords. Or just sit there quietly, reading them out while you type them. Including your online-banking, etc. Sure, this could happen to any anti-virus company. But every program on that permission-level raises the risk. And this raise is rather unnecessary.

All third-party software is exposed to supply-chain attacks like this. Let’s go over this one statement at a time:

Remember: Maximum access. This means it could go into your Google Chrome and ask it for all your saved passwords. Or just sit there quietly, reading them out while you type them. Including your online-banking, etc.

You do not need a boot-loading kernel driver to dump Google Chrome passwords, grab banking details or log your keystrokes, so this could be said about any usermode application you install on your computer. There’s a good reason why almost all spyware runs solely in usermode: it simply is not necessary to be in the kernel for any of this surveillance.

Sure, this could happen to any anti-virus company. But every program on that permission-level raises the risk. And this raise is rather unnecessary.

Right, it is also possible that someone hacks Microsoft, or literally any other company that runs code on your computer. This is very odd criticism and hard to refute, as it is solely hypothetical. The last sentence does bother me, though. As I’ve demonstrated in this article, this raise is definitely not uncalled for.

Conclusion

I hope this clears up some of the confusion regarding the technical aspects of kernel anti-cheats. This of course does not dismiss the privacy concerns around any third-party application you install on your machine, but I hope it sheds some light on the reasoning behind the current design of the anti-cheat.