Hacker News

A DMA cheat requires a hardware change (and a second device). That is a much higher barrier than a download plus reboot.

> you can achieve the same with user mode anticheats

A user mode anti cheat is immediately defeated by a kernel mode cheat, and cheaters have already moved past this in practice.

A user mode anti cheat (on Windows) with admin privileges has pretty much full system access anyway, so presumably if you have a problem with kernel AC you also have a problem with user mode.

Lastly, cheating is an arms race. While in theory, the cheaters will always win, the only thing that actually matters is what the cheaters are doing in practice. Kernel mode is default even for free cheats you download, so the defaults have to cover that.



This is a common misconception: just because you're in kernel mode doesn't mean you are immediately undetected, and things are not as easy as people initially think.

First, point of ingress: registry, file caches, dns, vulnerable driver logs.

Memory probe detection: workingsets, page guards, non trivial obfuscation, atoms, fibers.

Detection: usermode exposes a lot of kernel internals: raw access to window and process handles, 'undocumented' syscalls, win32, user32, kiucd, apcs.

Loss of functionality: no hooks, limited point of ingress, hardened obfuscation, encrypted pages, tamper protection.

I could go on, but generally "lol go kernelmode" is sometimes way more difficult than just hiding yourself among the legitimate functionality of 3rd party applications.

This is everything used by anticheats today, from usermode. The kernel module is more often than not used for integrity checks, vm detection and walking physical memory.


It's too bad we have to play this semantics game of "most vs all" every. Single. Time. On. This Damn Site.

So let me summarize the above thread:

Yes, there will always be workarounds for ANY level of anti-cheat. Yes, kernel-mode anti-cheat detects a higher number of cheats in practice, and that superiority seems durable going forward.

There, I think we can all agree on those. No need to reiterate what has already been posted.


I think it misses the fact that kernel anticheats generally do not reduce overall cheating compared to a good user-mode anticheat + good obfuscation and binary protection + strong report system and behavior analysis. If you add a kernel-mode anticheat to that I'd estimate that it helps only around 5% more while being way more invasive and causing widespread issues (as the original blog describes).

Source: observation of games implying stronger anti-cheat measures over time and customer count staying exactly the same or growing. League of Legends is a prime example, although it did create a crater for a while. This all comes from people who actively sell cheats.


I’m sorry but what’s your source for this? This is a fairly wild claim.


Sorry, what's wild about it? It's a pretty standard observation that defense in depth beats "here's a silver bullet to solve X". Is there something about gaming (or preventing cheating in gaming) that makes that not true?


What makes you think that I think kernel AC is a silver bullet? I’ve said in pretty much every comment here that cheating is an arms race and there’s no silver bullet.

Taking the defence in depth argument - kernel AC is another layer that helps and makes it more difficult for the cheaters. But some defences are more crucial than others - you don’t use MD5 anymore for security because it’s just broken. IMO, the same can be said about user mode anti cheat.


Huh, couldn't reply for a while.

Anyway: I already edited with the source.


There’s a cooldown on replies!

An anecdote of one game isn’t proof that they don’t help - you’re not comparing it against a game that kept user mode AC to see what the impact was there. The fact that vanguard “cratered” the cheats for a while shows it’s effective, right? The actual goal isn’t 0 cheats (that’s impossible), it’s keep pushing back the cheaters.


At the end of the day it was temporary, and cheating is now stealthier and better; it pushed the global community to innovate, causing problems for other games that now have to deal with highly sophisticated cheats.

Replies were only limited for this thread; I could reply to everything else /shrug


I'm kind of lazy, but I did click around a bit through the thread to try to find your source. I couldn't find it. Can you copy-paste the relevant data here? (I.E. where you get this "5%" figure, even if it's just estimated)


Observation of games implying stronger anti-cheat measures over time and customer count staying exactly the same or growing. League of Legends is a prime example, although it did create a crater for a while. This all comes from people who actively sell cheats.

Nothing I can give solid foundations for, so you'll just have to take my word for it.


Based on those observations, I'm not convinced of your conclusions. There are a lot of unaccounted-for variables (such as game popularity, prize pools, government efficacy in cracking down on black markets, etc.). If someone does this same analysis, accounts for those other variables in some way, and includes a lot more than one game in the dataset, I might be convinced that there is some evidence that kernel-mode anti-cheat isn't effective, but then we need to establish that it isn't simply a deficiency in the implementations...

