Black Hat USA 2025 | Watching the Watchers: Exploring and Testing Defenses of Anti-Cheat Systems
Introduction to the Anti-Cheat Ecosystem
- The World of Game Cheats: The speakers explore the fast-paced, high-stakes battleground between cheat developers (attackers) and anti-cheat systems (defenders) in modern competitive shooter games [00:22].
- The Cheat Economy: Cheating is a massive industry. Cheats are often sold via subscription models by well-run, sometimes legally registered companies, with some cheats costing upwards of $200 a month [05:10]. Because it is so lucrative, the attack-defense cycle is incredibly rapid.
- The Shift to the Kernel: Historically, cheats operated in user mode. As anti-cheats adapted, the battleground shifted, with both cheats and anti-cheats now operating at the highly privileged Windows kernel level [07:43].
Fascinating Anti-Cheat Defenses
The researchers found that anti-cheat systems deploy incredibly complex and advanced defense mechanisms, often outpacing traditional cybersecurity tools:
- Mitigating Vulnerable Drivers (BYOVD): Attackers often use the “Bring Your Own Vulnerable Driver” technique to sneak malicious code into the kernel. The researchers found that anti-cheats flag and block these vulnerable drivers months—or even years—before traditional Endpoint Detection and Response (EDR) or antivirus software catches on [13:58].
- Catching Malicious Execution: Systems like Valorant’s Vanguard intercept Windows page fault handlers. They place “No-Execute” nets on suspect memory pools and briefly bypass Windows PatchGuard to catch and analyze any malicious code trying to run [20:19].
- Software Diversification: To stop cheats that rely on specific memory offsets, some anti-cheats (like Rainbow Six Siege’s QB system) force different groups of players to download entirely different builds of the game. This scrambles the offsets, encryption keys, and obfuscation, forcing cheat developers to create and maintain multiple unique cheats [24:26].
- Combating Rogue Hardware: Attackers sometimes use physical Direct Memory Access (DMA) cards to bypass the kernel entirely. Anti-cheats combat this by interrogating the hardware. If a malicious DMA card tries to disguise itself as a standard network adapter, the anti-cheat will actually try to send network data through it. If it fails to act like a real network card, it gets disabled [29:40].
- Hiding Memory: Vanguard acts as an “invisibility cloak” for memory by intercepting context switches. It shifts the game to a secret, cloned address space to hide critical variables (like enemy locations) from any process trying to snoop on the game’s memory [32:18].
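To make the Software Diversification point concrete, here is an added illustration (not code from the talk, and not any vendor's implementation) of why per-cohort builds break offset-dependent tooling. It assumes a hypothetical scheme in which a build secret seeds a base field permutation of a player record and each cohort receives a rotation of that permutation; the real systems described above also vary encryption keys and obfuscation, which this model does not attempt to reproduce. The record fields, sample values and build secret are all constructed for the example.

```python
import hashlib
import random
import struct

# Constructed example: one record of per-player game state. Every field is
# 4 bytes, so a field's offset is 4 * its position in the cohort's layout.
PLAYER_FIELDS = [
    ("health", "i"),
    ("team", "i"),
    ("pos_x", "f"),
    ("pos_y", "f"),
    ("pos_z", "f"),
    ("visible", "i"),
]

# Constructed sample values for one player. All distinct, so a read through
# the wrong offset never happens to return the right value by coincidence.
SAMPLE_PLAYER = {"health": 100, "team": 2, "pos_x": 12.5,
                 "pos_y": -3.0, "pos_z": 7.25, "visible": 1}


def cohort_layout(build_secret: bytes, cohort_id: int):
    """Field order shipped to one build cohort (hypothetical scheme).

    A base permutation is derived from the build secret, then rotated by the
    cohort id, so any len(PLAYER_FIELDS) consecutive cohorts place every
    field at a different offset from one another.
    """
    seed = int.from_bytes(hashlib.sha256(build_secret).digest()[:8], "little")
    base = list(PLAYER_FIELDS)
    random.Random(seed).shuffle(base)
    k = cohort_id % len(base)
    return base[k:] + base[:k]


def offsets_for(layout):
    """Map field name -> byte offset for a given field order."""
    offsets, off = {}, 0
    for name, fmt in layout:
        offsets[name] = off
        off += struct.calcsize(fmt)
    return offsets


def serialize(layout, values):
    """Pack a player record in the given layout (little-endian, no padding)."""
    return b"".join(struct.pack("<" + fmt, values[name]) for name, fmt in layout)


def read_field(blob, layout, name):
    """Read a field the way the game build itself does: via its own layout."""
    fmt = dict(layout)[name]
    return struct.unpack_from("<" + fmt, blob, offsets_for(layout)[name])[0]


def hardcoded_read(blob, offset, fmt):
    """Read the way an offset-dependent external tool does: fixed offset and type."""
    return struct.unpack_from("<" + fmt, blob, offset)[0]


def hardcoded_offset_still_valid(build_secret, learned_on, applied_to, name,
                                 values=SAMPLE_PLAYER):
    """True if an offset learned from cohort `learned_on` still yields the right
    value when applied to a record produced by cohort `applied_to`."""
    fmt = dict(PLAYER_FIELDS)[name]
    learned = offsets_for(cohort_layout(build_secret, learned_on))[name]
    blob = serialize(cohort_layout(build_secret, applied_to), values)
    return hardcoded_read(blob, learned, fmt) == values[name]


if __name__ == "__main__":
    secret = b"constructed-build-secret"  # placeholder, not a real key
    for cohort in range(3):
        layout = cohort_layout(secret, cohort)
        print(f"cohort {cohort}: pos_x at offset {offsets_for(layout)['pos_x']}, "
              f"offset learned on cohort 0 still valid: "
              f"{hardcoded_offset_still_valid(secret, 0, cohort, 'pos_x')}")
```

The game build always reads correctly because it carries its own layout, while a tool that learned an offset on one cohort returns garbage on every other cohort in the rotation window; the number of distinct layouts an operator must track grows with the number of cohorts, which is the maintenance cost the talk describes.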
Impact and The Future
- Are they effective?: Yes. Data shows that games with strong, highly intrusive kernel-level anti-cheats (like Valorant) successfully reduce the uptime of cheats to around 50% and force the market price of cheats to skyrocket [35:17].
- The Next Battleground: While the current war is being waged in the Windows kernel, the speakers predict that both cheats and anti-cheats will inevitably escalate into the hypervisor level next [37:37].
- Final Takeaway: Your computer is arguably never as secure from malware as it is when you are running a game with a strong anti-cheat active, and traditional software developers can learn a lot from the video game industry’s security practices [39:49].