{"id":323,"date":"2026-03-03T05:52:16","date_gmt":"2026-03-03T05:52:16","guid":{"rendered":"https:\/\/haco.club\/?p=323"},"modified":"2026-03-03T05:52:16","modified_gmt":"2026-03-03T05:52:16","slug":"black-hat-usa-2025-watching-the-watchers-exploring-and-testing-defenses-of-anti-cheat-systems","status":"publish","type":"post","link":"https:\/\/haco.club\/?p=323","title":{"rendered":"Black Hat USA 2025 | Watching the Watchers: Exploring and Testing Defenses of Anti-Cheat Systems"},"content":{"rendered":"\n<p><a href=\"https:\/\/www.youtube.com\/watch?v=lAW2mAl96KI\" target=\"_blank\" rel=\"noreferrer noopener\">Black Hat USA 2025 | Watching the Watchers: Exploring and Testing Defenses of Anti-Cheat Systems<\/a><\/p>\n\n\n\n<p><strong>Introduction to the Anti-Cheat Ecosystem<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>The World of Game Cheats:<\/strong> The speakers explore the fast-paced, high-stakes battleground between cheat developers (attackers) and anti-cheat systems (defenders) in modern competitive shooter games [<a href=\"http:\/\/www.youtube.com\/watch?v=lAW2mAl96KI&amp;t=22\" target=\"_blank\" rel=\"noreferrer noopener\">00:22<\/a>].<\/li>\n\n\n\n<li><strong>The Cheat Economy:<\/strong> Cheating is a massive industry. Cheats are often sold via subscription models by well-run, sometimes legally registered companies, with some cheats costing upwards of $200 a month [<a href=\"http:\/\/www.youtube.com\/watch?v=lAW2mAl96KI&amp;t=310\" target=\"_blank\" rel=\"noreferrer noopener\">05:10<\/a>]. Because it is so lucrative, the attack-defense cycle is incredibly rapid.<\/li>\n\n\n\n<li><strong>The Shift to the Kernel:<\/strong> Historically, cheats operated in user mode. 
As anti-cheats adapted, the battleground shifted, with both cheats and anti-cheats now operating at the highly privileged Windows kernel level [<a href=\"http:\/\/www.youtube.com\/watch?v=lAW2mAl96KI&amp;t=463\" target=\"_blank\" rel=\"noreferrer noopener\">07:43<\/a>].<\/li>\n<\/ul>\n\n\n\n<p><strong>Fascinating Anti-Cheat Defenses<\/strong><\/p>\n\n\n\n<p>The researchers found that anti-cheat systems deploy incredibly complex and advanced defense mechanisms, often outpacing traditional cybersecurity tools:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Mitigating Vulnerable Drivers (BYOVD):<\/strong> Attackers often use the &#8220;Bring Your Own Vulnerable Driver&#8221; technique to sneak malicious code into the kernel. The researchers found that anti-cheats flag and block these vulnerable drivers months\u2014or even years\u2014before traditional Endpoint Detection and Response (EDR) or antivirus software catches on [<a href=\"http:\/\/www.youtube.com\/watch?v=lAW2mAl96KI&amp;t=838\" target=\"_blank\" rel=\"noreferrer noopener\">13:58<\/a>].<\/li>\n\n\n\n<li><strong>Catching Malicious Execution:<\/strong> Systems like Valorant&#8217;s Vanguard intercept Windows page fault handlers. They place &#8220;No-Execute&#8221; nets on suspect memory pools and briefly bypass Windows PatchGuard to catch and analyze any malicious code trying to run [<a href=\"http:\/\/www.youtube.com\/watch?v=lAW2mAl96KI&amp;t=1219\" target=\"_blank\" rel=\"noreferrer noopener\">20:19<\/a>].<\/li>\n\n\n\n<li><strong>Software Diversification:<\/strong> To stop cheats that rely on specific memory offsets, some anti-cheats (like Rainbow Six Siege&#8217;s QB system) force different groups of players to download entirely different builds of the game. 
This scrambles the offsets, encryption keys, and obfuscation, forcing cheat developers to create and maintain multiple unique cheats [<a href=\"http:\/\/www.youtube.com\/watch?v=lAW2mAl96KI&amp;t=1466\" target=\"_blank\" rel=\"noreferrer noopener\">24:26<\/a>].<\/li>\n\n\n\n<li><strong>Combating Rogue Hardware:<\/strong> Attackers sometimes use physical Direct Memory Access (DMA) cards to bypass the kernel entirely. Anti-cheats combat this by interrogating the hardware. If a malicious DMA card tries to disguise itself as a standard network adapter, the anti-cheat will actually try to send network data through it. If it fails to act like a real network card, it gets disabled [<a href=\"http:\/\/www.youtube.com\/watch?v=lAW2mAl96KI&amp;t=1780\" target=\"_blank\" rel=\"noreferrer noopener\">29:40<\/a>].<\/li>\n\n\n\n<li><strong>Hiding Memory:<\/strong> Vanguard acts as an &#8220;invisibility cloak&#8221; for memory by intercepting context switches. It shifts the game to a secret, cloned address space to hide critical variables (like enemy locations) from any process trying to snoop on the game&#8217;s memory [<a href=\"http:\/\/www.youtube.com\/watch?v=lAW2mAl96KI&amp;t=1938\" target=\"_blank\" rel=\"noreferrer noopener\">32:18<\/a>].<\/li>\n<\/ul>\n\n\n\n<p><strong>Impact and The Future<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Are they effective?:<\/strong> Yes. 
Data shows that games with strong, highly intrusive kernel-level anti-cheats (like Valorant) successfully reduce the uptime of cheats to around 50% and force the market price of cheats to skyrocket [<a href=\"http:\/\/www.youtube.com\/watch?v=lAW2mAl96KI&amp;t=2117\" target=\"_blank\" rel=\"noreferrer noopener\">35:17<\/a>].<\/li>\n\n\n\n<li><strong>The Next Battleground:<\/strong> While the current war is being waged in the Windows kernel, the speakers predict that both cheats and anti-cheats will inevitably escalate into the hypervisor level next [<a href=\"http:\/\/www.youtube.com\/watch?v=lAW2mAl96KI&amp;t=2257\" target=\"_blank\" rel=\"noreferrer noopener\">37:37<\/a>].<\/li>\n\n\n\n<li><strong>Final Takeaway:<\/strong> Your computer is arguably never as secure from malware as it is when you are running a game with a strong anti-cheat active, and traditional software developers can learn a lot from the video game industry&#8217;s security practices [<a href=\"http:\/\/www.youtube.com\/watch?v=lAW2mAl96KI&amp;t=2389\" target=\"_blank\" rel=\"noreferrer noopener\">39:49<\/a>].<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Black Hat USA 2025 | Watching the Watchers: Exploring and 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[54,5],"class_list":["post-323","post","type-post","status-publish","format-standard","hentry","category-black-hat","tag-anti-cheat","tag-security"],"_links":{"self":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/323","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=323"}],"version-history":[{"count":1,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/323\/revisions"}],"predecessor-version":[{"id":324,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/323\/revisions\/324"}],"wp:attachment":[{"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=323"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=323"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=323"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}