| I'm going to point out that if you want to go down this route, it is still insufficient to just check that the base drivers are untampered with and signed by Microsoft or whatever vendor. You now maintain a list of potentially vulnerable drivers that can be used as a jumping-off point (such as virtually every motherboard RGB or fan control system), and ban users that have these or hard-disable them at boot. There are some games that have caused machines to overheat by disabling cheat-jumpoffable fan controllers. On top of that, you effectively have to maintain a whitelist of acceptable drivers, because cheat vendors are registering limited companies by the thousands (only $20 in the UK), getting an EV/code-signing cert, and signing their own drivers. Higher-end cheats cost enough to offset this, and there might be fewer than 5-6 people using a particular certificate. Some of the people behind these also release vaguely useful legal tools signed with the same certificates to get a large install base for them so they don't stick out. That being said, IMO as a player, this is invasive as hell, and you should not be crawling through my flash drives, identifying my mouse, killing LogitechMacroSoftware.exe, etc. I'd rather you just collect snap/targeting/click timings server-side and run anomaly analysis on those rather than digging an asshole into my computer. Also, now I have 5 different "kernel anticheats" running 24/7 simultaneously; half of them are horrifically written and known-insecure, and the other half need to figure out how to not explode spectacularly when the broken half tries to probe and kill them. Korean MMOs are particularly bad for this, and when forcefully uninstalled might permanently destroy disk access, make Windows non-genuine and deactivate it, and send all their data over plaintext (no TLS), with a bizarre, homegrown "encryption" method that is trivially breakable, to a bare IP somewhere.
With KMMOs as an example (many of these reward you for staying logged in, have daily rewards, and similar; the game itself is fairly low-resource when minimised), GameGuard and HackShield and XIGNCODE constantly have slap-fights where they bluescreen or flop over or die if you try to run several of them simultaneously, as they try probing and killing each other's services for tampering with themselves. It's like that ridiculous "what happens if three programs all try to demand Always On Top for their window", except give all of them heavy weaponry. These also have severe NIH syndrome for things like homemade shitty crypto and plaintext everything. |
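The point the post above makes, that a valid signature alone says nothing about whether a loaded driver is safe, is easiest to see as policy logic. The following is an added example and not code from the poster or from any anti-cheat product; the hashes, thumbprints and inventory are constructed placeholders, and a driver signed by an unvetted signer is deliberately routed to manual review rather than allowed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LoadedDriver:
    path: str
    sha256: str                      # hash of the on-disk driver image
    signer_thumbprint: Optional[str]  # None when the image carries no signature
    signer_subject: Optional[str]


# Constructed policy data: placeholders only, not real driver hashes or certificates.
VULNERABLE_DRIVER_HASHES = {
    "sha256:PLACEHOLDER-rgb-controller-driver",
    "sha256:PLACEHOLDER-fan-controller-driver",
}
TRUSTED_SIGNER_THUMBPRINTS = {
    "thumb:PLACEHOLDER-os-vendor-whql",
    "thumb:PLACEHOLDER-gpu-vendor",
}


def classify_driver(drv: LoadedDriver) -> Tuple[str, str]:
    """Return (verdict, reason) for one loaded driver.

    Order matters: a known-vulnerable driver is blocked even when its signature
    is perfectly valid, because the risk comes from the driver's legitimate
    functionality, not from a forged signature."""
    if drv.sha256 in VULNERABLE_DRIVER_HASHES:
        return "block", "known vulnerable driver (hash blocklist)"
    if drv.signer_thumbprint is None:
        return "block", "unsigned kernel image"
    if drv.signer_thumbprint in TRUSTED_SIGNER_THUMBPRINTS:
        return "allow", "signer on allowlist"
    # Validly signed, but by a signer nobody has vetted: the freshly registered
    # company with its own code-signing certificate lands here, not in "allow".
    return "review", f"valid signature from unvetted signer {drv.signer_subject!r}"


def evaluate_inventory(drivers: List[LoadedDriver]) -> Dict[str, Tuple[str, str]]:
    """Map each driver path to its verdict so the caller can act per driver."""
    return {d.path: classify_driver(d) for d in drivers}


# Constructed sample inventory covering all four branches.
SAMPLE_INVENTORY = [
    LoadedDriver("gpu.sys", "sha256:PLACEHOLDER-gpu", "thumb:PLACEHOLDER-gpu-vendor", "GPU Vendor Ltd"),
    LoadedDriver("rgbctl.sys", "sha256:PLACEHOLDER-rgb-controller-driver", "thumb:PLACEHOLDER-board-vendor", "Board Vendor"),
    LoadedDriver("newco.sys", "sha256:PLACEHOLDER-newco", "thumb:PLACEHOLDER-newco", "NewCo Tools Ltd"),
    LoadedDriver("nosig.sys", "sha256:PLACEHOLDER-nosig", None, None),
]
```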
While other anti-cheats maintain whitelists or blacklists of vulnerable drivers, I’ve chosen a different route that doesn’t have the same pitfalls you suggest. Our anti-cheat also doesn’t run 24/7, only when the game is running.