by xyst 1892 days ago
This is why I have a separate machine for "gaming" and "work"

Some game companies (Riot Games) even install their anti-cheat software so that it loads in the ring 0 space. Even with their best efforts, cheaters will still prosper.

Might even go a step further and firewall my gaming machine off from the rest of my network.


No, anti-cheats in ring0 haven't eliminated cheaters, but that was never the point. The point is to make it more difficult to cheat. And they have succeeded in that. Check any cheat forum like unknowncheats. You'll see that most hackers now have to chain multiple (complex) exploits together to get their cheats working, only to get it patched by the anti-cheats a few days/weeks later. This is way more difficult and prone to detection than ReadProcessMemory was before anti-cheats went ring0.
Surely the end state is cheats that even ring0 can't see i.e. read the display directly, act through the mouse.

Maybe we should run the entire OS in the game's hypervisor?

I was actually thinking that you should be able to build a bot for MMOs and other kind of games that require farming with a raspberry pi or arduino acting like a mouse with a camera for image recognition. Don't know how feasible that is, but that would be undetectable by anti-cheat software.
Not really, some anti-cheat analysis is server-side and designed to catch people acting bot-like.
Yep. Not to mention that MMO game bots aim at automated resource farming, and the owner still needs to somehow sell it.

Some of the MMO games I've played used this gold transfer "graph" analysis that worked pretty well with really low False Positive Rate.

Yeah, even if someone made a physical robot that did everything, they'd notice when it did stuff like playing for 1,000 hours without ever taking a break or talking to anyone.
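An added example (not from the thread) of the server-side checks described above: a graph pass over a constructed gold-transfer log that flags accounts collecting one-way transfers from many otherwise-silent feeder accounts, plus a check for implausibly long unbroken sessions. Account names, amounts and thresholds are all constructed.

```python
"""Server-side bot-pattern checks over a constructed in-game economy log."""
from collections import defaultdict

# Constructed transfer log: (sender, receiver, gold). Farm accounts f1..f4
# funnel everything to 'mule'; alice/bob/carol trade back and forth normally.
TRANSFERS = [
    ("f1", "mule", 50000), ("f2", "mule", 48000), ("f3", "mule", 51000),
    ("f4", "mule", 47000), ("alice", "bob", 200), ("bob", "alice", 150),
    ("carol", "bob", 75), ("bob", "carol", 300), ("alice", "mule", 100),
]

# Constructed session log: (account, login_hour, logout_hour), hours since epoch.
SESSIONS = [("f1", 0, 168), ("alice", 0, 3), ("alice", 20, 22)]


def collector_accounts(transfers, min_feeders=3, one_way_ratio=0.9):
    """Return {receiver: [feeders]} for receivers fed by >= min_feeders senders
    whose outgoing gold goes almost entirely to that receiver and who never
    receive anything themselves (the one-way 'funnel' shape of farm -> mule)."""
    sent_to = defaultdict(lambda: defaultdict(int))  # sender -> receiver -> gold
    received = defaultdict(int)                       # account -> gold received
    for src, dst, gold in transfers:
        sent_to[src][dst] += gold
        received[dst] += gold
    flagged = {}
    for dst in list(received):
        feeders = []
        for src, outs in sent_to.items():
            share = outs.get(dst, 0) / sum(outs.values())
            # .get() avoids inserting new keys into the defaultdict mid-loop
            if share >= one_way_ratio and received.get(src, 0) == 0:
                feeders.append(src)
        if len(feeders) >= min_feeders:
            flagged[dst] = sorted(feeders)
    return flagged


def marathon_sessions(sessions, max_hours=20):
    """Return accounts with a single unbroken session longer than max_hours."""
    return sorted({acct for acct, start, end in sessions if end - start > max_hours})


if __name__ == "__main__":
    print("collectors:", collector_accounts(TRANSFERS))   # {'mule': ['f1', 'f2', 'f3', 'f4']}
    print("marathon sessions:", marathon_sessions(SESSIONS))  # ['f1']
```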
Bots have long been designed to account for these types of checks by having scheduled hours and jittered breaks. Private messages and name mentions can alert the bot owner so they can respond manually. I've even seen bots that will pipe private messages to an IRC channel so that any number of restricted people can respond to the messages. It's been a long time since I've worked with game bots so I'm sure they're even more advanced now.
Just have your bot log off and "sleep" randomly for 4-10 hours every night, and log off for 15 minutes every few hours during the day. If you ever get a private message, have your system play a beep (or ping you on IRC then/Discord nowadays).

As for not talking to anyone, a surprising amount of people play MMOs just like that, so it's not really atypical for a player to never communicate. Runescape even has an account choice, "Ironman Mode", where you have to play the game self-sufficiently, and can't trade with or rely on any other players. You can still chat with other players if you want, but you don't have to.

With MMOs you can actually reverse engineer the network protocol and build yourself a custom client. Completely avoids any anti-cheating solution since they're not even running.

With mobile games it's ridiculously easy. I actually made daily task farming bots for a couple mobile games I used to play. The hardest part was getting the bot to log into the game. Completely neutralized the habit-forming strategies of these game companies. Ironically the bot was statistically indistinguishable from any sufficiently-addicted player.

Example for Valorant and a Raspberry Pi: https://www.youtube.com/watch?v=d1jz8qbzfIk

No need for a camera when you can just stream the screen.

A lot of cheats involve reading in memory game state to see through walls, which your screen grabber won't be able to do.
You can use DMA to read memory in an undetectable way.
It seems that a lot of people forgot about things like sony installing rootkits on peoples' PCs. Now it's accepted for gaming anti cheat software?
In my mind there's a huge difference between the 2. The sony rootkit was installed in secret, full of security holes, hard to remove, and made by a vendor that appeared to give 0 shits about said security holes.

All of the anti-cheat solutions I've seen that run in kernel mode are none of those things. They make it well known that they're installing, are made by vendors that actively care about the security of their products, and are trivially easy to remove once they're no longer needed.

Genshin Impact is a recent game that has included a kernel mode anti-cheat. I would be very surprised if the majority of players know that it exists, or understand what it means to have it run in kernel mode.

The Genshin website previously allowed anyone to view the phone number you have linked to your account via the password reset mechanism. Due to common reports of accounts getting stolen (and unable to be recovered), two factor auth has been highly requested, but doesn't seem to be a priority. I'm skeptical that they strongly care about the security of their users.

Even if Genshin's anti-cheat is completely secure, as kernel anti-cheat becomes more common it's inevitable that we will get an instance that is full of security holes. Unfortunately, as long as the user can't play their favorite game without it, they will happily install it.

Even if the security is bad does it even matter? User mode is enough for malware. "Sure an attacker could mine crypto, DoS people, use me as a proxy, keylog me, use my webcam, steal my saved usernames and passwords, but at least they can't upgrade my graphics drivers", said no one ever.
Oh, there's a lot more "fun" stuff you can do in kernel mode. One comedic example is setting the CPU Vcore offset to +2.2V for fun/revenge. I don't know if it will destroy CPUs permanently, but it would be an interesting experiment.

More importantly though, once you're in the kernel, it's much easier to hide your presence from all manner of Windows sysadmin tools.

Genshin Impact's anti-cheat is not completely secure: you can use it to read/write umode memory / read kmode memory with kernel privileges: https://github.com/ScHaTTeNLiLiE/libmhyprot

Mirror repo after the original author took the repo down, but still exploitable AFAIK.

Explanation of the exploit here:

https://github.com/Luohuayu/evil-mhyprot-cli

Not as bad as capcom.sys:

https://mobile.twitter.com/TheWack0lian/status/7793978407622...

The effect is the same though: ring 0 code execution.

I’m an anti cheat dev and I think client-side anti cheats make no sense on a typical MMO. Pretty much all cheats for those types of games can be detected server-side. RuneScape is a great example of this.
Hopefully, Microsoft is going to follow in Apple's footsteps and close the access to the kernel for any and all programs. Yes, we will lose a lot, since Apple right now cannot cover all use cases of kernel access through new APIs, but we will gain so much in security and reliability.

I'm of the opinion that easy kernel access for all apps and games is ultimately not putting me in control of my computer.

Access to kernel mode on Windows is already pretty restricted as it is. As far as I understand, you either have to run your whole machine in a special "Test Mode" or have a specific kind of (expensive) code signing certificate.

But beyond that, I don't see how "more restriction" == "more control for the user"

Are you talking about driver signing?
They already kind of did, I only install PC games via the Windows store.
> ...make it well known that they're installing...

Many vendors originally hid the fact until they started receiving community backlash about it. For example, Riot with Vanguard originally hid*[0] that it was running 24/7, and also hid the fact that it blocked drivers, until people noticed and complained about it. Many games, PUBG Lite and Genshin Impact in recent memory, also do not reveal this to the user.

[0]: https://gameriv.com/vanguard-adds-a-system-tray-icon-to-give... *: I'm aware there was a blog post about it, but blog post about it != clear, upfront warning on install about behavior

> ...made by vendors that actively care about the security of their products...

Here's some fun, all involving anti-cheats:

- Using xhunter1.sys (XIGNCODE3) for an LPE: https://x86.re/blog/xigncode3-xhunter1.sys-lpe/ (still used in some MMOs!)

- Using capcom.sys (rootkit shipped with Street Fighter V) to write a rootkit: https://www.fuzzysecurity.com/tutorials/28.html

- Using mhyprot2.sys (from Genshin Impact) to read/write umode memory / read kmode memory with kernel privileges: https://github.com/ScHaTTeNLiLiE/libmhyprot (still exploitable, AFAIK!)

- Using BEDaisy.sys (BattlEye - shipped in Rainbow Six: Siege, Fortnite, etc) for handle elevation: https://back.engineering/21/08/2020/

In addition, you still need to trust the vendor (duh!). Some of them are essentially RATs, like BattlEye - it loads shellcode from the server that runs in BEService as NT/SYSTEM, and they can target code pushes by IP/ingame ID/etc. Reverse engineering the anti-cheat itself is not enough to trust it; it can change its behavior as it sees fit. They can even choose to specifically target you and steal your files, and there's a very high chance you'll never find out about it.

> ...and are trivially easy to remove once they're no longer needed.

Depends on how you define "trivially easy" - for eg. with Riot Vanguard, it installs/uninstalls separately from Valorant so you need to remember that separately. Some other ones, like xhunter*.sys install silently and aren't easy to uninstall at all unless you go delete files in System32. Others like EasyAntiCheat/BattlEye (last I used it, been years since I've touched them) need special uninstaller .exes that are included with the game, but are not registered with Windows or don't run automatically when uninstalling the game.

disgusting company, disgusting policies. But awesome research! ~nerrix
Depends, Windows Store and the respective sandbox is a thing.
This is the way.

Many games package in outright spyware that siphon all kinds of data off your machine including browsing history. Kerbal Space Program was infamous for this (they removed the spyware at some point but I haven't checked recently if it was ever added back in).

> Many games package in outright spyware that siphon all kinds of data off your machine including browsing history.

Please post details. Were they literally mining user data?

The spyware is called Red Shell and it got packaged with a bunch of popular games. Yes, it mines user data.
Thanks for the reference.
This is one of the reasons I like gaming on GeForce NOW. I can use my primary laptop, play any game without having to install anything, instantly alt-tab back to the desktop between rounds without any weird bugs or crashes, etc.
Game companies literally think they have the right to own your machine. This is the kind of garbage they force gamers to install on their machines:

https://www.theregister.com/2016/09/23/capcom_street_fighter...

https://mobile.twitter.com/TheWack0lian/status/7793978407622...

Their software also takes screen shots, walks the file system, scans people's processes... Any similarities to malware may or may not be mere coincidences. They're also known for false positives: banning people for receiving special strings via text message, unknowingly installing mods with hacks bundled in or due to the presence of development tools such as debuggers or even virtual machines. Good luck trying to reverse such a ban, the entire gaming community has already been conditioned to accept any decision as final and to even defend this practice. When coupled with DRM, this essentially means your license to play the game has been revoked with no refunds.

> Some game companies (riot games) even install their anti-cheat software so that is loads in the ring 0 space.

Why are separate machines required, rather than dual-booting? (i.e. Windows for games, Linux for everything else)

Because Linux and Windows bootloaders routinely screw with each other. I am NEVER losing another weekend to that crap again. A dedicated Windows gaming PC is the correct way to deal with this.
With a UEFI-GPT setup, use two ESPs (one for each OS) and you're good. Now that I have no software bootloaders, which need to know about multiple OSs, I only need to use the BIOS' own boot device selector on startup.
That hasn't been the case for a long time. I have rEFInd that started life in a Windows 7 ESP with FreeBSD dual booting; now the same hard drive boots Windows 10 (upgraded from 7, not a fresh installation) and NixOS, all with the same rEFInd from the same.

The correct way to do so is to have separate hard drives for different OSes. Then there is zero chance of them stepping on each other.

You can also run a virtual machine with a real card attached to it via VFIO if your host has IOMMU support. Guess what this means for anti-cheat.
As the other user said, BattlEye now bans for this. I used a VFIO setup for a number of years but had to switch because of it.
Some anti-cheats like BattlEye try to detect if they're running in a VM.
Your computer is really a bunch of computers pretending to be a single computer.

Most of the components have firmware that can itself be loaded with malware.

Ah. So, if a Windows application runs in ring 0, it can put malware in a place such that it can then interact with the Linux install?

Is there _any_ way to bypass this, apart from separate machines? I didn't know this was possible.

It's a very real and terrifying threat. A standard PC has numerous components with their own firmware that can potentially be flashed. Some of those components may have integrity checking schemes that are supposed to ensure only vendor-signed code can be flashed or executed, but don't rely on those measures actually working as intended (and not being exploitable themselves). Hardware vendors are notoriously bad at this.

This is one of the reasons I'm so enthusiastic about the T2 and M1: a hardware root of trust designed by a competent vendor. (Yes, there is a flaw in the T2, but it requires physical access to exploit.) In my opinion, those are the only trustworthy desktops or laptops on the market right now. You'll notice AWS (Nitro) and Google (Titan) also have their own proprietary hardware security chips for the same reason.

Theoretically - and vice-versa.

Depends on what the avenue of exploit you're worried about is. You can disable BIOS flashing from the OS in the BIOS, but that might still be theoretically vulnerable to, say, compromising the Intel ME environment and flashing from there; a rootkit loaded in SMM could hang around until the machine is cold power cycled (and theoretically compromise the bootloader(s) to load itself and then chainload the "real" bootloader every boot); if you want to get really invasive, you could theoretically start flashing various microcontrollers attached to the system (say, a USB flash drive, or your HDD/SSD controller) to do malicious things.

These get increasingly unlikely (and unreliable, without knowing and targeting the specific hardware you're using) as your attacker model includes less resources, but not impossible. Intel ME code execution, BIOS and SMM rootkits, malicious USB flash drive firmware and HDD firmware have all been demonstrated (I haven't seen malicious SSD firmware, but there's nothing theoretically stopping it other than the controller doing a lot more on them), and a couple have even been found in the wild.

I hope those separate machines are also on separate network segments without a route in between.