by rstat1 1890 days ago
In my mind there's a huge difference between the two. The Sony rootkit was installed in secret, full of security holes, hard to remove, and made by a vendor that appeared to give 0 shits about said security holes.

All of the anti-cheat solutions I've seen that run in kernel mode are none of those things. They make it well known that they're installing, are made by vendors that actively care about the security of their products, and are trivially easy to remove once they're no longer needed.


Genshin Impact is a recent game that has included a kernel mode anti-cheat. I would be very surprised if the majority of players know that it exists, or understand what it means to have it run in kernel mode.

The Genshin website previously allowed anyone to view the phone number you have linked to your account via the password reset mechanism. Due to common reports of accounts getting stolen (and unable to be recovered), two-factor auth has been highly requested, but doesn't seem to be a priority. I'm skeptical that they strongly care about the security of their users.

Even if Genshin's anti-cheat is completely secure, as kernel anti-cheat becomes more common it's inevitable that we will get an instance that is full of security holes. Unfortunately, as long as the user can't play their favorite game without it, they will happily install it.

Even if the security is bad, does it even matter? User mode is enough for malware. "Sure, an attacker could mine crypto, DoS people, use me as a proxy, keylog me, use my webcam, steal my saved usernames and passwords, but at least they can't upgrade my graphics drivers," said no one ever.
Oh, there's a lot more "fun" stuff you can do in kernel mode. One comedic example is setting the CPU Vcore offset to +2.2V for fun/revenge. I don't know if it will destroy CPUs permanently, but it would be an interesting experiment.

More importantly though, once you're in the kernel, it's much easier to hide your presence from all manner of Windows sysadmin tools.

Genshin Impact's anti-cheat is not completely secure: you can use it to read/write umode memory / read kmode memory with kernel privileges: https://github.com/ScHaTTeNLiLiE/libmhyprot

Mirror repo after the original author took the repo down, but still exploitable AFAIK.

Explanation of the exploit here:

https://github.com/Luohuayu/evil-mhyprot-cli

Not as bad as capcom.sys:

https://mobile.twitter.com/TheWack0lian/status/7793978407622...

The effect is the same though: ring 0 code execution.

I'm an anti-cheat dev and I think client-side anti-cheats make no sense on a typical MMO. Pretty much all cheats for those types of games can be detected server-side. RuneScape is a great example of this.

Hopefully, Microsoft is going to follow in Apple's footsteps and close access to the kernel for any and all programs. Yes, we will lose a lot, since Apple right now cannot cover all use cases of kernel access through new APIs, but we will gain so much in security and reliability.

I'm of the opinion that easy kernel access for all apps and games is ultimately not putting me in control of my computer.

Access to kernel mode on Windows is already pretty restricted as it is. As far as I understand, you either have to run your whole machine in a special "Test Mode" or have a specific kind of (expensive) code signing certificate.

But beyond that, I don't see how "more restriction" == "more control for the user".

Are you talking about driver signing?

They already kind of did; I only install PC games via the Windows Store.

> ...make it well known that they're installing...

Many vendors originally hid the fact until they started receiving community backlash about it. For example, Riot with Vanguard originally hid*[0] that it was running 24/7, and also hid the fact that it blocked drivers, until people noticed and complained about it. Many games, PUBG Lite and Genshin Impact in recent memory, also do not reveal this to the user.

[0]: https://gameriv.com/vanguard-adds-a-system-tray-icon-to-give...

*: I'm aware there was a blog post about it, but a blog post about it != clear, upfront warning on install about behavior

> ...made by vendors that actively care about the security of their products...

Here's some fun, all involving anti-cheats:

- Using xhunter1.sys (XIGNCODE3) for an LPE: https://x86.re/blog/xigncode3-xhunter1.sys-lpe/ (still used in some MMOs!)

- Using capcom.sys (rootkit shipped with Street Fighter V) to write a rootkit: https://www.fuzzysecurity.com/tutorials/28.html

- Using mhyprot2.sys (from Genshin Impact) to read/write umode memory / read kmode memory with kernel privileges: https://github.com/ScHaTTeNLiLiE/libmhyprot (still exploitable, AFAIK!)

- Using BEDaisy.sys (BattlEye - shipped in Rainbow Six: Siege, Fortnite, etc) for handle elevation: https://back.engineering/21/08/2020/

In addition, you still need to trust the vendor (duh!). Some of them are essentially RATs, like BattlEye: it loads shellcode from the server that runs in BEService as NT/SYSTEM, and they can target code pushes by IP/in-game ID/etc. Reverse engineering the anti-cheat itself is not enough to trust it; it can change its behavior as it sees fit. They can even choose to specifically target you and steal your files, and there's a very high chance you'll never find out about it.

> ...and are trivially easy to remove once they're no longer needed.

Depends on how you define "trivially easy". For example, Riot Vanguard installs/uninstalls separately from Valorant, so you need to remember that separately. Some others, like xhunter*.sys, install silently and aren't easy to uninstall at all unless you go delete files in System32. Others like EasyAntiCheat/BattlEye (last I used them, it's been years since I've touched them) need special uninstaller .exes that are included with the game, but are not registered with Windows or don't run automatically when uninstalling the game.

Disgusting company, disgusting policies. But awesome research! ~nerrix