by NtGuy25 1651 days ago
It's not. Binary protection is easy and you won't be able to stop high-level attackers. It's similar to the EDR field where it's monitoring heuristics and trying to correlate those to attacks. And it's also similar in that normally it functions off a whitelist, but they get a bit more coverage since they only care about a singular program which they control.

Companies get most of it from either filter drivers or ETW, which effectively give a callback and notification for every handle or handle operation (so networking, file, registry, inter-process, etc.). The good way to do this is ETW, which gives you events and doesn't allow changing of these events, unlike a filter driver that can modify these requests. And this stops 99% of people. ETW even runs in usermode as opposed to a driver.

They also do malware techniques such as loading shellcode over the wire so it's difficult to audit the actual malicious stuff they're doing.

There's zero reason for them to need anything like what Riot does with Vanguard and it's a joke that consumers allow this. It's them trying to jump to the top of the stack and abuse the kernel. But their engineers are too stupid to realize this opens up complexity in the architecture and makes it easier to break and bypass.
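The comment's point about ETW is that a user-mode consumer can subscribe to kernel providers and receive handle and file events without a driver, and without being able to alter the requests it observes. The following is an added illustration of that consumption model, written for this page and not code from the commenter or from any anti-cheat or EDR product. It assumes Windows, an elevated PowerShell session, the built-in `logman.exe` and `Get-WinEvent`, and uses the `Microsoft-Windows-Kernel-File` provider; the session name, output path and five-second window are arbitrary choices for the demonstration.

```powershell
# Added example (not from the HN comment): collect ETW events from a kernel
# provider in a user-mode trace session, then summarize which file-handle
# operations a given process performed. Requires Windows, an elevated
# PowerShell, logman.exe and Get-WinEvent. The provider name, session name,
# output path and trace duration are assumptions chosen for illustration.

function Start-KernelFileTrace {
    param(
        [string]$SessionName = 'DemoFileTrace',
        [string]$Provider    = 'Microsoft-Windows-Kernel-File',
        [string]$OutFile     = "$env:TEMP\demo-file-trace.etl"
    )
    # -ets creates and starts the session immediately; the all-ones keyword
    # mask enables every event the provider emits. The consumer only reads
    # what the kernel logs; it has no way to modify the underlying I/O.
    logman create trace $SessionName -p $Provider 0xffffffffffffffff -o $OutFile -ets | Out-Null
    return $OutFile
}

function Stop-KernelFileTrace {
    param([string]$SessionName = 'DemoFileTrace')
    # Stopping the session flushes the remaining buffers to the .etl file.
    logman stop $SessionName -ets | Out-Null
}

function Get-ProcessFileActivity {
    param(
        [Parameter(Mandatory)][string]$EtlPath,
        [Parameter(Mandatory)][int]$ProcessId
    )
    # Get-WinEvent parses the ETL offline; -Oldest is required for .etl input.
    # Each record carries the issuing process ID in its header, so filtering
    # on it isolates one program's activity without any hooks in that program.
    Get-WinEvent -Path $EtlPath -Oldest -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessId -eq $ProcessId } |
        Group-Object -Property Id |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

# Usage: trace for a few seconds while a target process runs, then summarize.
# notepad.exe is used only as a harmless process to observe.
$etl    = Start-KernelFileTrace
$target = Start-Process notepad.exe -PassThru
Start-Sleep -Seconds 5
Stop-KernelFileTrace
Stop-Process -Id $target.Id -ErrorAction SilentlyContinue
Get-ProcessFileActivity -EtlPath $etl -ProcessId $target.Id | Format-Table -AutoSize
```

The output is a count of events per event ID for the observed process, which is the raw material a monitoring engine would feed into its heuristics; the script never touches the process itself, which is the contrast the comment draws with a kernel filter driver that sits in the request path and could rewrite or block operations.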