Hacker Timesnew | past | comments | ask | show | jobs | submitlogin

AMD forgot to detour the VAC integrity checks too.


The real issue here is that it was a detectable optimization, Nvidia may play similar tricks except it’s not an issue if the code is embedded deeper into the hardware stack.

For example, Nvidia cards are great for cheaters because you can disable flashbangs and smoke grenades using the stock driver.

If we push it that way, any improvement of FPS due to hardware could even be considered unfair, and to ensure fairness, everybody could theoretically be limited to 30 FPS and xxHz refresh rates.


Reflex requires the game developers to use the Reflex interface via NVAPI, the AMD global anti lag feature was hijacking calls at runtime and modifying the memory of running processes.

I don’t know how this design passed basic red teaming during the design phase not to mention QA.


What actually happened is that the game code was modified in memory which VAC disallows because that's how many cheats are implemented. I'm not even sure what you're trying to say. Yes you can disable some effects in games through changing driver options and you can make your monitor render a red dot and add macros to your keyboard, those all are a distinct problem from the subject here.

A framerate limitation for "fairness" wouldn't make sense because you'd basically be arguing that it's unfair that someone saw one single extra frame that some player zipped across the screen and they were able to track them whereas they wouldn't without that extra frame.

But a game being networked naturally presents the same issue and it can't be solved (in an engine like source or unreal): player locations are sent to your client at a fixed sample rate. Whether you see a player zip across the screen will just be determined by a bunch of phases of cyclic phenomena: for instance your client renders every 33.33ms (for 30FPS) and the server says he's at position A, then the server says he's at position B which is in your view, but your game isn't rendering yet because it just finished rendering the previous frame. Then you get a packet saying he's at position C which is also off your screen and now finally the rendering happens, rendering another frame with the player off your screen. So you never saw him cross your screen. But another player sitting right behind you looking in the exact same direction will be on a different phase of his render loop: he may render right after receiving position B and so he will see the player zip across. This example ignores interpolation and stuff but it will still apply even then.


Most likely, they just forgot to wait for Valve to ship the update where they whitelist those specific modifications.


> Is there a whitelist of software that can be safely injected into CS:GO?

> No. Unfortunately, even benign applications are often a vector for cheats that hijack them in order to cheat in CS:GO. So in Trusted mode, all foreign software is blocked.

Source: https://help.steampowered.com/en/faqs/view/09A0-4879-4353-EF...


Almost 100% sure they keep a whitelist with all common GPU drivers.

Note that by definition GPU drivers _require_ the ability to inject DLLs into the process, read/write to the process memory, and even create new threads on it...

That's the reason Chrome and derivatives put GPU stuff on a separate process. But you try to do this type of sandboxing on a game and it will utterly destroy performance.


Can you provide some docs around it? It goes quite against everything public, when NV adds new features that are not part of D3D or other APIs they release binaries for developers to use to call NVAPI directly Ive never seen their driver injects anything into a running process.


D3D is not IPC. It is mostly implemented in the process' address space. When you call a D3D function you are not magically dumping all your primitives into the kernel-side driver (which would be slow), you are calling into nvd3dum.dll which _may_ eventually call into the kernel. All of this happens in the same process and therefore the GPU driver can do whatever the hell it wants to it.


Yes but this derouted the engine.dll (or equivalent) code in userspace (not sure if that's the right term here). I agree that they probably whitelist or even just don't check the graphics or rendering related functions, since tons of mods allow you to do that without any widespread ban wave. But when it's hooking to the core engine code, I think that's a different story. Correct me if I'm wrong though.


There is no way to make this distinction purely from userspace, you cannot "sandbox" a library you are loading into your process. Therefore they just keep a whitelist of graphic drivers that are allowed to load (and do whatever they want).

Anything else would just not work. You can't prevent the drivers from doing whatever they want or you would quickly hit a myriad crashes. You cannot rely on what the OS calls a "graphics driver" because then someone would implement their own drivers (wrapping NVs). Your only resort is to allow the well-known drivers and prevent everything else.

The same reasoning applies to all operating systems (e.g. OpenGL ICDs). It is not windows exclusive.

And btw, mods which change rendering related functions are some of the most classic cheating devices and therefore are of critical importance to block in the first place.


This wasn’t the driver doing what ever it wants up stream it was overriding the renderqueue and other functions within the executable at runtime.

As far as I know this is not standard behavior for GPU drivers at least I’ve never seen anything like that happening before.


I really doubt that; not because they haven't done that in the past, because they have; but because with the frequency of updates of game clients these days you really cannot get away with that as easily. On the other hand, hooking the lower-level Win32 functions is extremely common, I am yet to see a GPU driver that doesn't implement some level of idle/activity detection based on hooking the message loop, for example.

My bet is they have just decided to put whatever this new thing is in a separate module which they they forgot to send to Valve for whitelisting.


There's a world of difference between hooking a message loop and hooking a Win32 function:

You can hook a message loop using regular Win32 APIs, while hooking a Win32 API requires you to modify code in the process. Specifically you need to inject a trampoline function into the process memory and then overwrite the first two bytes of the Win32 function you'd like to hook with a jump instruction to your trampoline.

The former is a lot easier to allow while the latter is much more likely to open the flood gates for cheats.


Graphics drivers don't need to use code injection to load their DLLs. They're loaded by the process when it initializes the graphic context.


There is no practical difference. You can't really know if the graphics driver comes because it is "injected" by whatever or because the system loads it; from the point of view of the process it is exactly the same (code you didn't explicitly request magically appears on your address space). If you are already loaded by the process you can do _anything_ you want to it, including loading other modules.


You're glossing over distinctions that do matter when you're trying to detecting cheating. Yes, once a DLL is loaded into the process memory it can do anything it wants.

But when you're trying to detect cheats, how it was loaded and what it attempts to do in your address space is exactly what you're trying to detect.


They don't matter because

a) they're impractical or even impossible to detect: let me know how can you avoid code that is being executed in your address space from not doing anything that it wants to your address space. This is not a buffer overflow looking for a rop, this is code with x permission that is already being executed.

And b) they're irrelevant. Does it matter if your cheating code is loaded as part of the graphics driver? It is trivial to create one...


a) It is impractical, but necessary to ensure a fair game. It is just as impractical as a virus-scanner trying to protect the OS from novel malware that's being directly executed by the user at admin rights. Just because it's hard doesn't mean it can't/shouldn't be done. Also the anti-cheat doesn't need to prevent it, it just needs to detect and report it.

b) It seems you're trying to argue against anti-cheat as a whole? Yes, anti-cheat will always be defeated in the end. We've reached the point where cheaters are starting to use Direct Memory Access attacks, no way to detect that. But it's still necessary to make sure there's a high enough barrier that prevents the casual cheater from just downloading a cheat without the fear of getting banned.

However I do understand your aversion to it, these are techniques that are hostile to the user and attempts to wrest away control over what code the user is allowed to execute on their own hardware. The fact that the PC allows the user to execute any code they want is a precious right that's being chipped away at.


> It seems you're trying to argue against anti-cheat as a whole?

No at all. I'm arguing that they just have a whitelist of modules they can load, and prevent any unknown module from loading. Because that is the simplest AND only reasonable way to approach this, for the reasons I've exposed above.


But what you've listed above are a bunch of reasons why a whitelist isn't enough. Because you can whitelist modules, but without extra precautions you have no idea whether the module you've loaded has been compromised. And even if you check the code signature of the module you're loading, unless you have some way of detecting code injection the modules or the engine code can be compromised at any point during runtime.


Do valve whitelist those? I think the geforce changes operate by hooking into the actual rendering functions, not individual games —- or can they?


GPU vendors don't have to hook rendering functions since they're the ones providing the implementation of those rendering functions.

If Nvidia requires extra hooks into the game they usually ask the developer to call certain functions in NVAPI, which is their vendor-specific driver interface.


There must be some kind of whitelist system. Discord for example doesn't have many options to draw it's ingame overlay. They either create a topmost transparent window (does not work in exclusive fullscreen) or hook glEnd() of the targer or however it's called these days.


Counter-Strike allows detouring of system calls by code signed DLLs if it's not running in trusted mode.

Once it's running in trusted mode all hooking is blocked, so even the Discord overlay would not be allowed.

Source: https://help.steampowered.com/en/faqs/view/09A0-4879-4353-EF...


Do you happen to know how to detour Steam games on startup? Just launched executable (with detours) gets Steam to restart itself (so now without).


>Steam to restart itself (so now without).

With all due respect, I'm struggling to parse this part of your comment.

With that said, I'm pretty sure your target is calling this API method:

https://partner.steamgames.com/doc/api/steam_api#SteamAPI_Re...

If you don't care about being authenticated with a "legit" session for online play, just strip SteamStub and apply a Steam emu with the necessary config. Those will obviously not care about wherever they are being launched from. I recommend the CODEX one if your target is not too recent.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: