Hacker News: not_a9's comments

Given the love of Valve I’d bet Reddit/HN love lootboxes too, seeing Dota/TF2/CS all implemented them.

Probably not too hard with the LLM side itself assuming latest models and good tooling.

The harder thing probably is getting a dataset for “all x64/ARM64 Windows drivers that aren’t already considered vulnerable”.

Also it depends what’s considered a vulnerability here.


Uh, isn’t the IDT one of these things that PatchGuard explicitly checks? Mind you, anticheats keep PatchGuard corralled these days because they want their own KiPageFault hooks assuming HVCI is not in place.

The article doesn’t go too in depth on the actually interesting things modern anticheats do.

In addition:

- you can’t really expect .text section of game/any modules except maybe your own to be 100% matching one on disk, because overlays will hook stuff like render crap (fun fact for you: Steam will also aggressively hook various WinAPI stuff presumably for VAC, at least on CS2)


Valve has some AI detection stuff for CS2, but it’s remarkably ineffective. VAC itself delivers small DLLs that get manual mapped by Steam service, do some analysis and send that to Valve (at least to the best of my knowledge, there may be more logic implemented in Valve’s games or in Steam/Steam service).


> Writing drivers or poking around in kernel code was so far beyond the scope of capabilities at that point that you would’ve had better luck teaching your dog how to knit.

I get the feeling a whole bunch of teenagers have written drivers to cheat in Fortnite/whatever other game - with that being said, probably not at 9 years old.


> Cutler’s people took work seriously, while Microsofties sometimes tossed nerf balls in the hallways or strummed guitars in their offices.

> The differences in style were apparent to Cutler’s people, who derisively referred to Microsoft as “Microslop.”

From “Showstopper!: The Breakneck Race to Create Windows NT and the Next Generation at Microsoft”. Seems like the term is fairly old.


Things are pretty brutal and some categories are more affected than others.

A/D seems to be somewhat less affected.


Brutal as in, heavy AI usage? What sort of categories are more affected?


From what someone told me rev/crypto/misc are the most broken, with pwn/web being more iffy and depending on challenge specifics.

I can't speak on AI usage very clearly (fun fact: just putting the challenge into ChatGPT's web UI sometimes works!), but I think the most egregious is orchestration platforms for agents (with MCP/whatever else) to autonomously solve challenges.


> Steam proved gaming doesn't depend on Windows, Linux can do it too.

Aren’t most games built on Windows and for Windows?


Always a treat to see these people’s articles. Game hacking is wild - though in this case, wouldn’t enforcement of Secure Boot do the trick?


From the conclusion

> Importantly, this work also highlights the defensive implications of such techniques. While Secure Boot and firmware integrity mechanisms would prevent this attack chain when correctly enforced, the explicit requirement for users to disable Secure Boot demonstrates how social and usability tradeoffs continue to undermine otherwise effective platform defenses.


There are a number of Microsoft-signed drivers that have vulnerabilities in them that can be exploited allowing kernel-level access (memory read/write primitives, etc.) - they would load fine under Secure Boot - and, indeed, malware already has exploited this before.

This does make cheating harder, and does make it a cat-and-mouse game where signatures are revoked and they move on to a new driver, but the fact of the matter is - there are a ton of drivers out there and some of them will always be vulnerable in some way. To this end, I think focusing on client-side anti-cheat at all is a lost cause.


Valorant and Battlefield 6 do require Secure Boot, and they do not sell their cheat for those games. Though there are still cheats available for those games, in particular using DMA hardware.

You connect the DMA PCIe card to a laptop/PC with USB, then it can read any memory on the game PC and display a radar on the laptop screen. They even sell mouse and HDMI/DP mergers; these allow the laptop to show an ESP overlay over your game and to aimbot by sending mouse inputs.


I am aware, but thank you. However, DMA seems to still be far from making your cheat invincible against anticheats.


I got a refund for Battlefield 6 after finding out it requires Secure Boot (the error was not helpful in figuring that out though).


MSVC?

