
I mean, they're not rootkits. Rootkits are either to gain root access (thus the name) or to hide something from a user. Anticheats don't do either of these.

They expose a kernel API to allow games to verify the state of the system, and they're knowingly installed by the user.






> They expose a kernel API to allow games to verify the state of the system

And that API has root access... thus it's a rootkit.


The API doesn't provide root access, it's typically a simple "is this game running in a secure environment" read API.

I really hate "it's a rootkit!" posts like this because it diminishes the severity of actual rootkits.


Can you please clarify how an API which runs in the kernel does not have root access? Because I don't believe that's possible, but perhaps I'm wrong.

The API itself has root access, but does not give user space root access, is what I think the commenter is trying to say.

That's the promise of eBPF.

I'm already counting down the days for eBPF to blow up in our face. But admittedly, it's the cheapest way of gaining more capabilities and privileges than you need, thus it's here to stay.

How do you think it is able to tell if the game is "running in a secure environment" without having root access itself?

The thing is the Kernel does not have that API.

The real solution, and not the hack Riot uses, is for the kernel to provide an API for anticheats, like it does for everything userland.


That's not really possible as long as the kernel allows the loading of arbitrary user-provided modules. Because the cheater will certainly run the cheat that requires kernel mode. If it's run in kernel mode, the API call can be intercepted.

How does the anticheat then work? Corewars. It's a cat and mouse game between the cheat provider and the game developer.

One would need a secure base layer, where also the MS anti-cheat lives, and all drivers can only run in a layer between this base layer and userland. I think that's already done for most of the graphics stack.

On the other hand, I am not convinced I want a system where I cannot load arbitrary kernel mode code if I choose to do so.
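A small constructed simulation of the point made above about interception at equal privilege (added here as an illustration; it is not code from the thread, from Riot or from any real kernel). The dispatch table, the module names and the `is_secure_environment` query are all hypothetical stand-ins: a read-only boolean API grants userland no privilege, but anything else running at kernel privilege can rewrite the entry the API dispatches to, and an integrity check on that entry is just the next round of the cat-and-mouse game.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed simulation (not Riot's, Vanguard's or any real kernel's code):
 * a hypothetical dispatch table shared by everything running at kernel
 * privilege, an anticheat module that registers an honest environment check
 * in it, and a cheat module at the same privilege that overwrites the entry. */

typedef bool (*env_check_fn)(void);

/* Hypothetical table of kernel-side services that userland reaches through a
 * read-only query. Every kernel-mode module can write to it. */
struct service_table {
    env_check_fn is_secure_environment;
};

static struct service_table services;

/* Simulated system state that the honest check inspects. */
static int untrusted_code_loaded;

/* Anticheat's honest implementation of the read API. */
static bool anticheat_is_secure_environment(void)
{
    return untrusted_code_loaded == 0;
}

/* Cheat's replacement for it: always answers "secure". */
static bool cheat_always_secure(void)
{
    return true;
}

void reset_system(void)
{
    untrusted_code_loaded = 0;
    services.is_secure_environment = NULL;
}

void anticheat_install(void)
{
    services.is_secure_environment = anticheat_is_secure_environment;
}

/* A cheat that stays in userland: it cannot touch the table. */
void load_userland_cheat(void)
{
    untrusted_code_loaded++;
}

/* A cheat loaded as a kernel module: same privilege as the anticheat,
 * so it intercepts the query by rewriting the dispatch entry. */
void load_kernel_cheat(void)
{
    untrusted_code_loaded++;
    services.is_secure_environment = cheat_always_secure;
}

/* The API the game calls from userland. It returns one boolean and grants
 * no privilege, but it is only as honest as the table entry behind it. */
bool game_query_secure(void)
{
    return services.is_secure_environment != NULL
        && services.is_secure_environment();
}

/* One more round of the game: the anticheat checks that the entry is still
 * its own function. A later cheat can forge this check in the same way. */
bool anticheat_entry_intact(void)
{
    return services.is_secure_environment == anticheat_is_secure_environment;
}

int main(void)
{
    reset_system();
    anticheat_install();
    load_userland_cheat();
    printf("userland cheat: query=%d\n", game_query_secure());

    reset_system();
    anticheat_install();
    load_kernel_cheat();
    printf("kernel cheat:   query=%d intact=%d\n",
           game_query_secure(), anticheat_entry_intact());
    return 0;
}
```

The userland cheat is caught because the honest check still runs; the kernel-mode cheat is reported as "secure" because the check that runs is the cheat's own. The integrity check catches this particular hook, which is exactly why the next cheat hooks the integrity check as well.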


> They expose a kernel API to allow games to verify the state of the system, and they're knowingly installed by the user.

Can you give examples of games where you do that?


Riot Games use theirs (Vanguard) to improve detection of cheating software. Basically the idea is that by being on from the moment the computer is booted up it can validate the environment better.

Here's a recent blog post by Riot detailing their recent deployment of the system for League of Legends, the biggest online multiplayer game in the world:

https://www.leagueoflegends.com/en-gb/news/dev/dev-vanguard-...

Towards the end it talks about how and why it works.

