That's not really possible as long as the kernel allows the loading of arbitrary user-provided modules. Because the cheater will certainly run the cheat that requires kernel mode. If it's run in kernel mode, the API call can be intercepted.
How does the anticheat then work? Corewars. It's a cat and mouse game between the cheat provider and the game developer.
One would need a secure base layer, where also the MS anti-cheat lives, and all drivers can only run in a layer between this base layer and userland. I think that's already done for most of the graphics stack.
On the other hand, I am not convinced I want a system where I cannot load arbitrary kernel mode code if I choose to do so.
How does the anticheat then work? Corewars. It's a cat and mouse game between the cheat provider and the game developer.
One would need a secure base layer, where also the MS anti-cheat lives, and all drivers can only run in a layer between this base layer and userland. I think that's already done for most of the graphics stack.
On the other hand, I am not convinced I want a system where I cannot load arbitrary kernel mode code if I choose to do so.