this is a common misconception, just because you're in kernel-mode doesn't mean you are immediately undetected and things are not as easy people initinally think.
First, point of ingress: registry, file caches, dns, vulnerable driver logs.
Memory probe detection: workingsets, page guards, non trivial obfuscation, atoms, fibers.
Detection: usermode exposes a lot of kernel internals: raw access to window and process handles, 'undocumented' syscalls, win32, user32, kiucd, apcs.
Loss of functionality: no hooks, limited point of ingress, hardened obfuscation, encrypted pages, tamper protection.
I could go on, but generally "lol go kernelmode" is sometimes way more difficult than just hiding yourself among the legitimate functionality of 3rd party applications.
This is everything used by anticheats today, from usermode. The kernel module is more often than not used for integrity checks, vm detection and walking physical memory.
It's too bad we have to play this semantics game of "most vs all" every. Single. Time. On. This Damn Site.
So let me summarize the above thread:
Yes, there will always be workarounds for ANY level of anti-cheat. Yes, kernel-mode anti-cheat detects a higher number of cheats in practice, and that superiority seems durable going forward.
There, I think we can all agree on those. No need to reiterate what has already been posted.
I think it misses the fact that kernel anticheats generally do not reduce overall cheating compared to a good user-mode anticheat + good obfuscation and binary protection + strong report system and behavior analysis. If you add a kernel-mode anticheat to that I'd estimate that it helps only around 5% more while being way more invasive and causing widespread issues (as the original blog describes).
source: observation of games implying stronger anti-cheat measures over time and customer count staying exactly the same or growing. league of legends is a prime example, although it did create a crater for awhile. this all comes from people who actively sell cheats.
I’m sorry but what’s your source for this? This is a fairly wild claim.
huh, couldn't reply for awhile.
anyway: I already edited with the source.
Sorry, what's wild about it? It's a pretty standard observation that defense in depth beats "here's a silver bullet to solve X". Is there something about gaming (or preventing cheating in gaming) that makes that not true?