For quite a long time now operating systems have had what’s called memory protection. This prevents one program from accessing the memory used by another program. This has 2 major benefits: one is that if a program goes wrong and starts trying to write to the wrong place in memory, it won’t crash the entire computer (this was very common in Windows 3.11 and below / MacOS 9 and below), and the other is that it makes things more difficult for viruses, as they need to get past this protection.
Cheats also need to get past this protection to be able to modify the game while it’s running to be able to insert cheats. And to detect this, anti-cheat also needs to get past this protection to be able to look for programs that are modifying the game.
The kernel is able to give programs permission to read and write the memory of other programs, so both cheats and anti-cheats go to the kernel for this permission.
Video game cheats aren’t written at the kernel level. Anti cheat software is now being written at the kernel level because that gives them the most control over other running programs on the system and more information about your computer than it would normally have access to.
For example, Vanguard uses its kernel-level access to try banning people’s computer hardware itself, not just your account.
In computers you have user space and kernel space.
Some programs need special privileges and need to run in kernel space. I don’t have any experience with anti cheat software but I can think of two blindingly obvious reasons why you would want to run an anti-cheat program in kernel space.
First is that it will give you sufficient privilege to observe and detect an executing process from a known cheat program. Applications in user space have limited ability to observe other running processes.
Second is that only in kernel space do you have sufficient privilege to fully observe input devices. If you can check the game’s input signals against what the mouse hardware is actually doing you can identify if an aim bot style tool is being used.
There are likely several more reasons that anti cheat software needs to run in kernel mode but these two are blindingly obvious from my perspective as someone who doesn’t have any experience in anti cheat.