Security boffins Joel St. John and Nicolas Guigo have developed a rootkit-like gaming cheat system they say bests anti-cheating mechanisms.
The iSec Partners hackers say the anti-cheating platforms in use by the world's most popular games cannot stop cheating and actually increase the attack surface open to hackers.
In a presentation most recently given at BlackHat Asia last month the pair outlined "practical" attacks against external anti-cheat engines that could earn attackers big bucks.
" ... not only is the current state of anti-cheat software inadequate to fully stop cheaters, but it also adds significant attack surface to the software -- if a serious bug is found in this software, an attacker may be able to leverage it to get system-level access on clients or servers," the duo say in the paper Next Level Cheating and Leveling Up Mitigations (pdf).
"In the current model there is no way to fully stop cheaters and the research demonstrated here can be used to easily make any existing cheats undetectable by anti-cheat engines.
"Ultimately, there is a fundamental problem in the way the model works – clients require a significant amount of data, and while players control the hardware the game is played on, they control all of the data and can manipulate it at will."
They say the cheats directly impact the cash flow of gaming companies and professional gamers, making kernel-level hacking increasingly attractive until "fundamental advances" are made to defensive models.
The best game companies can hope for is obfuscation to make cheating harder in what amounts as a race to launch first.
They point out that anti-cheat systems generate and push signatures when cheats are identified, banning the players in question.
That process has "many parallels" with the malware arms race.
Cheating is generally covered by exploiting game bugs and glitches, in- or out-of-process, and network packet manipulation, the pair says.
Those out-of-process cheats rely on calls to ReadProcessMemory and WriteProcessMemory to access the game process address space in performance-heavy cheats that hackers consider the stealthiest in terms of avoiding anti-cheat software.
Gaming companies fight cheaters using signature and game-specific checks, hook detections, call stacks monitoring and various debug related detections, slinging system privileged process to detect out-of-process hacks.
But the pair reckon their rootkit-like platform could roasts most anti-cheat systems.
"It relies upon a kernel driver providing a rootkit-like functionality to hide activity of its user-mode process and provides a mapping API via device I/O controls allowing the game pages to be transparently double-mapped into the cheat process … the driver also aims at protecting the cheat binaries by installing itself on the file system stack to prevent anti-cheat access and analysis."
"iSEC believes this proof of concept will take the arm race into kernel mode which – as the virus-antivirus arms race demonstrated comes down to a 'who loads first' race, the notable difference being that the user is on the cheat’s side leaving little chance for the anti-cheats to come out on top."
The pair popped the popular BattlEye anti-cheat mechanism used in the Arma II and Day Z games including timing and sign extension attacks that can grant game server remote code execution. BattlEye patched against the hacks.
They say games may need to be "fully streamed" in the vein of Microsoft's concept to duck cheats. ®