Watching the Watchers: Exploring and Testing Defenses of Anti-Cheat Systems

Black Hat USA 2025 · Day 1 · Briefings

Anti-cheat systems for modern first-person shooters like Valorant and Rainbow Six Siege have independently developed Windows kernel defenses (PatchGuard bypass, memory invisibility cloaks, rogue hardware detection, and runtime software diversification) that exceed what most enterprise EDR products implement. A six-month empirical study of the cheat marketplace shows these defenses measurably raise attacker costs by an order of magnitude and cut cheat uptime from near-100% to roughly 50%. The next battleground is the hypervisor layer.

AI review

Anti-cheat systems have quietly become the most advanced kernel-defense research lab in the industry, and Sam and Tom have the empirical data to prove it. Vanguard's PatchGuard bypass, page-table cloaking, and DMA device behavioral probing are all more sophisticated than what most enterprise EDR ships — and the cheat marketplace pricing data is the cleanest attacker-cost measurement I've seen at any conference.
