
TL;DR

When Riot Games introduces the Vanguard anti-cheat to League of Legends, you should STOP playing and you must NOT install the anti-cheat when you get the pop-up. Vanguard is a kernel-level anticheat and these anticheats operate at a privilege level HIGHER THAN YOUR OWN. The anti-cheat can do things that even YOU can't do, without asking or letting you know. It's like Riot installing a camera in every room of your house and getting a copy of every key inside.

Here are just a few examples of what they can do:

Who am I?

Just a random player with a cheat developer past, that likes to reverse-engineer malware occasionally.

Why did I decide to write this lengthy boring post?

Anti-cheats are getting more and more intrusive; it's getting out of hand, and people should have a better understanding of how intrusive and dangerous kernel-mode software, in general, can be. It drives me crazy how game developers get away with this.

Goal

I want to convince you NOT to voluntarily install kernel-level software of any kind (anti-tamper, or whatever they try to push to you), shooting yourself in both feet.

Audience

All you ordinary gamers. This article explains the issue at hand in simple terms.

Some Clarifications

  • "Lower" and "higher" access levels: consider lower -> closer to hardware, meaning MORE privileged (may be counter-intuitive to some)
  • Any software that runs in the kernel namespace is referred to as a "driver".

The Problem

Only after diving into the world of reverse engineering and cheat development was I able to understand how incredibly intrusive anti-cheats can be. I get it, we all do: cheating is bad, it ruins legit players' experience, and so on, but that's not the point here. The point is that cheating is inevitable, so why force your player base to install a rootkit on their PCs?

The only difference Vanguard will bring is that the cheating players will just have to spend a bit more money on the premium kernel-mode cheats, since a user-mode anti-cheat can hardly deal with a kernel-mode cheat. Valorant has Vanguard, so what? It still has cheaters, and the premium cheat developers are not even charging that much. Speaking of "premium cheats", all this introduces a whole new problem: more usage of kernel-mode cheats, which means that, just like with Vanguard, the user will voluntarily infect their PC with yet another piece of kernel-level software, one that mines some crypto and shares their bank account with their favorite cheat developer <3.

Why don't game devs implement better detection methods server-side while keeping the user-mode piece of the anti-cheat? Because it's cheaper to deploy a rootkit to everyone's PC! You can detect and log "unrealistic" behavior without installing a rootkit on your players' PCs. We're not just talking about another piece of software; this is the core of your computer's operating system.

What is the kernel (in simple terms)?

In a computer, the kernel is the core software of the operating system. It handles all the fundamental operations, like managing memory, processing tasks, and communicating between your hardware (like your keyboard, mouse, and monitor) and software (like your games and applications).

The kernel operates at the DEEPEST level of your system and has complete control over anything happening in your computer. It decides which programs get resources, serves as a bridge between software and hardware using drivers, and controls essential security measures.

There exists a concept of "ring protection levels". Their purpose is to define an access level hierarchy in your system. Your everyday apps and games run at Ring 3 (least privileged, safest for your system). Can you guess who wants to be in Ring 0? That's right: viruses, rootkits, spyware. Everything that can compromise your system and privacy. Casually running kernel-level software that YOU DON'T NEED exposes you and your system to the risks that we cover below.

After these few sentences you might say "Wow the kernel sounds important and complex!", well IT IS, THAT'S WHY YOU DON'T LET RANDOM SOFTWARE IN THERE.

Consider this:

When you are having guests over at home, do you hand over a key to your house to each one of them when they first come? NO??? Why not? They won't have to ring the doorbell next time, think of the insane convenience that this brings. What? They can come at any point, even when you are not there? Naaaaah come on why would they do that, they even promised not to! Wait what? You don't want to give them keys? Well too bad since it was not a question or a request, prepare to be evicted.

That's you, inviting Vanguard over, FOREVER... well technically until you uninstall it but with such privileged software a complete OS purge is recommended alongside all your drives.

The risks of kernel-level access

Repeat after me, again, kernel-level software operates with the highest level of privilege on your computer - it can do things that even you CAN'T DO!

So far we only covered how incredibly privileged this software is on your machine, but let's talk about what CAN happen.

  • Security Vulnerabilities: The most concerning risk is related to security. When a program operates at the kernel level, ANY vulnerability in that program can potentially open the door to the entire system. If exploited, such vulnerabilities can lead to serious security breaches. In the case of Vanguard, any flaw in its design could be exploited by malicious entities to gain deep access to your system. Remember earlier about the keys? If someone untrustworthy gets hold of them, they have access to everything inside. Kernel drivers are the keys to the kingdom. Have you ever wondered how viruses "nest" themselves into a system? By exploiting a driver developer's mistakes, malware can leverage the vulnerable driver to load itself into the kernel namespace and bring chaos. You are essentially voluntarily nesting kernel software into the kernel namespace :). One might say that the god-level developers at Riot cannot produce a vulnerable driver, but know this: bugs are a fact of life, and the more complex your driver is, the higher the chance of the developer making a mistake. That chance is never zero, not even close.

  • System Stability: Kernel-level software has the power to make changes that can affect the entire system's stability. Ever wondered why you get a "bluescreen"? Well, there you go! When an issue occurs inside kernel-level software, it doesn't just crash; it takes the whole system with it, potentially corrupting it before the next boot. This can be caused by a simple mistake by the developer of the driver, which inherently means that introducing unneeded kernel software into your system increases the chance of instability. In contrast, when a user-level application crashes, you just restart it without threatening your whole system's stability.

  • Privacy Concerns: Privacy is another area of concern. Kernel-level access means the software can monitor all activities on the computer at all times, with full permissions and privileges, without asking any questions or even informing you in any way :). I am sure that Vanguard will only "enable itself" while you are playing league, but that's just a "promise". You can't rely on such "promises" when your privacy is at stake. You are giving it your house keys and pretending it didn't happen.

  • The Contrast with User-Level Software: Normally, your everyday software like games, Discord, or whatever, operates at a much higher, more restricted level; we can call this user mode, userland, or user level. Userland software runs with virtual memory and has to ASK before doing ANYTHING. Whenever there is a malfunction, it is limited to that specific program, unlike kernel-mode software, where the entire system collapses. There is absolutely no reason for a normal user to expose themselves to this just to play a game.
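To make the user-mode/kernel-mode contrast concrete, here is an added example that is not part of the original gist: a small C program (assumed to run on Linux, x86-64 or arm64) that probes from Ring 3 the things the text says userland cannot do. It reads its own ring from the CS register (x86 only), tries to execute the privileged cli instruction, and tries to read a kernel address; every refusal arrives as a fault that the OS delivers to this one process, which survives, while the rest of the machine is untouched.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>

static sigjmp_buf fault_escape;

/* The kernel delivers the CPU fault to *this process only*; we catch it and unwind. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_escape, 1);
}

/* Run one probe; return 1 if it completed, 0 if the CPU faulted (SIGSEGV/SIGBUS). */
static int probe(void (*action)(void)) {
    struct sigaction sa = {0}, old_segv, old_bus;
    int completed;
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_escape, 1) == 0) {
        action();        /* returns normally only if the CPU let it through */
        completed = 1;
    } else {
        completed = 0;   /* we got here via siglongjmp from on_fault */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return completed;
}

static volatile char sink;
/* Highest page of the address space: kernel territory on x86-64 and arm64 Linux. */
static void read_kernel_address(void) {
    sink = *(volatile char *)(uintptr_t)-4096;
}
int user_can_read_kernel_memory(void) { return probe(read_kernel_address); }

#if defined(__x86_64__) || defined(__i386__)
/* Bits 0-1 of CS hold the current privilege level: 0 = kernel, 3 = userland. */
int current_ring(void) {
    unsigned int cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return (int)(cs & 3);
}
/* cli (disable interrupts) is a Ring 0 instruction; in Ring 3 it raises #GP. */
static void disable_interrupts(void) { __asm__ volatile("cli"); }
int user_can_disable_interrupts(void) { return probe(disable_interrupts); }
#endif

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    printf("this program runs in ring %d\n", current_ring());
    printf("cli allowed: %s\n", user_can_disable_interrupts() ? "yes" : "no, faulted");
#endif
    printf("kernel page readable: %s\n", user_can_read_kernel_memory() ? "yes" : "no, faulted");
    return 0;   /* the process survives every refusal; the OS was never at risk */
}
```

A kernel driver doing the same two things would succeed silently, which is exactly the asymmetry the bullets above describe.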

The intrusiveness

Now that we have a clearer understanding of the risks involved in purposely allowing a piece of software access to the kernel, we can say a few things about the intrusive aspect of it all.

  • Deep System Access and Privacy: Kernel-level anti-cheats have an unparalleled depth of access to your system. A traditional anti-cheat "most of the time" operates only on the game files and starts up with the game ONLY. With Vanguard and other kernel-level anti-cheats, your whole system is being observed and monitored, including non-gaming related activities, even when you are NOT PLAYING :) It's like having a security camera that's meant to monitor your front door but ends up recording every corner of your house???

  • Continuous Operation: Another aspect of intrusiveness is the continuous operation of such software. With Vanguard and other kernel-level anti-cheats, your system is being monitored completely, from boot to shutdown, since the software starts up with your PC and DOESN'T JUST RUN WHEN LEAGUE OF LEGENDS IS ACTIVE, it runs ALL THE TIME :) This constant surveillance raises concerns, not just about privacy, but also about the impact on system resources and performance.

  • Potential for Data Collection: And of course, we must mention the "anonymous" data constantly being collected by the anti-cheat. With kernel-level anti-cheats being so intrusive, do you really trust them with the data they collect? There is absolutely no control over what the software can monitor; we are working on promises here...

Any proof?

Don't believe me about how dangerous this is?

And MANY MORE that did not get caught, as it's extremely hard to get caught with this :)

Conclusion

So, there we have it, we managed to barely scrape the surface on the topic... overall, it's your job to protect your privacy, since apparently the incredibly intrusive kernel anti-cheats are somehow still legal.

If you choose to install Vanguard and keep playing League, just remember that someone has unrestricted access to your PC the entire time it is turned on (in the case of Vanguard at least), and that someone doesn't need your permission when they want to do something :)

Is it worth sacrificing a piece of your digital freedom and security to continue playing League of Legends?

Stay safe, stay informed:

Update 1: Added TL;DR

Update 2: Added ring protection levels

@youcefs21

https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat

Quote from the article:

"Anti-cheat is such a cursed field to work in," Chamberlain says. "Developers have no incentive to steal your data or hurt your computer, and if an evil developer did want to harm their players then they don't need anti-cheat software to do it. Installing their game would be enough."

This caught my attention. Chamberlain isn't saying that players should worry less—he's saying players are worried about the wrong thing.

"Stealing your nudes, getting your passwords, stealing your bank info... none of these things require a kernel-level driver," Chamberlain says. "All of that is possible with a regular application that you install on your computer. I don't need a kernel driver to stealthily record your webcam. I don't need a kernel driver to get your credit card info."

@EnforcerRyan

https://www.pushtotalk.gg/p/the-gamers-do-not-understand-anti-cheat

Quote from the article:

"Anti-cheat is such a cursed field to work in," Chamberlain says. "Developers have no incentive to steal your data or hurt your computer, and if an evil developer did want to harm their players then they don't need anti-cheat software to do it. Installing their game would be enough."
This caught my attention. Chamberlain isn't saying that players should worry less—he's saying players are worried about the wrong thing.
"Stealing your nudes, getting your passwords, stealing your bank info... none of these things require a kernel-level driver," Chamberlain says. "All of that is possible with a regular application that you install on your computer. I don't need a kernel driver to stealthily record your webcam. I don't need a kernel driver to get your credit card info."

The issue isn't what it can do, it's that it can do it without you knowing or needing your permission, they don't need to tell you or inform you they installed a Crypto Miner as some of the links pointed to other companies doing, it's not the what or why it's the how, and the how is, without your consent or knowledge. The issue isn't just the developers either, it's the possibility of a weakness or backdoor being left in and being exploited, I doubt Riot would, but having the kernel level access there means it's a possible point of entry for bad actors, we saw what happened with Apex, now what if someone had more power than that and you were unaware. The has or will it happen is moot point, the point is it's possible because of the kernel level access, and it's completely unavoidable..

@nesticle8bit

Thanks a lot for this information! It's a shame that Riot is doing this shit.

@GMHadou

GMHadou commented May 13, 2024

Very interesting and informative, thanks for the info!

@amcypher

amcypher commented May 16, 2024

Let's put it this way, something spooked the r3pubs and d3ms enough that they crossed the line to talk and come together on legislature forcing the sale of that unsaid social site, the one with the weird name. The big t3nc3nt has its claws in everything; simply put, this software gives, easily gives, a brazen, adversarial nation access to your device. What's the motive? To be numba 1.

@dretax

dretax commented May 28, 2024

@stdNullPtr Guidedhacking colleague, although I do not support Riot running a driver 24/7 mandatory on their machine, running stuff elevated on your machine could also be just as dangerous and have controls over. You are running many device drivers in the background based on the "promise" you have mentioned, without actually knowing what they do. Blue screens exist to prevent harm to your computer most of the time, and kernel devs utilize static and dynamic tools to ensure that the driver falls away from it.

Anyone with actual experience with proper white and black kernel development will understand why there is a need to get a kernel AC. Obviously there is a line towards anything. I'd like to say BattlEye does a pretty good job at that.

@stdNullPtr
Author

stdNullPtr commented May 28, 2024

@stdNullPtr Guidedhacking colleague, although I do not support Riot running a driver 24/7 mandatory on their machine, running stuff elevated on your machine could also be just as dangerous and have controls over. You are running many device drivers in the background based on the "promise" you have mentioned, without actually knowing what they do. Blue screens exist to prevent harm to your computer most of the time, and kernel devs utilize static and dynamic tools to ensure that the driver falls away from it.

Anyone with actual experience with proper white and black kernel development will understand why there is a need to get a kernel AC. Obviously there is a line towards anything. I'd like to say BattlEye does a pretty good job at that.

@dretax Of course they run in the background, the point here is that they are mostly not that complex, eliminating attack surface, with exceptions of course. Usually, the drivers intend to provide communication between hardware and software, they shouldn't do a million things.

The sole purpose and focus of this gist is to allow in the kernel space only what you need, and you most certainly don't need a full-system, kernel-level scanner, running 24/7 opening security holes.

Yes, defending from kernel is more powerful, sometimes necessary to catch some kernel cheating mechanisms, and we mostly lived with that over the years. But we are talking here about a very specific case, the case in the title.

PS: Not trying to come off as rude :) I agree with you partially

@dretax

dretax commented May 28, 2024

@stdNullPtr I feel that in your writing you focus on things / include things that do not really matter. What matters is a cheating prevention software running 24/7 on your machine.
An anti-virus does similar, sometimes even more hacky things, if you have ever reversed one, and users tend to take that for granted as well. The only way to trust such software is to actually get into it and see what they do under the hood. While it's true that minimizing complexity can help reduce potential attack surfaces, it's overly simplistic to suggest that drivers should be small implementations solely for this reason, or that they eliminate attack surfaces because of this. It's the design that makes the difference, in major cases, the rest follows.

Anyway, what I'm trying to get to in this case is that there are numerous other drivers out there that have caused security risks to users' machines; software will always be prone to being a potential attack vector, even if properly designed.
Regardless, my experience tells me that there is a fine line for everything, Riot is passing that, and I'd say EAC / BE do a good job at what they do, but only against people who aren't willing to put in the proper work.
Whenever I see a shitpost / writeup on whatever AC, I see people failing to get into these details, on what is a "fine line" and what's the complex reason of the overall topic. Maybe essentially I'll do one for GH.

@kurtbahartr

kurtbahartr commented Jul 4, 2024

I'm glad you managed to compose something I tried to explain to my brother for over a month and I could find this Gist after some little deep research. However, I'm sorry to inform you that a League addict like him will disregard every single bit of it and still install that piece of rootkit just so he can play more games with his friends as if there's no better option. I'm planning to back up my data remotely over SSH the very next time he plays League (which I assume is just a few hours later since the time I'm composing this comment), prepare a Windows PE USB to zap everything on my SSD and then restore the updated factory image (which is the disk clone from the moment I received my laptop from its latest warranty service even before I booted into it myself) using Clonezilla.

And even then, my brother will still install League the very next time he takes my laptop and leave me with no option but to perform the very same thing over and over again.

@schklom

schklom commented Jul 4, 2024

@kurtbahartr you could set up a second partition, install Windows there, install League there, and tell him to select that second partition to play. Encrypt your main partition with BitLocker or VeraCrypt, and you are both good to go.

@kurtbahartr

@schklom I don't think BitLocker is going to work that well considering it leverages TPM hardware instead of a password set by the administrator, which the other partition theoretically could also bypass since the hardware is the same on both systems. I'll give VeraCrypt a try though, I've been thinking about trying it out for years. Thanks for the suggestion!

@Gruekan

Gruekan commented Aug 13, 2024

@stdNullPtr nice post.
Maybe you could add the CrowdStrike Incident to your post because it is recent, popular and shows how a bug in kernel mode software can even kill your pc.
Just been away for some time and saw League now requires Vanguard. The only reason I never played Valorant... Well that means no League for me.

Companies must stop developing software for kernel mode that by no means belong there!

@kotlinsyntax

@stdNullPtr nice post. Maybe you could add the CrowdStrike Incident to your post because it is recent, popular and shows how a bug in kernel mode software can even kill your pc. Just been away for some time and saw League now requires Vanguard. The only reason I never played Valorant... Well that means no League for me.

Companies must stop developing software for kernel mode that by no means belong there!

The CrowdStrike incident isn't really a great source to add to this, that was from a company not testing their code, at least most major game companies will at least test, it's a pretty basic thing to do.
