Is Valorant Spyware?

April 17, 2024·0xbekoo

Understanding How Anti-Cheat Software Works

To begin our exploration, we first need to understand how anti-cheat software works. In general, anti-cheat software is developed for two main purposes: to prevent cheating within a game and to detect those who do.

We can categorize how this software operates into two main methods: server-side and client-side[1].

Server-side anti-cheat software typically monitors and analyzes the data a player sends to the game server. This data can include how the player is playing, what commands they are sending, and how quickly they react. Its goal is to detect discrepancies between normal gameplay behavior and potential cheat usage.

Client-side anti-cheat, on the other hand, runs on the player’s own computer and can have complete access to their machine. It attempts to detect cheat programs running on the computer and can use various techniques to block or report them. Furthermore, this software often operates at the kernel level with full privileges and access. In other words, it has total control over the player’s computer.

Both types of anti-cheat have their advantages and disadvantages. Server-side anti-cheats are generally more reliable because they run on the server and are less susceptible to manipulation on the player’s end. Client-side anti-cheats, however, can provide more comprehensive control over the player’s computer, which can lead to privacy violations or security concerns—a topic we will discuss frequently in this article.

Initially, anti-cheat software operated at the Ring 3 level. As you may know, Ring 3 is also known as User Mode. (If you’re not familiar with this concept, I recommend doing a quick search.)

In User Mode, privileges are very limited. It’s an environment where you don’t have full privileges over the operating system and are highly restricted. Because they couldn’t directly access hardware or memory from this level, anti-cheat programs needed to have the necessary permissions before performing any scans. Moreover, in this mode, anti-cheat software ran in isolation from other applications, meaning it couldn’t interfere with or modify data belonging to another program[2].

However, cheaters, knowing that anti-cheat software was running at Ring 3, developed more sophisticated methods. Their tactic was to run their cheats not at Ring 3, but in the Ring 0 space—that is, in Kernel Mode. This gave their cheats far greater privileges and made them significantly harder to detect. Unlike the restricted User Mode, Ring 0 (Kernel Mode) allows any instruction to be executed, any memory address to be read, and most importantly, direct communication with hardware. Cheaters even advanced to the point where they could hook the system calls used by Ring 3 anti-cheat software to intercept its data[2].

Game companies had to respond to this tactic, so they moved their anti-cheat software from the restricted User Mode to the kernel level, into Ring 0. Software running in Ring 0 can scan the system just as before, but it does so directly from the kernel level, with complete and elevated privileges. This has its advantages, but also a significant disadvantage that we will discuss at length. The advantage of running anti-cheat in Ring 0 is its ability to easily detect even the most elusive cheats, keeping the game more secure. The disadvantage, however, is the privacy problem.

Consider this: if this software can scan and read everything with high privileges to protect you from cheaters, it theoretically means it can also access everything on your computer. Because it operates at the kernel level, it can read and access everything happening on your computer in real time, with the highest privileges.

This brings me to a question for you: You don’t want to put up with cheaters in the games you play, and you want measures taken against them. But in exchange for that, would you be willing to risk your privacy?

Potential Dangers posed by Anti-Cheat Software

There have been incidents in past years that violated the privacy principles anti-cheat software is supposed to uphold. A good example was in 2013, when a developer from ESEA used the kernel-level access of the anti-cheat to mine bitcoins secretly and on a large scale on players’ computers. The developer obtained about $4,000 from mining software that he planted on the GPUs of 14,000 players[3], and after this incident was revealed, ESEA was fined $1,000,000 by US regulators. ESEA publicly apologized, distributed the mining money to players through prize pots and donated $7,427.10 to the American Cancer Society[3].

Kernel-level anti-cheat can also cause problems for some operating systems. If you are a gamer, you may have encountered this situation. Since anti-cheat software works as a kernel driver, a small error in the driver’s code can cause crashes such as the Blue Screen of Death (BSOD). Take a look at this image for example:

In this case, as soon as the user turns on the computer, the blue error screen appears with the SYSTEM_THREAD_EXCEPTION_NOT_HANDLED error code mentioned above, and the faulting module is vgk.sys, the driver file of the Vanguard anti-cheat software from RIOT Games.

Here, the user states that whenever they play Counter-Strike 2, they get a blue screen with the same error code, and they are looking for a solution.

Spyware Allegations for Valorant

One of the biggest reasons for these claims about Valorant is that the Chinese company Tencent owns 100% of Riot Games. Tencent invested 400 million for a 93 percent stake in Riot Games in February 2011, and on December 16, 2015, Tencent bought the remaining 7 percent at an unspecified price to acquire 100% ownership[4].

Tencent is a company with close ties to the Chinese government, which wants to control all activities on the internet. This, coupled with the fact that Tencent owns 100% of RIOT Games and that Valorant’s anti-cheat software runs at the kernel level, has led to allegations that this software could be used by the Chinese government.

We can see the beginning of these discussions starting 3-4 years ago. For example, take a look at this thread I came across in the r/privacy subreddit:

OP asks whether Valorant’s anti-cheat software, Vanguard, could be dangerous. They also point out that this software is constantly running in the background.

I decided to start by investigating the veracity of these claims and started with RIOT’s own article ‘What is Vanguard’. This part of the article caught my attention:

Frankly, I am not satisfied with these texts. Yes, the RIOT article clearly states that Vanguard is already running from bootup, but if you ask me, the explanation is insufficient.

Since this article was unsatisfactory to me, I went back to Reddit and started searching again. Then I came across a long explanation by u/RiotArkem under a post in the r/VALORANT subreddit about this problem:

This explanation was more revealing than the article I read on Vanguard. Let’s take a look.

He says that the vgk.sys driver does indeed run at computer startup, but that it doesn’t scan anything unless the game is running, it doesn’t communicate with servers, it runs using as few system resources as possible, and it can be uninstalled at any time.

He also talked about the security and privileges of this driver. In terms of security, he said that they had their security investigation team look into it, that the driver did as little as possible, and that they gave the driver minimal privileges.

Performing Analysis

Now that we have covered the basics, we know what we can check with simple means, and we can start the analysis step by step.

First of all, I wanted to start the analysis with Wireshark. Let’s begin by seeing where the RIOT Client application connects when it is launched:

As you can see, when the Client application is run, data is sent to many more places than you might think.

We can’t see the content of the data sent here because, as you can see in the video, the traffic is encrypted, so tracing the payload is not possible. Instead, I decided to take a look at a few of the individual destination addresses:

When I tried to trace where the data was sent, I couldn’t find anything, but The PC Security Channel’s analysis in the video ‘Is Valorant Spyware?’ states that many of the IP addresses belong to Amazon servers. You can also take a look at that video, which was my inspiration for this topic. It’s a really good and revealing analysis.

When we look at the number of connections here, we can see that there are a lot of them, and unfortunately that is not encouraging. I thought to myself that this might be an exaggeration, so I wanted to compare it with the Epic Games app installed on my PC. Here is the result:

As you can see, there are fewer connections compared to the RIOT Client app. So we can see that the RIOT Client really is sending a lot of data.
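The comparison above (how many remote endpoints each launcher talks to) can be reproduced without Wireshark by snapshotting the TCP table per process. This is an added example, not code from the original post or from RIOT; the process-name patterns `Riot*` and `Epic*` are assumptions, and the reverse-DNS lookup is only a hint about who hosts an address (AWS PTR records usually end in amazonaws.com).

```powershell
# Added example: count live outbound TCP connections per matching process and
# show the distinct remote endpoints with their reverse-DNS names.
# 'Riot*' and 'Epic*' are assumed process-name patterns; adjust to your system.
$processPatterns = @('Riot*', 'Epic*')

function Get-RemoteEndpointSummary {
    param([string[]]$NamePatterns)

    # Map PID -> process name for every process whose name matches one of the patterns
    $pidToName = @{}
    foreach ($p in Get-Process) {
        foreach ($pattern in $NamePatterns) {
            if ($p.Name -like $pattern) { $pidToName[[int]$p.Id] = $p.Name; break }
        }
    }
    if ($pidToName.Count -eq 0) { return @() }

    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $pidToName.ContainsKey([int]$_.OwningProcess) } |
        Group-Object -Property { $pidToName[[int]$_.OwningProcess] } |
        ForEach-Object {
            $addresses = $_.Group.RemoteAddress | Sort-Object -Unique
            $endpoints = foreach ($addr in $addresses) {
                # Reverse lookup is best-effort; many cloud addresses have no PTR record
                $ptr = (Resolve-DnsName -Name $addr -Type PTR -ErrorAction SilentlyContinue |
                        Select-Object -First 1 -ExpandProperty NameHost)
                if ($ptr) { "$addr ($ptr)" } else { $addr }
            }
            [pscustomobject]@{
                Process            = $_.Name
                Connections        = $_.Count
                DistinctRemoteAddr = $addresses.Count
                Endpoints          = $endpoints -join ', '
            }
        }
}

Get-RemoteEndpointSummary -NamePatterns $processPatterns | Format-Table -AutoSize -Wrap
```

Run it once with the RIOT Client open and once with the Epic Games launcher open to get the two snapshots the text compares; a single snapshot only shows connections alive at that instant, so repeat it a few times after launch.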

I then turned my attention to the .sys file and took a brief look at vgk.sys via Process Explorer:

We can also check the status of vgk.sys faster with the driverquery tool:

But there is a problem, I think. Right now, no RIOT app is running on the operating system, not even in the background. This also applies to Riot Vanguard:

In my operating system, I turned off the RIOT services at the beginning. However, I saw that vgk.sys was still running.

Although RIOT’s article states that it already runs in the background, it is highly unlikely that this kernel driver will still run in the background even if all RIOT-related applications are closed. If the game is completely closed, what can software that protects me from cheating in games protect me from?

I’d like to continue my research by addressing the part mentioned above by Arkem, the former leader of Vanguard:

“Yes we run a driver at system startup, it doesn’t scan anything (unless the game is running), it’s designed to take up as few system resources as possible and it doesn’t communicate to our servers. You can remove it at anytime.”

He says that the software can be uninstalled at any time. After reading this again, I uninstalled Vanguard, rebooted the OS and checked whether vgk.sys was still on the system. The result:

Indeed, when the Vanguard software is uninstalled, vgk.sys is removed from the system. We have confirmed this.
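The two checks above (is the driver loaded while no RIOT process is running, and is its image file gone after uninstalling) can be scripted so they are repeatable after every reboot. This is an added example, not code from the original post or from RIOT; the driver service name `vgk` and the user-mode process patterns are assumptions taken from the file name vgk.sys, so adjust them if your system shows something else.

```powershell
# Added example: report the state of the Vanguard kernel driver and whether any
# Riot user-mode process is alive at the same time. Names below are assumptions.
$driverName      = 'vgk'
$clientPatterns  = @('Riot*', 'VALORANT*', 'vgtray*', 'vgc*')

function Get-DriverReport {
    param([string]$Name, [string[]]$ProcessPatterns)

    # Win32_SystemDriver carries the same fields as 'driverquery /v': state, start mode, image path
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = '$Name'" -ErrorAction SilentlyContinue

    # Cross-check with the driverquery tool used in the text (CSV output parses cleanly)
    $dq = driverquery /v /fo csv 2>$null | ConvertFrom-Csv | Where-Object { $_.'Module Name' -eq $Name }

    $clientProcs = Get-Process | Where-Object {
        $n = $_.Name
        ($ProcessPatterns | Where-Object { $n -like $_ }).Count -gt 0
    }

    # Driver image paths use kernel notation (\??\C:\... or \SystemRoot\...); turn them into Win32 paths
    $imagePath = if ($drv) { $drv.PathName } else { $null }
    $win32Path = if ($imagePath) {
        ($imagePath -replace '^\\\?\?\\', '') -replace '^\\SystemRoot', $env:SystemRoot
    }

    [pscustomobject]@{
        Checked            = Get-Date
        DriverRegistered   = [bool]$drv
        DriverState        = if ($drv) { $drv.State } else { 'not registered' }
        StartMode          = if ($drv) { $drv.StartMode } else { '-' }
        DriverqueryState   = if ($dq) { $dq.State } else { 'not listed' }
        ImagePath          = if ($win32Path) { $win32Path } else { '-' }
        ImageFileExists    = if ($win32Path) { Test-Path -LiteralPath $win32Path } else { $false }
        ClientProcesses    = if ($clientProcs) { ($clientProcs.Name | Sort-Object -Unique) -join ', ' } else { 'none' }
        # True reproduces the observation in the text: driver running, no Riot process alive
        RunsWithoutClient  = [bool]$drv -and ($drv.State -eq 'Running') -and (-not $clientProcs)
    }
}

Get-DriverReport -Name $driverName -ProcessPatterns $clientPatterns | Format-List
```

Run it from an elevated PowerShell so driverquery and the CIM query return full details; after uninstalling Vanguard and rebooting, DriverRegistered and ImageFileExists should both be False.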

Analyzing the vgk Driver

I was going to start a close analysis of the vgk.sys driver, but unfortunately I couldn’t pursue it because I found out that RIOT doesn’t allow us to analyze vgk.sys in any way.

At first, I installed the VALORANT game in a virtual machine, and after rebooting the system I noticed that the VANGUARD software was not starting. I tried various things, thinking it might be a bug, but it didn’t work:

This is because the vgk.sys driver is not initialized. I noticed that if Valorant is installed in any virtual machine, vgk.sys will not be initialized. Also, if debugging is enabled in the operating system, vgk.sys does not run. So even if you enable debugging to analyze the vgk.sys file running on your host machine, it will disable itself.

Since I couldn’t proceed with dynamic analysis, I turned to static analysis and wanted to take a look at the functions imported by the .sys file:

When I took a look at the APIs, I noticed that the vgk.sys driver imports APIs that let it control the computer’s operating environment and obtain the system clock and the system directory. Of course, since we cannot perform dynamic analysis, we cannot know what these are used for.

If you want to take a look at the full list of functions, here’s the list:

ZwClose
KeInitializeSpinLock
KeAcquireSpinLockAtDpcLevel
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
KeReleaseSpinLockFromDpcLevel
ExAllocatePoolWithTag
KeLowerIrql
KfRaiseIrql
KeInitializeDpc
KeInitializeTimer
KeSetTimer
MmMapLockedPagesSpecifyCache
MmUnmapLockedPages
MmAllocatePagesForMdl
MmFreePagesFromMdl
IoFreeMdl
IoAllocateWorkItem
IoQueueWorkItem
IoInitializeWorkItem
RtlDuplicateUnicodeString
ObfDereferenceObject
KeBugCheckEx
_stricmp
__C_specific_handler
KeIpiGenericCall
ExFreePoolWithTag
ProbeForRead
IoGetCurrentProcess
wcscpy_s
RtlInitUnicodeString
RtlTimeToTimeFields
KeAreAllApcsDisabled
ExSystemTimeToLocalTime
ZwWriteFile
IoCreateFileEx
ZwFlushBuffersFile
swprintf_s
vswprintf_s
_vsnwprintf
KeInitializeApc
KeInsertQueueApc
wcscat_s
ZwReadFile
ZwQuerySystemInformation
IoGetStackLimits
strchr
RtlPrefixUnicodeString
RtlMultiByteToUnicodeN
MmHighestUserAddress
ObReferenceObjectByHandle
IoFileObjectType
strnlen

Conclusion

Based on the analysis of the behavior of Vanguard’s driver, vgk.sys, I think that the Valorant game is closer to being spyware. However, this conclusion can be confirmed or refuted by deeper analysis. I also think that RIOT should be more transparent about this issue. In particular, it is important that they provide more information about what Vanguard does and how it works. I think RIOT should adopt a more open communication policy to address users’ privacy and security concerns.

References