Anti-Cheat systems in games

This is a blog series about anti-cheat systems in games. I would like to start it with a brief introduction to the topics we will cover.

What is an anti-cheat?

Anti-cheats are often used to prevent malicious access to our game process and network. There are many attack vectors an attacker could use to gain an in-game advantage or, simply put, disrupt the gameplay experience for other players (in some cases the attacker could even grief). Let's divide those vectors into five main domains and review each of them:

  • Memory manipulation
  • Code injection
  • Macro cheats
  • Network MITM (man-in-the-middle) proxy
  • Hardware cheats

Memory manipulation

A lot of readers have probably used CheatEngine, ArtMoney or simple trainers to gain some gold or some other advantage in a single-player game. All those programs find values in the target process's memory either by using predefined addresses (when the addresses are static) or by locating those addresses with techniques such as signature scanning or a simple value lookup in memory. It is also possible that an attacker will alter executable code in memory in order to skip some checks, or even replace code blocks with malicious ones.
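As an added illustration (not code from this post or the series it introduces), here is one client-side obstacle to the value lookup just described, in C: the plaintext never sits in memory, so a scan for the number shown on screen finds nothing, and an integrity tag lets the game notice a direct write to the raw field. The key and values are constructed for the demo, and the scheme is a speed bump rather than a guarantee, which is why the server-side checks the post recommends still matter.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* A protected integer: the plaintext never sits in memory, so a tool that
 * scans for the number shown on screen (e.g. 100 gold) finds nothing. */
typedef struct {
    uint32_t key;      /* per-instance mask; fixed here, use a CSPRNG in a real game */
    uint32_t encoded;  /* value ^ key */
    uint32_t check;    /* integrity tag over (key, encoded) */
} protected_u32;

/* FNV-1a over the two words: cheap, and enough to catch a blind raw write. */
static uint32_t tag_of(uint32_t key, uint32_t encoded) {
    uint8_t buf[8];
    uint32_t h = 2166136261u;
    memcpy(buf, &key, 4);
    memcpy(buf + 4, &encoded, 4);
    for (int i = 0; i < 8; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

void pv_init(protected_u32 *p, uint32_t key, uint32_t value) {
    p->key = key;
    p->encoded = value ^ key;
    p->check = tag_of(p->key, p->encoded);
}

/* Returns false (leaving *out untouched) if the fields were written behind our back. */
bool pv_get(const protected_u32 *p, uint32_t *out) {
    if (tag_of(p->key, p->encoded) != p->check) return false;
    *out = p->encoded ^ p->key;
    return true;
}

bool pv_set(protected_u32 *p, uint32_t value) {
    uint32_t cur = 0;
    if (!pv_get(p, &cur)) return false;  /* refuse to build on a tampered value */
    p->encoded = value ^ p->key;
    p->check = tag_of(p->key, p->encoded);
    return true;
}

/* Stand-in for a memory editor: writes the raw field without knowing the scheme. */
void simulate_raw_write(protected_u32 *p, uint32_t raw) { p->encoded = raw; }

/* Scenario from the post: the player has 100 gold, a cheat writes 999999 over the
 * raw field, and the next legitimate read notices the tag mismatch. */
bool demo_detects_raw_write(void) {
    protected_u32 gold;
    uint32_t v = 0;
    pv_init(&gold, 0xA5A5A5A5u, 100u);  /* constructed key and value */
    if (!pv_get(&gold, &v) || v != 100u || gold.encoded == 100u) return false;
    simulate_raw_write(&gold, 999999u);
    return !pv_get(&gold, &v);
}
```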

Code injection

This type of cheat injects its code into the game. It could be shellcode injection (raw code bytes written directly into process memory) or DLL injection. Code injection can be used to completely change the behavior of the game code: functions can be detoured (or hooked, if you prefer to call it that) and additional functionality can be implemented. Basically, once an attacker has successfully injected code into our process, we're done; it's game over, because the attacker now has almost full control over the game.

Macro cheats

These are simple macros used to automate user input. They could be skill macros that press buttons for the player, or a macro for weapon recoil compensation, which gives the attacker an advantage.

Network MITM proxy

A man-in-the-middle proxy is used for sniffing and/or modifying network traffic. Basically, an attacker could run such a cheat even on a smartphone, since it doesn't interact with the game process at all. The most obvious cheat that could be implemented using a MITM proxy is a radar that shows all players (or any other replicated entities) on the device's screen.

Hardware cheats

These are the most advanced and stealthy cheats that exist. Basically, they are special devices plugged into a PCIe slot that read and write memory directly, without even needing an OS installed on the target PC.

Conclusion

Most cheats aren't really unique and can be divided into those five categories. With this knowledge we can start to develop a detection/protection strategy for each of them. In the next posts we will start to implement our own anti-cheat, which will protect our game against those threats.

While we could protect our game using a general-purpose anti-cheat (like the one we will implement), it is still highly recommended to implement server-side checks for everything the player does.