While the lite version of Scout provides some level of protection from common exploits, an experienced game hacker (one that does hacking for a living) will be able to circumvent the protections with ease given the nature of user mode anti-cheats.
User Mode vs Kernel Mode
In computer science, protection rings are mechanisms to protect application data and code instructions from accidental corruption and malicious behavior. Operating systems grant each ring its own privileges, which allows each ring to serve a particular purpose to the best of its ability in a safe manner.
Ring 3
In Ring 3 you will find most of your common applications executing. This is where your game will execute. These applications may or may not be trusted by the system via a code signing certificate.
In this ring, processes are given neither direct access to the resources allocated to other processes nor access to system memory. In order to access another process's resources, one must invoke particular exported NTAPIs (Native Application Programming Interface) that will flip the CPU mode from user mode to supervisor mode, execute the trusted and secure instruction set, swap back to user mode and return the result.
Ring 1 & 2
Rings 1 and 2 are used for device drivers, such as the driver required to print a photo to your printer. These rings are not used particularly often. The vast majority of applications will execute in Ring 3, and those that don't typically execute in Ring 0.
Ring 0
Ring 0 is the most privileged ring. This is where the operating system itself executes.
Drivers executing at this level are required to have a Microsoft-issued code signing certificate. In order for the OS to run with secure boot enabled, the certificate must be of the extended validation variety, which requires developers to submit personal documentation, adhere to particular code development guidelines and upload their binaries to a Microsoft developer portal, which will enqueue the binaries for a signature by Microsoft.
Code executing at Ring 0 is given nearly unfiltered access to the virtual address spaces of all executing processes as well as the ability to invoke any kernel function, exported or not.
Scout Lite is a User Mode anti-cheat
The lite version of Scout executes within your game's process and therefore resides in user mode (Ring 3) space. As a result, cheat developers who have advanced into Ring 0 will be able to bypass some of the protections we've included with Scout Lite.
All is not lost, though! Given that Scout Lite is designed for single-player games, it's highly unlikely that any person will jump through the hoops required to create an application in Ring 0 simply to rob themselves of the entertainment your game has to offer. This is the key to understanding anti-cheats: it's next to impossible to 100% secure a game with any anti-cheat, even one executing at the highest privilege levels. The goal is to make cheating difficult enough that it's not worth it to a cheater, with as small a performance hit as possible. In single-player games, cheaters are only harming themselves, whereas multiplayer games are a whole other situation.
Scout Lite will stop your average cheater from being tempted to ruin their own experience and encourage a continued time investment into your game.