Kernel Cheats vs Anti-Cheat: How Devs Make ESP

In my last post I defined ESP and briefly touched on how it works. In this post, I’ll break down the technical details of how an ESP cheat is designed, and how it’s used to reveal game data. Think of developing this cheat as performing an exfil operation, a mission to discover player names, player health, coordinates and other data to extract from the game’s protected memory space. This is all done from the inside: in order to pull this heist off, a kernel mode driver is deployed within Ring 0, the most powerful and privileged level of an operating system. Here’s how it’s done in Windows.

Finding The Target: Getting The Process ID

Something to take note of is that the kernel driver needs to identify the target process before this special operation can even begin. Along with ESP there is an overlay that is drawn on top of the game application’s window. This overlay always operates in user mode, because all of the graphics functionality is handled by user mode APIs like DirectX, which are not available from the kernel. This user mode overlay uses a function like FindWindowA to find the game’s (myFavoriteFPS.exe) main window, which returns a unique window handle. It then passes that handle to a second call, GetWindowThreadProcessId, to get the process id of the game, and sends both the handle and the process id to the kernel driver.

You might think that this is risky and could end up triggering anti-cheat software, but that isn’t true. There are tons of legitimate applications that use the same functions to find and draw overlays on top of the game windows, like Discord, screen recorders like OBS, and accessibility tools. So this behavior flies under the radar.

Breaking In: Getting An All Access Key

Now that the driver has the process id, it does something that a normal, unprivileged application can’t do: gain access to the game’s protected memory space. This is where the kernel driver comes into play. The driver uses its privileged position to call the operating system’s kernel directly (PsLookupProcessByProcessId) and obtain a pointer to the kernel’s management object for the game process, a structure called EPROCESS. Since the driver is also sitting in Ring 0, the kernel hands it over without complaint. This structure is the key that grants access to the process’s virtual memory, the internal representation of the game, which can’t be reached from user mode.

Doing Recon: Defeating Address Space Layout Randomization (ASLR)

The next obstacle is ASLR, a security feature that loads data into a randomized memory address every time the game starts up. But wait, how is it possible to find the data if it always moves around? Don’t exploit techniques like ROP have to be used? Nope, because the driver has kernel access!

In order to bypass ASLR, the driver just performs a bit of reconnaissance. It takes the newly discovered EPROCESS and passes it to PsGetProcessSectionBaseAddress to ask the OS kernel, “Hey, where’d you put the game data?”, and the kernel responds with the random base address for the current session. I discovered this function by doing some deep googling and found that it is actually undocumented and may not exist in the same form in all versions of the Windows kernel. However, cheat devs take the time to reverse engineer the kernel image ntoskrnl.exe, and consult with the cheat development community, to figure out how it works. So if the call to this function is successful, the driver can continue on.

How to Find Treasure: Pointer Chain Traversal

Now that the base address has been revealed, the driver has to navigate the game’s complex virtual memory to extract the game data. To do this, developers must reverse engineer the game offline in order to map out its internal data structures. With help from debuggers and disassemblers, and the cheat development community, the devs build a treasure map out of a discovered sequence of static offsets, called a pointer chain, to find these data structures. This map allows the driver to go from the base address of the game to the crown jewels, the exact memory locations of critical game data such as the entity list, player objects and the game's view matrix. This also allows for the creation of the aimbot cheat.

Driver using pointer chain traversal to discover player 1’s health value
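To make the “treasure map” idea concrete, here is an added example (not code from the post, and not a driver) that walks a pointer chain over a small memory image constructed in Python. The layout, the names (Memory, build_image, follow_chain, PLAYER1_HEALTH_CHAIN) and every offset are assumptions made up for the illustration; no real process or game is involved. It shows three things an anti-cheat engineer cares about: the same chain of static offsets works at any base address (which is why ASLR alone does not stop it), a change in structure layout between builds silently returns the wrong field, and encoding the stored pointers makes the chain walk off the mapping entirely.

```python
import struct

PTR_SIZE = 8  # 64-bit pointers


class Memory:
    """One contiguous region mapped at `base`, standing in for a process image (constructed)."""

    def __init__(self, base: int, size: int):
        self.base = base
        self.buf = bytearray(size)

    def _offset(self, addr: int, n: int) -> int:
        # Reject reads outside the mapping, as an unmapped page would.
        if addr < self.base or addr + n > self.base + len(self.buf):
            raise ValueError(f"unmapped address {addr:#x}")
        return addr - self.base

    def write_u64(self, addr: int, value: int) -> None:
        struct.pack_into("<Q", self.buf, self._offset(addr, 8), value)

    def write_i32(self, addr: int, value: int) -> None:
        struct.pack_into("<i", self.buf, self._offset(addr, 4), value)

    def read_u64(self, addr: int) -> int:
        return struct.unpack_from("<Q", self.buf, self._offset(addr, 8))[0]

    def read_i32(self, addr: int) -> int:
        return struct.unpack_from("<i", self.buf, self._offset(addr, 4))[0]


# "Static offsets" a reverse engineer would have recorded offline. All constructed.
ENTITY_LIST_PTR_RVA = 0x1000  # base + RVA holds a pointer to the entity list
ENTITY_SLOT_SIZE = 0x10       # one pointer per slot, padded
HEALTH_OFFSET = 0x24          # int32 inside a player object

# Chain for player 1's health: [RVA of first pointer, slot offset, field offset]
PLAYER1_HEALTH_CHAIN = [ENTITY_LIST_PTR_RVA, 1 * ENTITY_SLOT_SIZE, HEALTH_OFFSET]


def follow_chain(mem: Memory, base: int, chain: list) -> int:
    """Dereference every offset but the last; the last is added to form the final address."""
    addr = base
    for off in chain[:-1]:
        addr = mem.read_u64(addr + off)
    return addr + chain[-1]


def build_image(base: int, player_healths: list, *, pointer_key: int = 0,
                health_offset: int = HEALTH_OFFSET) -> Memory:
    """Lay out a toy game image: a pointer to an entity list, then player objects.

    pointer_key != 0 models pointer encoding (XOR) as a mitigation; a different
    health_offset models a structure-layout change between game builds.
    """
    mem = Memory(base, 0x4000)
    entity_list = base + 0x2000
    mem.write_u64(base + ENTITY_LIST_PTR_RVA, entity_list ^ pointer_key)
    for i, hp in enumerate(player_healths):
        player = base + 0x3000 + i * 0x100
        mem.write_u64(entity_list + i * ENTITY_SLOT_SIZE, player ^ pointer_key)
        mem.write_i32(player + health_offset, hp)
    return mem


def read_player1_health(base: int, **layout) -> int:
    """Build the image at `base` with constructed health values and walk the chain."""
    mem = build_image(base, [100, 73, 12], **layout)
    return mem.read_i32(follow_chain(mem, base, PLAYER1_HEALTH_CHAIN))


def chain_result(base: int, **layout):
    """Value the stale chain yields, or None when it walks off the mapping."""
    try:
        return read_player1_health(base, **layout)
    except ValueError:
        return None


if __name__ == "__main__":
    print("base A:", chain_result(0x7FF6_1000_0000))                       # 73
    print("base B:", chain_result(0x7FF7_ABCD_0000))                       # 73 (rebased, same offsets)
    print("layout changed:", chain_result(0x7FF6_1000_0000, health_offset=0x28))  # 0, wrong field
    print("encoded pointers:", chain_result(0x7FF6_1000_0000, pointer_key=0x7F3E9D1C2B4A6F00))  # None
```

The first two calls show why the driver only needs the base address: the offsets are relative, so the chain survives rebasing. The last two show the map’s fragility, which is what anti-cheat teams lean on when they shuffle layouts per build or store encoded pointers.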

The Exfil: Using Privilege Access to Read Game Data

Now that the driver has calculated the final memory addresses of the data it wants (enemy 3D coordinates, entity lists, player names), it steals that data right from the game. It uses another privileged kernel function (MmCopyVirtualMemory) to read from those addresses and copy the contents into the driver’s own buffer. All of this is completely invisible to user mode security software and isn’t resource intensive. The buffer now contains live game data, intel that is secretly passed to the user mode overlay application, which displays it to the cheating player: ESP.

The End?

I’ve explained how kernel mode cheat drivers work and how they’re used to steal data from a game. After reading this, you probably realize that the feat of making kernel level cheats is not simple. All of these steps require a deep understanding of concepts such as low level systems programming, the inner workings of operating systems, a solid foundation in computer science, and reverse engineering. Cheat developers spend years studying and learning these arts. Some have access to information that isn’t necessarily taught in school.

This knowledge isn’t unique to cheat devs; there are ethical hackers in this digital arms race too! For every exploit, novel detection and prevention mechanisms are being developed. At Boss Level Security our engineers and researchers are dedicated to pioneering next-gen anti-cheat defenses to prevent cheaters from ruining our favorite games.

This effort requires a united front. If you are a game developer, a security researcher, or an anti-cheat team that shares the passion of solving complex security challenges, we want to collaborate. So let’s team up!

Contact us if you’d like to join us in this battle!

After reading this, you might be thinking, well how does anti-cheat currently fight back against cheaters? In my next blog post I’ll dive into it.
