
What is a Kernel Cheat?

A kernel cheat is a video-game cheat that operates from Windows kernel mode (ring 0) rather than user mode (ring 3). The cheat is implemented as a signed or manually-mapped kernel driver that has direct access to all system memory, can bypass user-mode anti-cheat restrictions, and can intercept anti-cheat scans before they reach the cheat's data. Kernel cheats emerged as the response to kernel-level anti-cheats like Vanguard, EAC, and BattlEye, which themselves run in ring 0.

RawCheats Anti-Cheat Research Team · Updated May 12, 2026

A kernel cheat is the software-only equivalent of a DMA cheat — both seek to operate outside the reach of conventional anti-cheat scanning, but a kernel cheat does it through Windows itself rather than through a separate computer. Where DMA cheats use a second PC and a PCIe card, a kernel cheat runs as a Windows driver on the same machine and uses the kernel's privileges to hide from user-mode and even some kernel-mode anti-cheat scanning.

Why kernel cheats exist

The first generation of cheats ran entirely in user mode — DLLs injected into the game process, hooks installed in the game's API surface. Anti-cheats responded by adding kernel components (Easy Anti-Cheat's EasyAntiCheat_EOS.sys, BattlEye's BEDaisy.sys, Riot's vgk.sys) that ran with ring-0 privileges and could scan everything in user mode while remaining invisible to user-mode scanning. Cheat developers responded by going kernel-mode themselves so they would have the same privilege level as the anti-cheat and could hide their data from anti-cheat scanning the same way the anti-cheat hides its data from user-mode cheats.

How a kernel cheat works

A kernel cheat is implemented as a Windows kernel-mode driver (.sys file). It is loaded into the system via one of three paths:

  • Signed driver load — the cheat ships with a valid Microsoft-signed certificate (rare, expensive, and risky for the signer)
  • Manual mapping — the cheat exploits a vulnerability in an existing signed driver (a "BYOVD" — bring your own vulnerable driver — pattern) to load unsigned cheat code into the kernel
  • Test-signing mode — the user enables Windows test signing and loads a self-signed cheat driver; this trips Vanguard and several anti-cheats and is rarely used in 2026

Once loaded, the cheat driver can read and write the game's memory using kernel-mode APIs (MmCopyVirtualMemory, MmMapIoSpace), hide its own presence from anti-cheat scans by hooking the kernel-mode functions anti-cheats use to enumerate drivers and processes, and communicate with a user-mode component (the cheat menu) via secure IRP channels.

Common kernel-cheat capabilities

  • Read game memory without using user-mode ReadProcessMemory (which kernel anti-cheats monitor)
  • Hook the game process's threads from kernel mode to inject input
  • Hide the cheat driver from EnumDeviceDrivers, the loaded-module list, and PsActiveProcessList
  • Block anti-cheat scan IRPs targeting the cheat driver
  • Survive anti-cheat callbacks that try to terminate the cheat at boot

How anti-cheats detect kernel cheats

Kernel anti-cheats fight kernel cheats on the same playing field. The primary detection lanes are:

  • Driver signature scanning — Riot Vanguard, EAC, and BattlEye scan loaded drivers against vendor-curated blocklists. Known cheat driver signatures fail load instantly.
  • Vulnerable driver detection — Microsoft's vulnerable driver blocklist (managed by the Vulnerable Driver Blocklist policy) is enforced by Vanguard and increasingly by EAC; loading a known BYOVD driver is blocked at the OS level.
  • HVCI / HyperGuard — Hypervisor-protected Code Integrity enforces that kernel code pages be signed and immutable, blocking many kernel cheat injection techniques.
  • TPM 2.0 attestation — chip-level boot integrity reports any kernel modification; covered in Microsoft Remote Attestation.
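The three load paths and the four detection lanes above map directly onto settings a defender can read off the host. The script below is an added example written for this page, not RawCheats code and not part of any anti-cheat product; it checks, from an elevated PowerShell session on Windows 10/11, whether HVCI is running, whether the vulnerable driver blocklist is enforced, whether test-signing mode is on, whether a TPM is present, and whether any running kernel driver fails Authenticode verification. The `Win32_DeviceGuard` class, the `VulnerableDriverBlocklistEnable` registry value, `bcdedit /enum`, `Get-Tpm` and `Get-AuthenticodeSignature` are real, documented Windows interfaces; the function names and the report layout are this example's own.

```powershell
# Added example (not from the RawCheats page): defender-side posture check
# against the kernel-cheat detection lanes listed above.
# Run as Administrator. Function names are this example's own choices.

function Get-HvciStatus {
    # Win32_DeviceGuard lives under root\Microsoft\Windows\DeviceGuard.
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-VulnerableDriverBlocklistStatus {
    # Microsoft's vulnerable driver blocklist is toggled by this CI\Config value
    # (DWORD 1 = enforced). When the value is absent the platform default applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' `
                            -ErrorAction SilentlyContinue
    if ($null -eq $val) { return 'not set (platform default applies)' }
    if ($val.VulnerableDriverBlocklistEnable -eq 1) { 'enforced' } else { 'disabled' }
}

function Test-TestSigningEnabled {
    # Load path 3 above (self-signed driver) needs "testsigning Yes" in the BCD.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    return [bool]($bcd | Where-Object { $_ -match '^\s*testsigning\s+Yes' })
}

function Get-TpmStatus {
    # Get-Tpm comes from the built-in TrustedPlatformModule module.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        [pscustomobject]@{ Present = $tpm.TpmPresent; Ready = $tpm.TpmReady }
    } catch {
        [pscustomobject]@{ Present = 'unknown'; Ready = 'unknown' }
    }
}

function Get-UnsignedOrUnknownDrivers {
    # Enumerate running kernel drivers and verify each image's Authenticode
    # signature. Anything whose Status is not 'Valid' (NotSigned, HashMismatch,
    # UnknownError, ...) is exactly what signature scanning and HVCI exist to block.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the kernel-style paths WMI reports (\SystemRoot\..., \??\C:\...).
            $path = $_.PathName.Trim('"')
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{ Name = $_.Name; Path = $path; Status = $sig.Status }
                }
            }
        }
}

# Usage: one-screen summary of the host's posture.
[pscustomobject]@{
    Hvci                 = Get-HvciStatus
    VulnerableDriverList = Get-VulnerableDriverBlocklistStatus
    TestSigningMode      = Test-TestSigningEnabled
    Tpm                  = Get-TpmStatus
} | Format-List

Write-Host 'Running drivers that do not verify as Valid:'
Get-UnsignedOrUnknownDrivers | Format-Table -AutoSize
```

A host where HVCI reports running, the blocklist reports enforced, test-signing is off and the driver table comes back empty has closed the three load paths as far as the built-in Windows controls reach; a driver that is signed but sits on the vulnerable driver blocklist will still pass the Authenticode check here, which is why the blocklist status is reported separately rather than inferred from signatures.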

2026 detection landscape

Kernel cheats are still viable in 2026 but the bar has risen substantially. HVCI is enabled by default on most modern Windows 11 installs; Microsoft Pluton adds chip-level integrity for newer hardware; Vanguard's HyperGuard-style hypervisor approach is moving toward operating-system-level cheat protection. New cheat drivers require active BYOVD research to find vulnerable signed drivers that aren't yet on the blocklist. Many cheat vendors have abandoned the kernel-cheat lane entirely in favor of DMA hardware or behavioral-evasion strategies. RawCheats products use kernel components only where required for protection — the rest is user-mode with discipline. Pair with our HWID spoofer pillar for the underlying identity layer.

Sources

  1. HVCI / Device Guard, Microsoft Learn
  2. Vulnerable Driver Blocklist, Microsoft Learn
  3. Riot Competitive Integrity Update, Riot Games

Related Questions

Internal vs External Cheats — Explained

Internal cheats run as code injected directly into the game process — typically a DLL loaded into the game's address space — and access game memory directly through pointer dereferences. External cheats run as a separate process (or on a separate machine) and access game memory via inter-process APIs like ReadProcessMemory or via DMA hardware. Internal cheats offer better performance and richer rendering options; external cheats offer better detection isolation. Modern paid cheats are mostly external with internal renderers for ESP.

What is a DMA Cheat?

A DMA (Direct Memory Access) cheat is a hardware-based video-game cheat that reads the gaming PC's RAM through a PCIe expansion card installed in a second computer. The two PCs are connected by a fiber optic link (typically USB-C to a Squirrel firmware FPGA card), and the second PC processes game memory to render ESP, drive aimbot input, and operate radar — entirely outside the gaming PC's operating system. DMA cheats avoid software anti-cheats because no cheat code runs on the gaming PC.

Why Do Anti-Cheats Need Kernel Access?

Anti-cheats need kernel access because cheat developers use kernel drivers. A user-mode anti-cheat cannot reliably detect a kernel-mode cheat — the kernel cheat operates at a higher privilege level than the user-mode AC and can hide from it. To level the playing field, modern AAA anti-cheats (EAC, BattlEye, Vanguard, NeacSafe, Ricochet) ship signed kernel drivers that run in ring 0 alongside Windows itself. This is the structural reason kernel anti-cheat became standard between 2020 and 2026.

What Is a Kernel-Level Anti-Cheat?

A kernel-level anti-cheat is anti-cheat software that runs in ring 0 — the same privilege level as the Windows kernel — via a signed driver loaded into the OS. This gives it visibility into all processes, threads, drivers, kernel callbacks, and physical memory on the system. Examples: Easy Anti-Cheat (EAC), BattlEye (BEDaisy.sys), Riot Vanguard (vgk.sys), Activision Ricochet, NeacSafe, Zakynthos. Defense Matrix and VAC are NOT kernel-level — they run in user mode.

What Is Microsoft Remote Attestation?

Microsoft Remote Attestation is a Windows platform feature that lets a remote server cryptographically verify a client device's identity, boot state, and configuration using the TPM 2.0 endorsement key (EK) certificate plus signed boot-log measurements. The TPM signs an attestation quote with a hardware-protected key, the server validates it against the TPM vendor's CA, and the result is a non-spoofable answer to "is this machine in a trusted state?" Adopted by Call of Duty Black Ops 7 and increasingly by AAA anti-cheats in 2026.
