Comment by shaokind 18 hours ago

Honest question: do you segment your activities on your computer on different users?

No? In which case, what practical spyware risk does a kernel level driver add that user mode software can’t do?

User mode software can spy on your clipboard, surreptitiously take screenshots, and take data out of your system. That spooks me enough that, if I don’t trust a software manufacturer, I don’t install it. Kernel mode makes no practical difference in my security posture.

xg15 18 hours ago

For starters:

- Creating a unique ID that is directly bound to hardware.

- Accessing the memory of any process, including browsers or messengers.

- Installing persistent background processes that are hidden from the rest of the system.

But I think that's the wrong question. Talking about the kernel driver is a distraction.

The abuse scenario that I think is most likely would be that the game and/or anticheat vendor uses the hardware ID for user profiling instead of just ban enforcement, and that the "logging" functionality is co-opted to detect software or activities that aren't related to cheats at all, but are just competition of the vendor or can once again be used for profiling, etc.

None of that strictly requires a kernel driver. Most of that stuff could be easily done with a usermode daemon. But under normal circumstances, there is no way I'd install such a program. Only in the name of cheat prevention, suddenly it gets permissible to make users install that stuff if all they want to do is play some game.

  • Hikikomori 6 hours ago

    The point is, you don't need a kernel driver to access most of your data. Just a user space process can go read all your files and memory of processes of the same user.

    • xg15 5 hours ago

      Yes. But I normally wouldn't install such a user space process either, if I can avoid it. Anticheat is trying to normalize that behavior.

throwaway01934 18 hours ago

> User mode software can spy on your clipboard, surreptitiously take screenshots, and take data out of your system

Not on any properly secured Linux machine. But yes, it's generally a bad idea to install software you don't trust, a category that anticheats slot nicely into, given their resistance to auditing and analysis.

  • vilunov 16 hours ago

    A properly secured Linux machine is a unicorn. The Linux desktop ecosystem is struggling a lot with putting software in namespaces. People still install software with their package managers outside Flatpak, there is no isolation of data, not to say many workflows depend on the whole user directory being available to access.

frollogaston 13 hours ago

This is adjacent to how Linux users claim their default system is inherently more malware-resistant than Windows, when either way you're trusting anything you run in user space with almost everything important.

foresto 11 hours ago

> Honest question: do you segment your activities on your computer on different users?

Yes.