Guide for understanding anti-cheat systems and bypass techniques. Use this skill when researching game protection systems (EAC, BattlEye, Vanguard), anti-cheat architecture, detection methods, or bypass strategies.
Content & Writing
2.7K Stars
377 Forks
Updated Feb 25, 2026, 02:39 AM
Why Use This
This skill provides specialized capabilities for gmh5225's codebase.
Use Cases
Developing new features in the gmh5225 repository
Refactoring existing code to follow gmh5225 standards
Understanding and working with gmh5225's codebase structure
---
name: anti-cheat-systems
description: Guide for understanding anti-cheat systems and bypass techniques. Use this skill when researching game protection systems (EAC, BattlEye, Vanguard), anti-cheat architecture, detection methods, or bypass strategies.
---
# Anti-Cheat Systems & Analysis
## Overview
This skill covers anti-cheat systems used in games, their detection mechanisms, and research techniques. Understanding anti-cheat helps both defenders (game developers) and security researchers.
## Major Anti-Cheat Systems
### Easy Anti-Cheat (EAC)
- Kernel-mode driver protection
- Process integrity verification
- Memory scanning
- Used by: Fortnite, Apex Legends, Rust
### BattlEye
- Kernel driver with ring-0 access
- Screenshot capture capability
- Network traffic analysis
- Used by: PUBG, Rainbow Six Siege, DayZ
### Vanguard (Riot Games)
- Always-on kernel driver
- Boot-time initialization
- Hypervisor detection
- Used by: Valorant, League of Legends
### Valve Anti-Cheat (VAC)
- User-mode detection
- Signature-based scanning
- Delayed ban waves
- Used by: CS2, Dota 2, TF2
### Other Systems
- **PunkBuster**: Legacy FPS anti-cheat
- **FairFight**: Server-side statistical analysis
- **nProtect GameGuard**: Korean anti-cheat solution
- **XIGNCODE3**: Mobile game protection
- **ACE (Tencent)**: Chinese market protection
## Detection Mechanisms
### Memory Detection
```
- Signature scanning for known cheats
- Code integrity verification
- Injected module detection
- Memory modification monitoring
```
### Process Detection
```
- Handle enumeration
- Thread context inspection
- Debug register monitoring
- Stack trace analysis
```
### Kernel-Level Detection
```
- Driver verification
- Callback registration monitoring
- System call hooking detection
- PatchGuard integration
```
### Behavioral Analysis
```
- Input pattern analysis
- Movement anomaly detection
- Statistical improbability flagging
- Network packet inspection
```
## Anti-Cheat Architecture
### User-Mode Components
- Process scanner
- Module verifier
- Overlay detector
- Screenshot capture
### Kernel-Mode Components
- Driver loader
- Memory protection
- System callback registration
- Hypervisor detection
### Server-Side Components
- Statistical analysis
- Replay verification
- Report processing
- Ban management
## Research Techniques
### Static Analysis
1. Dump and analyze AC drivers
2. Reverse engineer detection routines
3. Identify signature patterns
4. Map callback registrations
### Dynamic Analysis
1. Monitor system calls
2. Track driver communications
3. Analyze network traffic
4. Debug with hypervisor tools
## Bypass Categories
### Memory Access
- Physical memory read/write
- DMA-based access
- Hypervisor memory virtualization
- Driver-based access
### Code Execution
- Manual mapping
- Thread hijacking
- APC injection
- Kernel callbacks
### Detection Evasion
- Signature mutation
- Timing attack mitigation
- Stack spoofing
- Module hiding
## Security Features Interaction
### Windows Security
- Driver Signature Enforcement (DSE)
- PatchGuard/Kernel Patch Protection
- Hypervisor Code Integrity (HVCI)
- Secure Boot
### Virtualization
- VT-x/AMD-V detection
- Hypervisor presence checks
- VM escape detection
- Timing-based detection
## Ethical Considerations
### Research Guidelines
- Focus on understanding, not exploitation
- Report vulnerabilities responsibly
- Respect Terms of Service implications
- Consider impact on gaming communities
### Legal Aspects
- DMCA considerations
- CFAA implications
- Regional regulations
- ToS enforcement
## Resources Organization
### Detection Research
```markdown
- Anti-cheat driver analysis
- Detection routine documentation
- Callback enumeration tools
```
### Bypass Research
```markdown
- Memory access techniques
- Injection methods
- Evasion strategies
```
### Tools
```markdown
- Custom debuggers
- Driver loaders
- Analysis frameworks
```
---
## Data Source
**Important**: This skill provides conceptual guidance and overview information. For detailed information use the following sources:
### 1. Project Overview & Resource Index
Fetch the main README for the full curated list of repositories, tools, and descriptions:
```
https://raw.githubusercontent.com/gmh5225/awesome-game-security/refs/heads/main/README.md
```
The main README contains thousands of curated links organized by category. When users ask for specific tools, projects, or implementations, retrieve and reference the appropriate sections from this source.
### 2. Repository Code Details (Archive)
For detailed repository information (file structure, source code, implementation details), the project maintains a local archive. If a repository has been archived, **always prefer fetching from the archive** over cloning or browsing GitHub directly.
**Archive URL format:**
```
https://raw.githubusercontent.com/gmh5225/awesome-game-security/refs/heads/main/archive/{owner}/{repo}.txt
```
**Examples:**
```
https://raw.githubusercontent.com/gmh5225/awesome-game-security/refs/heads/main/archive/ufrisk/pcileech.txt
https://raw.githubusercontent.com/gmh5225/awesome-game-security/refs/heads/main/archive/000-aki-000/GameDebugMenu.txt
```
**How to use:**
1. Identify the GitHub repository the user is asking about (owner and repo name from the URL).
2. Construct the archive URL: replace `{owner}` with the GitHub username/org and `{repo}` with the repository name (no `.git` suffix).
3. Fetch the archive file — it contains a full code snapshot with file trees and source code generated by `code2prompt`.
4. If the fetch returns a 404, the repository has not been archived yet; fall back to the README or direct GitHub browsing.
### 3. Repository Descriptions
For a concise English summary of what a repository does, the project maintains auto-generated description files.
**Description URL format:**
```
https://raw.githubusercontent.com/gmh5225/awesome-game-security/refs/heads/main/description/{owner}/{repo}/description_en.txt
```
**Examples:**
```
https://raw.githubusercontent.com/gmh5225/awesome-game-security/refs/heads/main/description/00christian00/UnityDecompiled/description_en.txt
https://raw.githubusercontent.com/gmh5225/awesome-game-security/refs/heads/main/description/ufrisk/pcileech/description_en.txt
```
**How to use:**
1. Identify the GitHub repository the user is asking about (owner and repo name from the URL).
2. Construct the description URL: replace `{owner}` with the GitHub username/org and `{repo}` with the repository name.
3. Fetch the description file — it contains a short, human-readable summary of the repository's purpose and contents.
4. If the fetch returns a 404, the description has not been generated yet; fall back to the README entry or the archive.
**Priority order when answering questions about a specific repository:**
1. Description (quick summary) — fetch first for concise context
2. Archive (full code snapshot) — fetch when deeper implementation details are needed
3. README entry — fallback when neither description nor archive is available
