- Game Name
- Source Engine games
- Anticheat
- Valve Anticheat duh
- How long you been coding/hacking?
- 4 Years
- Coding Language
- N/A
VAC or Valve AntiCheat is software running on the client and server that attempts to detect cheaters. It is made by Valve and has been around since the early days of Counter Strike, most known for it's usage in CSGO but, is also used in other Source Engine games. VAC is a usermode anticheat, it does not have a kernel mode driver, It's primary detection mechanism is signature scanning for known cheats. Here you will find a list of compiled information from the forum about how Valve Anticheat works and how you can bypass VAC.
This anticheat guide features:
We answer the same 3 questions about VAC at least once per week, please just read this information instead of annoying us.
Important VAC Update July 2020
Valve has been actively updating VAC in CSGO this month. Over the years new competitive shooters like Apex, Overwatch & others have been released with either strong anticheat or kernel anticheat and these games have fewer cheaters than CSGO due to VAC being worthless. Now Valorant which is very similar to CSGO has been released with a very good kernel anticheat. 30% of CSGO players are cheating, and now that alternatives are available people are leaving CSGO. This has forced Valve to improve VAC, this month some of the largest changes that have ever happened to VAC are being rolled out and I assume more will come soon.
CSGO is now starting in Trusted Mode by default
Use the -insecure launch argument to practice and develop your hack in a local bot match. After being sure you are able to bypass VAC, launch with Trusted Mode later.
CSGO is now blocking DLLs from being injected using LoadLibrary - DLLs that interact with CSGO must now be digitally signed
To bypass this all you need to do is use Manual Mapping - try the GH Injector's special features.
How to bypass VAC
It's really easy. You do not need to ask us how to bypass it. Just read these few paragraphs and you'll be bypassing VAC in 5 minutes.
VAC is honestly a joke, if you're just learning how to hack don't worry about VAC. Just learn how to hack and write cheats for CSGO, if you get banned just create a new account, the game is free. Stop asking "how to bypass VAC" it's the dumbest question. All you have to do is follow the steps written above.
If you enjoy the content you find here on GH, please considering donating.
VAC Detects VMT Hooking
There is a good amount of evidence that VAC detects VMT hooking, to bypass this just use a regular detour/trampoline hook. Or if you want to be extra safe, do a mid function hook (regular detour, not located at the first byte of the function) so you're not easily detected by checking the first byte of the function.
Is WriteProcessMemory detected?
Everything is detectable, the real question is: will you get banned for using it? No you won't, so just use it and stop asking.
Is _________________ detected by VAC?
VAC is actively scanning all your running processes, files, registry keys & more. If they want to know everything that's happening in usermode, they have no problem doing it. Everything in usermode can be detected by VAC. It doesn't matter if VAC is capable of detecting something. The only thing that matters is: are they banning people for it.
Do I need to use kernel mode to bypass VAC?
NO! VAC is a usermode anticheat. There is no reason to go into kernel unless you want to. It's complete overkill.
Insecure Mode
The first thing you must do when creating hacks is to set the game in insecure mode. This is done by adding the "-insecure" command line option to your desktop shortcut. Once this is done you can develop your hack or use Cheat Engine on the game without worrying about being banned. In insecure mode you cannot join secure servers.
or
How to bypass VAC?
There is no magic trick or download we can give you to instantly bypass anticheat. If you have been game hacking for less than 6 months, you have no business asking about anticheat. You cannot even understand because you do not have the required knowledge to do so. Learn how to hack first for a few months before even thinking about bypassing anticheat, you can learn everything from The Game Hacking Bible.
Here's a great quote from c5 regarding VAC:
The issue with incapacitating VAC are its heuristics and diversity of checks. It does a lot of cross checking, lies on different techniques on achieving the same task, etc. Besides, some things are only triggered when a specific flag is raised, so even if you might think you have bypassed or caught some of its methods in action, another path can be taken and your efforts countered.
At the end of the day though, you can lie to, emulate or disable anything that's running on your PC. People have emulated anticheats before, disabled them, altered scan results, hidden cheats from them, etc. It can simply get very tedious and not worth the time at all, especially if all you want to actually do is simply bunnyhop around the map.
c5 is 100% right. If you're just making cheats for yourself like the other 100,000 that are doing so, there is nothing to worry about, VAC is a joke. But it does have the capability to do much more than they use it for.
VAC's Capabilities
While VAC is loaded it has the capability of and has been seen:
Valve Anticheat does it basic run of the mill scanning on every client. But, if it finds something that looks sketchy like a hook, it will do a more thorough analysis and it will upload what it finds to the Valve servers. This information can have an affect on your Trusted rank or result in a ban in the future.
VAC Modules
VAC's modules are streamed to the client from the server, they don't exist on disk on your computer at any time but you can dump them if you know how. You can look at VAC as a series of module or as lists of features organized by purpose. The best resources for understanding VAC in depth are:
Vac's Modules according to Daniel Krupinski
Advanced VAC Bypassing
If you're distributing a pay cheat you will want to reverse VAC yourself and periodically dump the modules and compare. If VAC updates, you need to know what they changed.
If you're distributing a pay cheat, in addition to our list above, you should:
How does VAC protect itself?
VAC modules are streamed from the server, it does not hit disk. IAT is encrypted, strings are encrypted
VAC Detection Mechanisms
Signature Detection
Using various heuristics VAC can find suspicious code and upload the modules to their server for manual or automatic analysis. VAC doesn't have time to analyze every single cheat, they prioritize cheats that are used by many clients, the less people using it the less likely they will build signatures for it. They build signatures for the code, just like we do when pattern scanning or AOB scanning in Cheat Engine. VAC can use any part of your hack to build unique signatures including file hash, strings, PE header, window titles, PDB path's etc...
They scan the game's process as well as any other running process for these signatures, if the signature is found they know you're cheating and can ban you in the next ban wave.
VAC uses VirtualQuery() to find executable memory and scan the game process for memory pages that are executable, if these pages were not allocated by the game process it's obvious this is injected code and maybe a cheat. That's the first step to VAC sig scanning, it's gotta find the executable memory first because code makes the best unique signatures.
Hook Detection
VAC can detect all hooks, but we know they are very ban happy when it comes to VMT & IAT hooks.
They specifically scan for hooks in these Windows API functions:
File Integrity Checks
All hacks must be done at runtime, important files are checked for integrity. Patching the files on disk is a no no.
VAC Enumerates all running Processes
VAC uses EnumProcesses to find all processes and does further scanning of these processes. This is the beginning of it's external hack process detection. Hiding your external hacks and injectors from EnumProcesses is the first step. They can't build sigs for something they can't see right?
EnumWindows & EnumChildWindows & GetWindowText
If you have a suspicious external process they will find the windows associated with them and get the window title. They make a hash of your window names and compare against known cheat window names. They also grab the window style, size & location which makes for easy external overlay detection. Maybe make your overlay larger than the game window and then offset all your drawing to the right position. Making your overlay the exact size of the game window is a dead giveaway it's an overlay cheat.
File Hashing
VAC creates files hashes for all running files or files recently touched by the OS and compares it against known cheat file hashes.
You can easily change file hash by simply adding bytes at the end of the file with any hex editor, of course you can automate that. This only prevents file hash signature detection.
VAC calls NtQueryInformationProcess()
Using ProcessBasicInformation it gets the address of the PEB. Using the PEB is the lowest usermode way of querying a process, by doing this it bypasses any patching/hiding you've done to other higher level documented APIs.
NtFsControlFile() & USN Change Journals
VAC scans the disk for every file that has recently been touched by the operating system, including deleting, renaming, creation & overwriting. Good luck hiding from that
To bypass this mambda suggests hooking NtFsControlFile()
Manual Mapping
Manual Mapping defeats many module detection methods that VAC and other anticheat have such as:
VacNet: Server Side Machine Learning to find cheaters based on statistics.
How VAC Bans Work
Valve AntiCheat bans in waves usually, you could be banned hours, days weeks or months after using a detected cheat. If it's a public cheat, you can guarantee you will get VAC banned if you use it after they build signatures for it which only takes maybe a week or 2 in most cases. If you haven't been banned within 4 weeks you're probably okay.
VAC doesn't do IP or HWID bans. Every time someone gets banned, they buy a new account, making Valve tons of money so they will never do this. If you get banned, make a new steam account. But HWID and IP are used for Trust Factor, if they detect a new account from a computer with multiple bans, your trust factor will be penalized.
Junk Code / Polymorphic Code
Adding junk code to your hack will change the file hash, and avoid detection based on file hash. You can also simply do this by adding bytes to the end of the file. But VAC also hashes the code sections, so junk at the end of the file won't work, but adding junk code will actually solve this problem. Junk code is just code that does nothing in your hack, you can put any code you want in there as long as it doesn't modify the functionality of the hack logic.
BUT adding a few pieces of junk code will not bypass signature detection, only hashing.
You need to use polymorphism to bypass signature detection. Polymorphism will change the assembly at almost every byte, ruining all possible signatures. Read our guide on polymorphic code here
Or just completely bypass VAC so it can't even sig scan you.
CSGO Overwatch
Overwatch is a crowd sourced moderation system, if you get too many reports, demos of your gameplay will be reviewed by other players. If the majority of other players file their Overwatch reports with the opinion that you are violating the rules, your overwatch reputation will decrease and it will eventually result in a ban.
CSGO Match Making & Trust Factor
Griefers and cheaters will have a lower trust factor, this is based on many things including Overwatch reports. Match Making matches people with high trust factor with other similar players. Conversely it puts cheaters and other people with low trust factor in the same matches.
Trust Factor is tied to HWID/IP, if you get banned and make a new account, some of your old Trust Factor will make it to your new account.
Learn more about Overwatch, Match Making & Trust Factor: #1, #2 & #3
Additional GH VAC Resources:
mambda's Original VAC Writeup
c5's VAC Reverse Engineering IDA Scripts
Offsite VAC Resources:
VAC Source Code
Developments | Cra0kalo's Development Adventures
Valve Anti-Cheat - unkn0wnch3ats Game Hacking Wiki
zyhp/vac3_inhibitor
danielkrupinski/VAC-Bypass
Continue reading the rest of the thread for more info...
Please contribute to this guide by providing corrections & additions, hitting the "Like" button or donating
Thank you to the contributors to this guide:
@mambda @XdarionX @KF1337 @ZleMyzteX
This anticheat guide features:
- An explanation of the new VAC updates from 2020
- The 5 simple steps you need to take to bypass VAC
- A brief overview of VAC's modules
- A more in depth look at VAC's capabilities
- A collection of VAC related resources

We answer the same 3 questions about VAC at least once per week, please just read this information instead of annoying us.
Important VAC Update July 2020
Valve has been actively updating VAC in CSGO this month. Over the years new competitive shooters like Apex, Overwatch & others have been released with either strong anticheat or kernel anticheat and these games have fewer cheaters than CSGO due to VAC being worthless. Now Valorant which is very similar to CSGO has been released with a very good kernel anticheat. 30% of CSGO players are cheating, and now that alternatives are available people are leaving CSGO. This has forced Valve to improve VAC, this month some of the largest changes that have ever happened to VAC are being rolled out and I assume more will come soon.
CSGO is now starting in Trusted Mode by default
Use the -insecure launch argument to practice and develop your hack in a local bot match. After being sure you are able to bypass VAC, launch with Trusted Mode later.
CSGO is now blocking DLLs from being injected using LoadLibrary - DLLs that interact with CSGO must now be digitally signed
To bypass this all you need to do is use Manual Mapping - try the GH Injector's special features.
How to bypass VAC
It's really easy. You do not need to ask us how to bypass it. Just read these few paragraphs and you'll be bypassing VAC in 5 minutes.
- Manually Map your DLL
- Do not use public downloads and source codes
- Write everything yourself, do not share your hack
- Do not use VMT Hooking, use a regular detour / trampoline hook
- Don't rage
VAC is honestly a joke, if you're just learning how to hack don't worry about VAC. Just learn how to hack and write cheats for CSGO, if you get banned just create a new account, the game is free. Stop asking "how to bypass VAC" it's the dumbest question. All you have to do is follow the steps written above.
If you enjoy the content you find here on GH, please considering donating.
VAC Detects VMT Hooking
There is a good amount of evidence that VAC detects VMT hooking, to bypass this just use a regular detour/trampoline hook. Or if you want to be extra safe, do a mid function hook (regular detour, not located at the first byte of the function) so you're not easily detected by checking the first byte of the function.
Is WriteProcessMemory detected?
Everything is detectable, the real question is: will you get banned for using it? No you won't, so just use it and stop asking.
Is _________________ detected by VAC?
VAC is actively scanning all your running processes, files, registry keys & more. If they want to know everything that's happening in usermode, they have no problem doing it. Everything in usermode can be detected by VAC. It doesn't matter if VAC is capable of detecting something. The only thing that matters is: are they banning people for it.
Do I need to use kernel mode to bypass VAC?
NO! VAC is a usermode anticheat. There is no reason to go into kernel unless you want to. It's complete overkill.
Insecure Mode
The first thing you must do when creating hacks is to set the game in insecure mode. This is done by adding the "-insecure" command line option to your desktop shortcut. Once this is done you can develop your hack or use Cheat Engine on the game without worrying about being banned. In insecure mode you cannot join secure servers.

How to bypass VAC?
There is no magic trick or download we can give you to instantly bypass anticheat. If you have been game hacking for less than 6 months, you have no business asking about anticheat. You cannot even understand because you do not have the required knowledge to do so. Learn how to hack first for a few months before even thinking about bypassing anticheat, you can learn everything from The Game Hacking Bible.
Here's a great quote from c5 regarding VAC:
The issue with incapacitating VAC are its heuristics and diversity of checks. It does a lot of cross checking, lies on different techniques on achieving the same task, etc. Besides, some things are only triggered when a specific flag is raised, so even if you might think you have bypassed or caught some of its methods in action, another path can be taken and your efforts countered.
At the end of the day though, you can lie to, emulate or disable anything that's running on your PC. People have emulated anticheats before, disabled them, altered scan results, hidden cheats from them, etc. It can simply get very tedious and not worth the time at all, especially if all you want to actually do is simply bunnyhop around the map.
c5 is 100% right. If you're just making cheats for yourself like the other 100,000 that are doing so, there is nothing to worry about, VAC is a joke. But it does have the capability to do much more than they use it for.
VAC's Capabilities
While VAC is loaded it has the capability of and has been seen:
- Scanning all your files
- Scanning all running processes
- Scanning your registry
- Enumerating all open handles
- Scanning for hooks
- Signature scanning for known cheats
Valve Anticheat does it basic run of the mill scanning on every client. But, if it finds something that looks sketchy like a hook, it will do a more thorough analysis and it will upload what it finds to the Valve servers. This information can have an affect on your Trusted rank or result in a ban in the future.
VAC Modules
VAC's modules are streamed to the client from the server, they don't exist on disk on your computer at any time but you can dump them if you know how. You can look at VAC as a series of module or as lists of features organized by purpose. The best resources for understanding VAC in depth are:
- Daniel Krupinski's Reversed VAC Source Code
- mamba's writeup of VAC from a few years ago
- Tutorial - RaptorFactor Archive - VAC Modules
- ioncodes/vacation3-emu
Vac's Modules according to Daniel Krupinski
- Module 1: Collect System Information & Configuration
- Module 2: Enumerate running processes and handles
- Module 3: VAC's Process Monitor Implementation
Advanced VAC Bypassing
If you're distributing a pay cheat you will want to reverse VAC yourself and periodically dump the modules and compare. If VAC updates, you need to know what they changed.
If you're distributing a pay cheat, in addition to our list above, you should:
- Encrypt all strings
- Randomize module, process, window & window class names
- Use polymorphic code to evade signature detection
- Stay off the disk as much as possible, stream everything into memory
- Clean all your tracks, avoid registry keys etc...
- Consider hooking and de-clawing VAC itself
How does VAC protect itself?
VAC modules are streamed from the server, it does not hit disk. IAT is encrypted, strings are encrypted
VAC Detection Mechanisms
Signature Detection
Using various heuristics VAC can find suspicious code and upload the modules to their server for manual or automatic analysis. VAC doesn't have time to analyze every single cheat, they prioritize cheats that are used by many clients, the less people using it the less likely they will build signatures for it. They build signatures for the code, just like we do when pattern scanning or AOB scanning in Cheat Engine. VAC can use any part of your hack to build unique signatures including file hash, strings, PE header, window titles, PDB path's etc...
They scan the game's process as well as any other running process for these signatures, if the signature is found they know you're cheating and can ban you in the next ban wave.
VAC uses VirtualQuery() to find executable memory and scan the game process for memory pages that are executable, if these pages were not allocated by the game process it's obvious this is injected code and maybe a cheat. That's the first step to VAC sig scanning, it's gotta find the executable memory first because code makes the best unique signatures.
Hook Detection
VAC can detect all hooks, but we know they are very ban happy when it comes to VMT & IAT hooks.
They specifically scan for hooks in these Windows API functions:
- GetMAppedFileNameA
- NtQueryVirtualMemory
- GetModuleHandleA
- GetModuleFileNameA
- OpenProcess
- ReadProcessMemory
- VirtualQuery
- VirtualQueryEx
- CreateToolHelp32Snapshot
- Module32First
- Module32Next
- Process32First
- Process32Next
- EnumnProcessModules
- GetModuleBaseNameA
- GetModuleFileNameExA
- EnumProcesses
- GetModuleHandleExA
- GetMappedFileNameA
- NtReadVirtualMemory
- NtQueryVirtualMemory
- NtMapViewOfSection
- NtOpenProcess
- NtQuerySystemInformation
File Integrity Checks
All hacks must be done at runtime, important files are checked for integrity. Patching the files on disk is a no no.
VAC Enumerates all running Processes
VAC uses EnumProcesses to find all processes and does further scanning of these processes. This is the beginning of it's external hack process detection. Hiding your external hacks and injectors from EnumProcesses is the first step. They can't build sigs for something they can't see right?
EnumWindows & EnumChildWindows & GetWindowText
If you have a suspicious external process they will find the windows associated with them and get the window title. They make a hash of your window names and compare against known cheat window names. They also grab the window style, size & location which makes for easy external overlay detection. Maybe make your overlay larger than the game window and then offset all your drawing to the right position. Making your overlay the exact size of the game window is a dead giveaway it's an overlay cheat.
File Hashing
VAC creates files hashes for all running files or files recently touched by the OS and compares it against known cheat file hashes.
You can easily change file hash by simply adding bytes at the end of the file with any hex editor, of course you can automate that. This only prevents file hash signature detection.
VAC calls NtQueryInformationProcess()
Using ProcessBasicInformation it gets the address of the PEB. Using the PEB is the lowest usermode way of querying a process, by doing this it bypasses any patching/hiding you've done to other higher level documented APIs.
NtFsControlFile() & USN Change Journals
VAC scans the disk for every file that has recently been touched by the operating system, including deleting, renaming, creation & overwriting. Good luck hiding from that
To bypass this mambda suggests hooking NtFsControlFile()
Manual Mapping
Manual Mapping defeats many module detection methods that VAC and other anticheat have such as:
- LoadLibrary hooks
- Toolhelp32Snapshot
- EnumprocessModules to find loaded modules
- Walking the PEB loaded modules list
- GetMappedFileName() on memory addresses to find DLL's on disk
- Easily detects debuggers but doesn't prevent them
- ntdll.dll is scanned, patching functions in here will lead to detection
- VAC uses EnumDeviceInterfaces() to find all drivers in device manager
- Reads the Event Log for recent events such as driver loading
- Reads the registry
VacNet: Server Side Machine Learning to find cheaters based on statistics.
How VAC Bans Work
Valve AntiCheat bans in waves usually, you could be banned hours, days weeks or months after using a detected cheat. If it's a public cheat, you can guarantee you will get VAC banned if you use it after they build signatures for it which only takes maybe a week or 2 in most cases. If you haven't been banned within 4 weeks you're probably okay.
VAC doesn't do IP or HWID bans. Every time someone gets banned, they buy a new account, making Valve tons of money so they will never do this. If you get banned, make a new steam account. But HWID and IP are used for Trust Factor, if they detect a new account from a computer with multiple bans, your trust factor will be penalized.
Junk Code / Polymorphic Code
Adding junk code to your hack will change the file hash, and avoid detection based on file hash. You can also simply do this by adding bytes to the end of the file. But VAC also hashes the code sections, so junk at the end of the file won't work, but adding junk code will actually solve this problem. Junk code is just code that does nothing in your hack, you can put any code you want in there as long as it doesn't modify the functionality of the hack logic.
BUT adding a few pieces of junk code will not bypass signature detection, only hashing.
You need to use polymorphism to bypass signature detection. Polymorphism will change the assembly at almost every byte, ruining all possible signatures. Read our guide on polymorphic code here
Or just completely bypass VAC so it can't even sig scan you.
CSGO Overwatch
Overwatch is a crowd sourced moderation system, if you get too many reports, demos of your gameplay will be reviewed by other players. If the majority of other players file their Overwatch reports with the opinion that you are violating the rules, your overwatch reputation will decrease and it will eventually result in a ban.
CSGO Match Making & Trust Factor
Griefers and cheaters will have a lower trust factor, this is based on many things including Overwatch reports. Match Making matches people with high trust factor with other similar players. Conversely it puts cheaters and other people with low trust factor in the same matches.
Trust Factor is tied to HWID/IP, if you get banned and make a new account, some of your old Trust Factor will make it to your new account.
Learn more about Overwatch, Match Making & Trust Factor: #1, #2 & #3
Additional GH VAC Resources:
mambda's Original VAC Writeup
c5's VAC Reverse Engineering IDA Scripts
Offsite VAC Resources:
VAC Source Code
Developments | Cra0kalo's Development Adventures
Valve Anti-Cheat - unkn0wnch3ats Game Hacking Wiki
zyhp/vac3_inhibitor
danielkrupinski/VAC-Bypass
Continue reading the rest of the thread for more info...
Please contribute to this guide by providing corrections & additions, hitting the "Like" button or donating
Thank you to the contributors to this guide:
@mambda @XdarionX @KF1337 @ZleMyzteX
Last edited: