FACEIT Anti-Cheat: Real-Time Kernel Detection

• FACEIT Anti-Cheat is a next-generation kernel-mode solution designed for real-time detection of in-memory threats like fileless execution and process injection.
• It employs rolling-hash fingerprinting and TOCTOU-resilient event scanning to accurately identify unauthorized code modifications with minimal latency.
• The architecture leverages a hybrid event-driven system combining user-mode control and kernel components to ensure robust anti-cheat enforcement with low resource overhead.

FACEIT Anti-Cheat (FAC-INT) is a next-generation, kernel-mode anti-cheat solution designed for real-time detection and analysis of in-memory threats, specifically targeting fileless execution, manual mapping, module stomping, and advanced process injection techniques. FAC-INT inherits and extends architectural principles from RX-INT, a kernel-assisted detection engine, with deep integration of stateful monitoring, rolling-hash fingerprinting, and TOCTOU-resilient workflows for robust anti-cheat enforcement in gaming environments (Juneja, 5 Aug 2025).

1. System Architecture

The FAC-INT system architecture is centered on an event-driven, hybrid kernel engine, operating as a Windows kernel driver with real-time hooks for process and thread events. The main components are:

• User Mode Control Interface: Exposes control (via IOCTL) to CLI, TUI, or game GUI clients, enabling administration and user-initiated actions.
• Kernel Components:
  • Detector Manager: Supervises monitoring, context, and rule configuration.
  • Thread Monitor: Registers thread creation events using PsSetCreateThreadNotifyRoutine and inspects thread start addresses at APC_LEVEL.
  • Stateful VAD Scanner: Maintains and compares virtual address descriptor (VAD) baselines via ZwQueryVirtualMemory, tracking both image and private regions.
  • Hashing Module: Computes and manages rolling/streaming hashes for memory regions, enabling fine-grained detection of illicit changes.
  • Event-Driven Dump and Access Control Enforcement: Responds to suspicious memory or thread events with region dumps and access lockdown.

High-level hooks include:

• Process Attach: PsSetCreateProcessNotifyRoutineEx triggers per-process state creation upon deployment, baseline VAD scan, and scanner worker initialization.
• Thread Creation: OnThreadNotify callback inspects new thread start addresses, triggering VAD rescan if the address is atypical or matches private executable memory (Juneja, 5 Aug 2025).

2. Real-Time VAD Scanning and Thread Monitoring

FAC-INT deploys real-time VAD scanning and thread monitoring for in-memory threat identification. The core data structures are:

struct VAD_Entry { UINT_PTR BaseAddress; SIZE_T RegionSize; PAGE_PROT Protection; UINT64 Hash; // Only for MEM_IMAGE+EXEC } struct ProcContext { PEPROCESS Process; List<VAD_Entry> Baseline; KSPIN_LOCK Lock; KEVENT ScanEvent; HANDLE ScannerThread; }

Initialization (StartMonitoring) attaches to the target process, builds a VAD region baseline via ZwQueryVirtualMemory, and initiates a kernel worker thread. During normal operation:

• Thread Notify Path:
  • When a thread is created, its start address is checked:
  • If in a private, executable region, the region is dumped and flagged.
  • If in an image region, a VAD rescan is triggered for hash-based integrity check.
• Scanner Main Loop:
  • Waits on ScanEvent or poll timeout
  • Procures a new VAD snapshot and compares with the baseline using hash and region differentials
  • Calls ReportAndDump when new suspicious executable private regions or image hash mismatches are found

This method enables prompt identification of code injections and module manipulation events, with latency on the order of a few milliseconds (Juneja, 5 Aug 2025).

3. Hash-Based Memory Fingerprinting

FAC-INT leverages rolling/streaming hash techniques to fingerprint memory regions with high collision resistance and incremental efficiency.

• Definition: A memory region $M$ is split into blocks $M_1,\ldots,M_k$ (e.g., per 4 KB page). The fingerprint is:

$H_0 = H_{init}$

$$H_i = (a \cdot H_{i-1} + \sum_{j=1}^{|M_i|} M_{i,j}) \bmod p$$

with base $a$ a random odd integer in $[2^{32}, p-1]$ ($p$ is a 61-bit Mersenne prime, $2^{61}-1$), ensuring minimal collision probability.

• Parameterization:
  • Collision probability for $k$ blocks: $\approx k/p$. For $p\approx 2^{61}$, $k=10^6$ yields $\sim 4\cdot10^{-13}$ probability.
  • XXH64 may be used for speed, as an implementation choice.
• Detection Thresholds:
  • For measures $D=$ number of differing blocks:
  • False positive rate: $\alpha = \Pr[D\leq T\mid\text{no change}]$
  • False negative rate: $\beta = \Pr[D> T\mid\text{true change}]$
  • Threshold $T$ is set via $T \approx \mu_0 + z_{1-\alpha}\cdot\sigma_0$ with $\mu_0, \sigma_0$ being noise scan statistics.
• Incremental Updates:
  • When only a single block changes, $H'$ may be updated as $H' = (H + \Delta) \bmod p$ with $$\Delta = (new\_sum_i - old\_sum_i)\cdot a^{k-i}\bmod p$$.

This hashing methodology enables fast, low-overhead integrity checks and allows robust detection with adjustable sensitivity (Juneja, 5 Aug 2025).

4. TOCTOU-Resilient Event-Driven Scanning

A key innovation is TOCTOU (time-of-check-to-time-of-use) attack resilience. FAC-INT implements an event-driven, state-machine-controlled workflow:

• State Machine Skeleton:
  • Idle: No process monitored.
  • Waiting: Polling VAD, wakes immediately on scan hint.
  • Hint: Upon thread event likely indicating an injection, enters scan with minimal latency.
  • Scanning: Immediate VAD baseline differential and dump.

The detection window $\Delta t$ is dominated by thread-scheduling and VAD scan time (on the order of milliseconds), substantially outperforming tools relying on periodic polling (e.g., PE-sieve, with a 0.5–1 s gap) (Juneja, 5 Aug 2025). This architecture closes the window during which an adversary can restore or clean up injected code prior to detection—a critical requirement in contemporary anti-cheat.

5. Heuristic Detection and Anomaly Scoring

Detection logic is formalized as weighted heuristic predicates $H_k(e)$ applied to memory regions:

• $H_1:$ Private region with executable permissions
• $H_2:$ Image region with hash mismatch to baseline
• $H_3:$ Change in protection toggling PAGE_EXECUTE
• $H_4:$ New region overlapping known module’s .text section
• $H_5:$ PE header region zeroed with executable permission

Scores are assigned by $S(e) = \sum_k w_k\cdot 1_{H_k(e)=true}$, triggering full dump and investigation for $S(e)\geq S_{thresh}$, where $w_k$ are adjusted via ROC analysis for optimal tradeoff between sensitivity and false alarm rate (Juneja, 5 Aug 2025).

6. Performance Metrics and Benchmark Comparisons

Resource efficiency is a critical facet:

• CPU overhead:

$O_{CPU} \approx C_1 N + C_2 (S/B)$ scans/sec, where $C_1, C_2$ are kernel callback and page-hash costs.

• Memory overhead:

$$O_{mem} \approx N\cdot (1\text{ KB} + (S/\text{region\_size})\cdot 32\text{ B})$$.

• Detection latency:

$$L_{det} \approx t_{hook} + t_{scan} + t_{hash} \approx 1 \text{ ms} + (S/B) \cdot (\text{hash\_per\_page}) + \text{merge overhead}$$.

Sample benchmark on Windows 11 / 8 GB RAM for a 200 MB process showed:

• Idle CPU: 0.05%
• Active scan CPU: 0.5%
• Detection latency: 3–5 ms post-thread creation
• Memory overhead: ~6 MB per large process (includes export snapshot)

In contrast, PE-sieve lacks real-time thread hooks, resulting in a wider TOCTOU window (0.5–1 s) and higher peak CPU (>2%) (Juneja, 5 Aug 2025).

7. Implementation Considerations and Domain-Specific Adaptation

FAC-INT is implemented as a KMDF (Kernel-Mode Driver Framework) driver, leveraging C++ RAII for resource safety, with explicit support for export-based region resolution and robust synchronization via spinlocks and kernel events. The architecture supports bounded resource utilization suitable for gaming environments, and is extensible via IOCTL-driven control pathways. The application of RX-INT methodology to anti-cheat explicitly addresses fileless threats and memory attacks increasingly prevalent in competitive gaming, providing a tangible advantage over user-mode and poll-based detection regimes (Juneja, 5 Aug 2025).