What Is a Signature Scanner in Anti-Cheat?

A signature scanner is the anti-cheat component that pattern-matches process memory and loaded modules against a database of known cheat-related byte patterns, function signatures, and binary hashes. It's the oldest and most universal AC detection technique. Modern signature scanners stream their pattern databases from vendor servers continuously, match against memory in the protected game process, scan kernel memory pools, and check loaded driver lists. EAC's 2026 kernel rebuild is 3-4× faster at signature scans than the 2024 build.

RawCheats Anti-Cheat Research Team. Updated May 12, 2026

Signature scanning is the foundational layer of consumer anti-cheat. Every shipped AC does it. It's structurally simple — compare bytes against a known list — but its effectiveness depends on how much of the system the scanner can see, how fresh the signatures are, and how the protected memory is laid out. The signature scanner is the AC layer most directly comparable to traditional antivirus.

What gets scanned

A modern AC signature scanner targets:

  • Process memory of the protected game process — every committed page that's readable
  • Loaded module hashes — DLLs, drivers, and executables loaded into the process or into the kernel
  • Kernel memory pools — the NonPagedPool / PagedPool regions where kernel-mode drivers live, including allocated-but-not-officially-loaded regions where manually-mapped drivers sometimes hide
  • PE header validation — checking module headers for signs of unpacking, packing, or modification
  • String tables — text strings inside loaded modules that match known cheat program names or developer signatures

How signatures are constructed

A pattern is typically a byte sequence with masking — e.g., 48 8B 05 ?? ?? ?? ?? 48 89 41 28 48 8B 41 30 48 89 41 38 where ?? is a wildcard for instruction-specific values like RIP-relative offsets. This format catches the function shape regardless of where in memory it's loaded. Patterns can also be regex-matched against module exports, hash-matched against module file content, or fuzzy-matched against approximate code shapes.
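The masked-pattern format above, worked through as an added example (not code from the original page or from any anti-cheat vendor). It parses the quoted signature, matches it regardless of the wildcarded displacement bytes, and scans in overlapping working buffers so a match that straddles a buffer boundary is kept. The function names, the 64-byte chunk size and the sample buffer are constructed for illustration.

```python
from typing import List, Optional

# Signature quoted in the text above; "??" is a wildcard byte.
SIG_TEXT = "48 8B 05 ?? ?? ?? ?? 48 89 41 28 48 8B 41 30 48 89 41 38"

def parse_signature(text: str) -> List[Optional[int]]:
    """'AA ?? BB' -> [0xAA, None, 0xBB]; None matches any byte."""
    return [None if t == "??" else int(t, 16) for t in text.split()]

def match_at(buf: bytes, pos: int, sig: List[Optional[int]]) -> bool:
    """True if every fixed signature byte equals the buffer byte at pos."""
    if pos < 0 or pos + len(sig) > len(buf):
        return False
    return all(s is None or buf[pos + i] == s for i, s in enumerate(sig))

def scan(buf: bytes, sig: List[Optional[int]], base: int = 0) -> List[int]:
    """Offsets (plus base) of every match in one buffer."""
    # Jump between candidates with bytes.find on the first fixed byte,
    # then verify the full mask at each candidate.
    k = next(i for i, s in enumerate(sig) if s is not None)
    anchor, hits = bytes([sig[k]]), []
    i = buf.find(anchor, k)
    while i != -1:
        if match_at(buf, i - k, sig):
            hits.append(base + i - k)
        i = buf.find(anchor, i + 1)
    return hits

def scan_chunked(data: bytes, sig, chunk: int = 64,
                 overlap: Optional[int] = None) -> List[int]:
    """Scan fixed-size working buffers. The default overlap of len(sig)-1
    bytes keeps matches that straddle a chunk boundary."""
    if overlap is None:
        overlap = len(sig) - 1
    hits = set()
    for start in range(0, len(data), chunk):
        hits.update(scan(data[start:start + chunk + overlap], sig, base=start))
    return sorted(hits)

def build_sample() -> bytes:
    """Constructed buffer: two copies with different displacements, one near miss."""
    head = bytes.fromhex("48 8B 05")
    tail = bytes.fromhex("48 89 41 28 48 8B 41 30 48 89 41 38")
    copy1 = head + bytes.fromhex("10 20 30 00") + tail
    copy2 = head + bytes.fromhex("AA BB CC 00") + tail
    near = copy1[:-1] + b"\x39"  # last fixed byte differs, must not match
    return b"\x90" * 50 + copy1 + b"\xCC" * 40 + near + b"\x90" * 7 + copy2 + b"\x90" * 5
```

Calling scan_chunked with overlap=0 on the sample drops the first copy, which begins at offset 50 and crosses the 64-byte boundary.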

The signature database itself is streamed from the AC vendor's servers at game launch and updated periodically during play. This is what lets BattlEye, EAC, and Vanguard add new signatures without shipping a client patch — push to the database server, every connected client picks up the new signature on next launch.

How scans run

A scan iterates committed memory regions, reads each region into a working buffer, and runs pattern-match against the buffer. The naive scan is O(N×M) where N is memory size and M is pattern count, which gets expensive — modern scanners use Aho-Corasick automata or similar multi-pattern algorithms to scan once and match many patterns simultaneously. The 2026 EAC kernel rebuild's 3-4× speedup came largely from optimized scan-loop architecture and expanded kernel memory pool coverage.
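A compact Aho-Corasick automaton, as an added example (not code from the original page or from any anti-cheat product), showing how one pass over a buffer reports every pattern, including patterns that overlap or are suffixes of one another. It handles literal byte patterns only; the class name, pattern names and sample bytes are constructed for illustration.

```python
from collections import deque
from typing import Dict, List, Tuple

class AhoCorasick:
    """Multi-pattern matcher: one pass over the buffer reports every pattern."""
    def __init__(self, patterns: Dict[str, bytes]):
        self.goto: List[Dict[int, int]] = [{}]         # state -> {byte: next state}
        self.fail: List[int] = [0]                     # longest proper suffix state
        self.out: List[List[Tuple[str, int]]] = [[]]   # (name, length) ending here
        for name, pat in patterns.items():             # 1. build the trie
            if not pat:
                raise ValueError("empty pattern: " + name)
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append((name, len(pat)))
        queue = deque(self.goto[0].values())           # 2. failure links, breadth-first
        while queue:
            s = queue.popleft()
            for b, t in self.goto[s].items():
                f = self.fail[s]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(b, 0)
                # Inherit patterns that end at a suffix of this state.
                self.out[t] = self.out[t] + self.out[self.fail[t]]
                queue.append(t)

    def scan(self, buf: bytes) -> List[Tuple[int, str]]:
        """Return (start offset, pattern name) for every occurrence."""
        hits, s = [], 0
        for i, b in enumerate(buf):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits.extend((i - n + 1, name) for name, n in self.out[s])
        return hits

# Constructed patterns and buffer (not real signatures); they overlap on purpose.
PATTERNS = {"sig_a": bytes.fromhex("48 89 41 28"),
            "sig_b": bytes.fromhex("89 41 28 48 8B"),
            "sig_c": bytes.fromhex("41 28")}
SAMPLE = bytes.fromhex("90 90 48 89 41 28 48 8B 41 30 41 28")
```

The scan loop visits each buffer byte once whatever the pattern count, which is the difference from the O(N×M) loop described above.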

What signature scanning catches

  • Public/copy-pasted cheats whose binary patterns are widely shared and quickly fingerprinted
  • Common open-source cheat libraries (ImGui-based overlays, kiero hook patterns, popular trainer frameworks)
  • Manually-mapped drivers that leave detectable byte sequences in kernel pools
  • Old cheat builds that the developer didn't obfuscate before re-release
  • Cheats whose authors didn't bother to rotate their internal function signatures

What signature scanning misses

  • Custom-built cheats with no shared lineage
  • Cheats that don't reside in scanner-visible memory (external DMA setups before AER/IOMMU shutdown)
  • Cheats whose patterns are sufficiently unique that no public signature exists
  • Modified or polymorphic cheats that mutate their byte patterns on each build

This is why signature scanning is the first layer in the modern AC stack, not the only layer. Behavioral ML and server-side validation cover what signature scanning misses.

Cheat-developer countermeasures

The cheat industry response is well-documented: code obfuscation, manual mapping into non-standard memory regions, encryption of pattern-bearing code paths with on-the-fly decryption, dynamic re-pattern of detected sequences after AC signature updates, and outright commercial obfuscators (VMProtect, Themida, Enigma Protector). NeacSafe protects its own user-mode component with VMProtect — the same technique cheat developers use against signature scanning is now used against signature scanning analysts.

The fundamental signature-scanning weakness

A signature scanner can only catch patterns it has seen before. Day-zero on a private custom cheat, before the vendor has obtained a sample and built a signature, the scanner is blind. This is why private cheats (custom-built, distributed to small groups) have longer undetected lifecycles than public cheats. It's also why detection windows for new cheats tend to be: client-side signature in days, behavioral ML signal in weeks, server-side replay correlation in months — the layers complement each other across timescales.

Practical impact for RawCheats users

RawCheats operates at the "private cheat with rotating signatures" tier. Our products are not in public signature databases at game-launch time, our build pipeline rotates internal byte patterns, and our update cadence tracks AC signature update cadence. The relevant user-side practice is keeping the cheat updated and not running stale builds — see How do I update RawCheats.

Forward look

Signature scanning will remain a foundational layer indefinitely. What changes: scan speed (faster), coverage breadth (more memory regions, deeper into kernel), and integration with ML for pattern auto-generation from telemetry. The cheat-industry counter-direction is more aggressive obfuscation, smaller distribution tiers, and faster build rotation. The arms race here is decades old and shows no sign of resolution.

Related Questions

How Do Anti-Cheats Detect Aimbots?

Anti-cheats detect aimbots through three layered techniques: signature scanning (matching cheat binaries and known code patterns in memory), input/behavioral analysis (statistically anomalous mouse movement and reaction time distributions), and server-side validation (replay re-simulation comparing the player's reported view angles against what the demo file shows). Aimbot detection has shifted heavily toward behavioral ML in 2025-2026 — Anybrain, VACnet, Zakynthos, and Riot's ML pipeline are the new battleground.

How Do Anti-Cheats Detect ESP and Wallhacks?

Anti-cheats detect ESP and wallhacks primarily through three techniques: signature scanning for known rendering hooks and Direct3D/Vulkan overlays, behavioral analysis correlating player movement and pre-aim with information they "shouldn't have," and server-side fog-of-war culling where the server only sends visible-player data to each client. The 2026 trend is heavy server-side culling — Fortnite, Valorant, and Apex now send only client-visible player coordinates, making memory-read ESP less informative.

How Does Easy Anti-Cheat (EAC) Work?

Easy Anti-Cheat (EAC) is a kernel-mode anti-cheat owned by Epic Games. It loads a signed Windows driver at game launch, runs in ring 0 alongside the kernel, registers process and image-load callbacks via PsSetCreateProcessNotifyRoutine and PsSetLoadImageNotifyRoutine, scans process memory and loaded drivers against signature databases streamed from Epic servers, and exports behavioral telemetry for server-side review. EAC protects Fortnite, Apex Legends, Rust, Dead by Daylight, and roughly 130 other titles.

What Is a Kernel-Level Anti-Cheat?

A kernel-level anti-cheat is anti-cheat software that runs in ring 0 — the same privilege level as the Windows kernel — via a signed driver loaded into the OS. This gives it visibility into all processes, threads, drivers, kernel callbacks, and physical memory on the system. Examples: Easy Anti-Cheat (EAC), BattlEye (BEDaisy.sys), Riot Vanguard (vgk.sys), Activision Ricochet, NeacSafe, Zakynthos. Defense Matrix and VAC are NOT kernel-level — they run in user mode.
