exi

Head Moderator
Faceit Anticheat has long been considered one of the most strict in detection and difficult to bypass. But on March 24 an interesting vulnerability was discovered in the process of updating its driver, which allows you to load your software before the anticheat starts working. In this topic I will tell you how this method works and how to implement it in practice for free.


What is Faceit Anticheat and why is it difficult to bypass

The difficulty of bypassing Faceit on Windows 11 and 10 consists of several levels of protection:
  • Blocking vulnerable drivers;
  • Monitoring system calls;
  • Checking the integrity of the game memory;
  • Tracking suspicious processes and information on the PC.
Attempts to bypass Faceit CS 2 usually end with an account ban, as the anti-cheat is quite effective in detecting most public methods of code injection. After this, you will need to use a spoofer, which, by the way, is sold on our cheat site. On Infocheats.net, you can find topics with buying (selling) not only ban evade methods but also undetected firmware for DMA cards.

How drivers work in Windows

Drivers are programs that run in kernel mode and have privileged access to hardware resources. Usually, they are loaded at system startup or when you connect new hardware to your gaming PC.

Vulnerability in driver loading

Every system has its flaws. Despite the power of the anticheat, it simply cannot control a bunch of processes in the computer simultaneously. And this is the feature we will use.
Face It league Anti Cheat checks programs that are loaded into the PC. But what if we manage to load our project before the anticheat starts checking? Technically, this is called «race condition» — a competitive «racing» when the result depends on who performs a certain action first.


The description of vulnerability in the anti-cheat update process

While studying the Faceit driver update process, the author noticed: when the anticheat loads the updated «faceit-ac.sys» driver, it does not ask the player to restart Windows.
How is this possible? Usually, a kernel driver update requires a reboot. And this is precisely where the vulnerability lies. The Face It developers decided to save the user from the inconvenience of rebooting, but created a logical breach in the protection system.

How it works to bypass Faceit Anti cheat

Faceit AC also needs to be loaded as a driver. And that means there is a moment when it is not yet fully initialized. If we load our driver at the right moment, the anticheat may simply not notice it.
The essence of the vulnerability is as follows: when the face it service stops the faceit-ac.sys driver for its update, a temporary moment appears in which you can load your driver. The anticheat at this moment is busy updating and does not notice the substitution.

It looks something like this:
  • faceit-service stops faceit-ac.sys;
  • At this moment, HookedControlService is intercepted;
  • We load our vulnerable driver;
  • We call the original OriginalControlService;
  • The service runs our cheater software;
  • It doesn't notice the substitution because it's busy updating.

Instructions for bypassing Faceit Anti-Cheat

For those who want to use this method, I'll provide detailed info. Maybe later, I'll upload a video to YouTube to help people understand the benefits of this method more clearly.

What to have for the CS2 hack to work?

To implement the Face It AC bypass, you will need:
  • Visual Studio (the basic Community will do);
  • Windows Driver Kit (WDK);
  • C/C++ programming skills at a sufficient level;
  • Basic knowledge of Windows operations (mostly kernel level);
  • A test computer (it's better not to experiment on your main account).

Stages of implementing the Faceit bypass into game

View hidden content is available for registered users!



Technical side of the cheat injection method on Faceit

The main technique used in this method is intercepting Windows service control. This uses «DLL hijacking» — a method that allows forcing an application to load our DLL instead of the one it expects to load.
When faceit-service calls a function to stop the driver, our intercepted function loads our software and only then passes control to the original function. Thus, we get the possibility of substitution between stopping the original driver and starting the updated one.

Difference from other methods of bypassing Faceit AC

Most other methods try to bypass Faceit Anti-cheats in CS2 after it has already started, which is much more difficult. This method uses a vulnerability in the update process, which gives us an advantage — we load our driver before the anticheat's protection mechanisms are fully initialized.
Considering that Faceit actively develops its protection technologies, it is quite likely that this vulnerability will be closed in the near future; maybe it will work for a month.


Conclusion: is it worth using Faceit Cheat?

The discovered vulnerability demonstrates how even the most secure ACs can have logical gaps. In practice, anticheat developers constantly improve their products, and any vulnerabilities are eventually closed. If you have any difficulties, you can write in the comments to the original material (I attached it above); the author will give you an answer.
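Seen from the defender's side, the ordering described in the post (faceit-ac.sys stopped, another driver loaded, updated driver started) is visible in driver load telemetry. The following is an added example, not code from the post or from FACEIT, that flags any driver loaded while the protected driver is stopped. The record format, the 60-second bound and the `example-*.sys` names are assumptions constructed for illustration; load records could come from a source such as Sysmon Event ID 6 (Driver loaded).

```python
from datetime import datetime, timedelta

PROTECTED = "faceit-ac.sys"      # driver name from the post
MAX_GAP = timedelta(seconds=60)  # assumed longest plausible update gap

# Constructed sample records (not real telemetry): ISO time, action, driver image
SAMPLE_LOG = """\
2025-01-01T18:00:01 load faceit-ac.sys
2025-01-01T18:20:00 load usbaudio.sys
2025-01-01T18:40:10 stop faceit-ac.sys
2025-01-01T18:40:11 load example-unknown.sys
2025-01-01T18:40:13 load faceit-ac.sys
2025-01-01T20:00:00 stop faceit-ac.sys
2025-01-01T20:00:02 load example-other.sys
"""

def parse(log):
    """Turn 'time action image' lines into sorted (datetime, action, image) tuples."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, action, image = line.split()
            events.append((datetime.fromisoformat(ts), action, image.lower()))
    return sorted(events)

def loads_during_gap(events, protected=PROTECTED, max_gap=MAX_GAP):
    """Return (image, seconds_after_stop, restart_seen) for every driver
    loaded while the protected driver was stopped. restart_seen is False
    when the protected driver never came back before the log ended."""
    findings, stopped_at, pending = [], None, []
    for ts, action, image in events:
        if image == protected:
            if action == "stop":
                stopped_at, pending = ts, []
            elif action == "load" and stopped_at is not None:
                findings += [(img, secs, True) for img, secs in pending]
                stopped_at, pending = None, []
        elif action == "load" and stopped_at is not None and ts - stopped_at <= max_gap:
            pending.append((image, (ts - stopped_at).total_seconds()))
    # Gap still open at end of log: report what was loaded inside it
    findings += [(img, secs, False) for img, secs in pending]
    return findings

if __name__ == "__main__":
    for image, secs, seen in loads_during_gap(parse(SAMPLE_LOG)):
        print(f"{image} loaded {secs:.0f}s after {PROTECTED} stopped (restart seen: {seen})")
```

A driver that re-validates the set of loaded drivers after every restart, not only at first start, removes the blind spot this check looks for.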
 