CS2-Extern Architecture — Saku Grossarth

Architecture Overview

CS2-Extern runs as a separate process and reads game memory externally through either user-mode APIs or through a minimal kernel driver. The architecture is modular with clear separation between rendering, game analysis, and memory access layers.

Overlay System — DirectX-based transparent window tracking CS2
Memory Backend — Dual-mode: user-mode or kernel driver via shared memory
Entity System — Collects and caches game entity data
Feature Modules — Combat (aimbot/triggerbot), ESP, and utilities
Pattern Scanner — Runtime offset resolution for game updates

Memory Backends

The cheat supports two memory access methods that can be swapped at runtime:

Usermode (Default) — Uses OpenProcess + ReadProcessMemory. No driver required but more detectable.
Kernel Driver — Uses CS2ExternDrv via shared memory section. Stealthier but requires driver loading.

The shared memory approach avoids creating a device object or symbolic link, making the driver's presence harder to enumerate from user-mode.

Overlay Rendering

The overlay is a transparent, click-through window positioned over CS2 using SetWindowPos to track the game window. Rendering uses DirectX 11 with:

2D box ESP with corner/full box options
Skeleton rendering using bone positions from game memory
Health/ammo bars and text information
Grenade trajectory prediction with physics simulation

Pattern Scanning for Offsets

CS2 updates frequently break hardcoded offsets. The solution is runtime pattern scanning that finds signatures in the game binary and calculates offsets dynamically.

// Pattern format: bytes + wildcards (??)
// Example: "48 8B 05 ?? ?? ?? ?? 48 85 C0"
pattern scanner:
  1. Read game module into buffer
  2. Scan for byte pattern with wildcards
  3. Resolve relative addresses (RIP-relative on x64)
  4. Return calculated pointer

What the patterns find

Entity list base address
Local player pointer
View matrix for world-to-screen
Game state (bomb timer, round state)
Bone matrices for skeleton ESP

Combat Features

Aimbot

The aimbot calculates target angles based on enemy bone positions and smooths the mouse movement to appear human-like:

FOV checking — Only targets within configurable field of view
Smoothing — Interpolates between current and target angles
Prediction — Accounts for target velocity and projectile travel time
Autowall — Checks if bullets can penetrate surfaces to target
Weapon configs — Separate settings per weapon class

Triggerbot

Monitors crosshair position and fires when an enemy intersects. Includes hitchance calculation and delay randomization to avoid detection patterns.

Stealth Considerations

External cheats have different detection vectors than internal ones:

Window tracking — Overlay position must follow game window
Input detection — Mouse movements must look human (smooth curves, not linear)
Timing — Read intervals randomized to avoid periodic patterns
String obfuscation — Compile-time string encryption with xorstr

What I Learned

Building CS2-Extern taught me about Windows graphics APIs, process memory layout, and the arms race between cheat developers and anti-cheat. The most valuable insight was understanding how kernel drivers can provide stealthier memory access while remaining minimal in functionality.

Architecture Decisions

External vs Internal: External is safer to develop (no DLL injection) but limited in capabilities. The kernel driver bridge attempts to get the best of both: external's safety with internal's memory access stealth.

DirectX vs GDI: DirectX 11 provides better performance and alpha blending for the overlay. GDI is simpler but slower and more obvious.