Lua executor detection: how Raven Anticheat catches Fivem Lua injectors
Lua executors inject arbitrary scripts into the running Fivem client. Raven detects them through signature matching, runtime integrity checks, and server-side validation of impossible Lua-driven actions.
Why Lua executors are a special problem
Most Fivem cheats live in C/C++ DLLs and can be detected by traditional injected-module signature scans. Lua executors are different: they execute arbitrary Lua inside the legal Fivem scripting runtime, which means they look identical to legitimate game scripts to most static checks. A pure signature scan against the executor binary helps, but the binary is small, frequently rewritten, and trivial to repackage. Detection has to happen at the runtime layer too.
Signature detection on the loader
The first line of defense is signature detection on the loader process and any DLLs the loader maps into Fivem. Raven's signature pack tracks the most active loader families and is refreshed on a 1-7 day cadence. This catches the lazy executors immediately and forces the rest to repackage between every release - which itself buys time.
Runtime integrity checks
Beyond loader signatures, Raven validates the integrity of the Lua runtime itself: it monitors which native handlers have been patched, which event registrations exist, and whether the global Lua state has been augmented with foreign tables. Executors typically need to insert at least one of these to deliver their payload, so this layer raises a flag even when the loader binary itself is unknown.
Server-side validation as the safety net
Even if both the loader signature and the runtime check are bypassed, the executor still has to do something with its access - and that something usually involves triggering server events that legitimate scripts would not trigger. The server-side event validation layer (see /how-it-works/event-validation) blocks events from disallowed sources and rejects payloads outside plausible bounds. Lua-driven money grants, item duplications, vehicle spawn floods, and player teleports all hit the same validation gate.
Why Lua executor detection is never "done"
Executor authors rewrite their loaders constantly because every signature shipped against them costs them their entire customer base for that release. The honest framing is that detection is continuous: a working executor today is a detected executor in 1-7 days, and its users are then in the Global Ban Database. The 2026-04-21 advisory entry on the changelog covers a recent example - a Redengine event-trigger pattern that we patched server-side with a rule that runs even if every client check is bypassed.