As a Roblox developer, it is currently impossible to, as far as I know, detect exploits like Dex.
The reason for this is that Dex parents their UI to CoreGui. Now, I get why we are unable to edit anything in CoreGui, but allowing us to just get the descendants of CoreGui would make it easier to make better anti-exploits.
They deliberately make it more difficult to gain knowledge about the state of the CoreGui, even as recently as a month and a half ago with a very significant change:
This stance is probably to prevent malicious developers from being able to capture sensitive information, such as any credentials the Player is entering or viewing, or what the Report menu is doing.
As far as I know, a lot of exploits also supply external GUI APIs that do not use the CoreGui or instances parented to game at all, and regardless it would be very easy for them to hook :GetChildren/:GetDescendants of CoreGui to prevent exploit GUIs from being visible to game scripts.
Literally, the CoreGUI access method doesn’t solve a lot, exploits aren’t as primitive as they were back then. People can just hook functions and return whatever they want.
As I said, Dex parents their UI to the CoreGui.
Yes but you fail to realize this, exploits can hook functions that you are using.
You can be calling :GetChildren() but they simply hooked the lua function to always return {}
Same with events such as .ChildAdded or .DescendantAdded they can simply hook these events to not fire when the instance that it fired on is game.CoreGui
Two things are immediately problematic even with reading only:
Privacy. Developers would be able to do things such as get the user’s Robux balance and see various pieces of PII by reading them out of CoreGui elements.
Hyrum’s Law. If Developers were able to access the CoreGui they would be able to start depending on the contents being there in a particular form, such that their code breaks when we try to update the layout / contents of the CoreGui.
Those alongside other issues mean this will never happen.
Fair, I also thought of making a whitelist/blacklist system for which UIs we could access, but yeah, that would probably take too much time for what it would be worth.
Is there a chance that, in the future, we will somehow be able to detect certain UIs inserted by exploits, though?
Yes, for example, I could see some kind of system where your experience could statically declare what kind of stuff it expects to be creating on the client being a more fruitful direction to explore.
Sounds exciting. And thanks for the quick answer!