About 
BeeScan is powerful game instance scanner for backdoors detection. It is a one click solution that most developers can use to get a quick health check on their games. It’s designed to detect hidden scripts, obfuscation attempts, and illegal access to global functions by reading the script content.
Features:
Known Solutions
There are already solutions out there, such as SteadyOn’s Instance Scanner, Server Defender, or Kronos. But they either are out of date or lack certain features given below.
Multiple Layers of Scanners
BeeScan has multiple scanners that run along a pipeline. All it takes it for 1 scanner to flag a problem. Because there are multiple scanners in a pipeline, it’s easy for you to add your own processing systems.
Example
-------------------------- BEGAN SCAN [1.0.0] --------------------------
[MaterialService.bad] caught by [OutlierCheck]:
--> Script RunContext is set to Enum.RunContext.Server instead of Legacy so script is allowed to run anywhere, please review
--> bad is a ServerScript but is residing in a blacklisted parent MaterialService
[Workspace.Malware.obfuscate] caught by [FlexRules]:
Obfuscation attempt found, method is reassigning a lua GLOBAL (loadstring)
--> local x = loadstring
Script uses loadstring, please verify it's authorized and mark as good
--> local x = loadstring
scanned 2 instances
-------------------------- SCAN COMPLETE --------------------------
Smart String Pattern Source Code Matching
One of the unique scanners that run with BeeScan is FlexRules, a rule based script pattern detector. Manual rules are generated and entered into the rule library, which will try to match the pattern with real world scripts. The system is smart enough to ignore comments and whitelisted samples.
Example
local x = require -- flagged
local x = require(123456789) -- flagged
local x = require(workspace.MyModuleScript) -- allowed
--local x = require(123456789) -- allowed
Some common patterns include require, loadstring, getfenv, setfenv, _G, and HttpService.
Instance Outlier Scanning
The system will also alert you of suspicious scripts. These include those that hide inside hidden services, have really large sizes, or use RunContext. “game:GetDescendants()” is used for scanning to ensure that new services are also scanned.
Example
[VRService.testPrint] caught by [OutlierCheck]:
--> Script RunContext is set to Enum.RunContext.Server instead of Legacy so script is allowed to run anywhere, please review
--> "testPrint" is a ServerScript but is residing in a blacklisted parent VRService
Code Verification and Signatures
Verify scripts by “signing” them. Signing will attach a timestamp, your user ID, and a hash the scanner will use to compare with. Changing any part of the script (hash, timestamp, user ID, script name, script content) will invalidate the signature and flag it again.
Example
Open Source with Modifications Allowed
This project is open sourced. You are free to make your own modules and add it to the pipeline. If you feel generous, please contribute any changes you make! Over time, if there are new methods to backdoor, I will try and update the plugin.
How to Use
Installation
Quick Use
- Download plugin through Roblox plugins.
- Open a roblox studio place you want to check.
- Click “Scan”
Development/In-house/Close Loop copy
- Download plugin through GitHub.
- Open a roblox studio place you want to check.
- Load the .rbxm file.
- To override the hash salt/private key, update BeeScan.Salt.Value, otherwise, leave it blank as “”.
- Right click the BeeScan folder, then click “Save as Local Plugin…”
- Click “Scan”
Plugin Buttons
Scan
Scans the selection and prints out the report in output logs.
- deselect everything in workspace and click “Scan” to scan the entire game
- select an Instance and click “Scan” to scan the instance and its descendants
- select multiple Instances and click “Scan” to scan the instances and their descendants
Hash
Used on scripts only. “Signs” the script using your Roblox UserID and the datetime, then generate a hash. As long as the hash is valid, the scanner will ignore it.
- find a script that’s marked by the scanner as suspicious
- click on that script, then click “Hash”
- you’ve now signed the script and said it’s “Safe”, your user ID and date/time signed is available for other developers to look at.
New Salt
Only available if plugin salt isn’t modified. This will generate a new “private key” for you that you sign with. The scanner, now using this new key, will invalidate all your previously signed scripts. Only click this if you believe your plugin private key has been found, OR you want to sync your private key with a friend.
No selection vs. Selection of an instance before clicking “New Salt”
Technical Detail (Scanners)
HashCheck
The hash check scanner simply verifies if the hash signature is valid.
Hash generation and user signature is a blend of attributes:
- Script name
- Script source/content
- User ID who verified this
- Date/time
- Your plugin’s private key (auto generated)
-------------------------- BEGAN SCAN [1.0.0] --------------------------
[TextChatService.Commands.BasicCommands.Controller] caught by [HashCheck]:
Controller's hash doesn't match.
scanned 1 instances
-------------------------- SCAN COMPLETE --------------------------
Keyword Scanner: Some areas are in need of review. [1 notice]
If any of these are changed, the signature will be invalid and the scanner will pick it up again.
FlexRules
Short for “Flexible Rules”, this scanner tries to match for certain code patterns rather than direct entries. The scanner is smart enough to ignore comments. Some checks include keyword checks, variable assignment checking, and common obfuscation string checks. The majority of detections will be done using FlexRules.
-------------------------- BEGAN SCAN [1.0.0] --------------------------
[Workspace.Malware.NexusAdminBackdoor] caught by [FlexRules]:
Obfuscation attempt found, method is reassigning a lua GLOBAL (require)
--> local _cframe, _ = require, CFrame.new(0, 0, 0)
scanned 1 instances
-------------------------- SCAN COMPLETE --------------------------
Keyword Scanner: Some areas are in need of review. [1 notice]
OutlierCheck
This scanner looks at the script properties and checks for any anomalies, such as suspicious Parents, RunContext, and script size. This system will prevent most backdoors from hiding inside hidden services.
-------------------------- BEGAN SCAN [1.0.0] --------------------------
[MaterialService.ContextBypass] caught by [OutlierCheck]:
--> Script RunContext is set to Enum.RunContext.Server instead of Legacy so script is allowed to run anywhere, please review
--> "ContextBypass" is a ServerScript but is residing in a blacklisted parent MaterialService
scanned 1 instances
-------------------------- SCAN COMPLETE --------------------------
Keyword Scanner: Some areas are in need of review. [1 notice]
To remove scripts from hidden services, you can run a command line, or enable the service to be visible in studio and delete the script.
NameCheck
This scanner simply matches names to a list of virus names. It also detects for deviations in naming format (for example, using unknown characters)
-------------------------- BEGAN SCAN [1.0.0] --------------------------
[Workspace.Malware.h�mer�] caught by [NameCheck]:
h�mer� is using invalid characters!
scanned 4 instances
-------------------------- SCAN COMPLETE --------------------------
Keyword Scanner: Some areas are in need of review. [1 notice]
Extras
Threat Model
This plugin is intended for Roblox Studio. This plugin is made to stop bad actors (developers & plugins) from injecting hidden code into your game. It’s designed to detect and flag hidden scripts, obfuscation attempts, and illegal access to global functions by reading the script content.
This plugin does NOT detect common “troll”-like or self-replicating scripts, such as Anti-Lag and fire spreader due to their signatures overlapping with actual valid scripts.
This plugin cannot detect 3rd party material. Example: a backdoor is injected into the roblox studio game which talks to an outside server via HttpService. This plugin will only detect the backdoor itself (because of the HttpService call) and not the outside server.
Limitations
-
This plugin, like most security systems, will eventually become out of date unless it’s periodically updated.
-
To make this system passive, this plugin does NOT modify/remove scripts. It is the users job to resolve the flags (usually by deleting the script). This is because I don’t want to disrupt development because of false positives. This plugin simply finds script violations for you. It is your job to remove it.
-
Do not assume flagged scripts are BAD. Treat flagged scripts as “suspicious” unless you can confirm it’s safe. The system tends to be trigger happy.
FAQ
My friend hashed a script and verified it was good, but my BeeScan is showing a hash mismatch on that script?
This is normal, the plugin is intentionally designed to not trust anyone. If you trust your friend, both of you will come up with a private key. Create an Instance, like a BasePart, and name it that private key, select it, then click “New Salt”. Your output log should show that the salt/private key has been set to a new value.
Can I use this plugin to scan other plugins?
This plugin can only be used to scan in-studio Instances (things that sit under Explorer). You cannot scan your active plugins directly. You will need to obtain the source file/source code of the plugin, then insert it into workspace/game and use BeeScan on it.
Can I use this plugin to scan 3rd party systems? For example: how do I know require(123456789) returns a safe plugin?
You would have to find the source code of that plugin, put it in workspace/game and use BeeScan on it.
Credits
- This plugin uses HashLib by Egor Skriptunoff, boatbomber, and howmanysmall (HashLib - Cryptographic hashes in pure Lua)
- Some additional devforum posts were used to test the plugin (How does backdoors work (Nexus Admin Exploit works in detail), How to check for backdoors, How to remove Rosync virus?)
- Special thanks to @Meta_data for testing
- Image art by @swopped
