Been trying to make more anti-exploit systems for my games. Recently, I’ve been looking for those that detect when an exploiter inserts a GUI into PlayerGui or CoreGui.
Right now I’m working on CoreGUI since that would interfere less with my game than a script that detects additions to PlayerGui, and this is the following code:
game.CoreGui.ChildAdded:Connect(function(a)
print(a.Name.." was added to CoreGUI.")
end)
It is server-sided but I also have one in a local script in PlayerGui. However, when either runs, I get this message in Output:
I believe you can use the DescendantAdded event on the game object.
Through that, you should be able to check if it is a child of CoreGui by checking what GetFullName returns.
Additionally, this only works when used in a LocalScript. The server cannot see an individual player’s CoreGui.
You may also run into issues with proper stuff loading in, and creating a list of each acceptable item will be difficult. Also, there may be permissions issues when blindly using GetFullName like I am here, you’ll need to add checks to make sure your code doesn’t error.
As for what the error you received means, here’s a good write up about it: Security context
Example code:
game.DescendantAdded:Connect(function(descendant)
local fullName = descendant:GetFullName()
local paths = string.split(fullName, ".")
if #paths >= 1 and paths[1] == "CoreGui" then
print(descendant:GetFullName() .. " was added to CoreGui")
end
end)
game.DescendantAdded:Connect(function(descendant)
local success, fullName = pcall(function() return descendant:GetFullName() end)
if not success then
return print("A locked object was added")
end
local paths = string.split(fullName, ".")
if #paths >= 1 and paths[1] == "CoreGui" then
print(descendant:GetFullName() .. " was added to CoreGui")
end
end)
Would this code detect when non-ROBLOX items to the game are added? Like if an exploiter tried to load up admin commands into CoreGui, would it detect that, but leave alone the default ROBLOX scripts?
I assume that everything Roblox puts in CoreGui is locked, so it should not pass the success check. It may be safe to kick the player if anything gets beyond that, but be wary of false positives.
I’ll also add that any exploit that can access CoreGui, it may be able to lock it from normal script access.
You can’t detect when thing get added to CoreGui for security reasons. Also, in order to access the player’s CoreGui, you need a local script since exploits work client sided, however, exploiters can simply delete your script.
so there’s really nothing that can be done to stop them then? the only thing I was working with was detecting things that got inserted into PlayerGui but even then there was a ton of locked ROBLOX stuff that it would pick up.
You can only stop exploiters from abusing your game systems with sanity checks but you can’t stop them from using and activating their exploits, at least not forever. Also, exploiters don’t always insert their exploits into the game itself: some of them are parented to nil which can’t be accessed
