Hello Roblox developers! Due to a lot of posts relating to backdoors I’ve created a tool to scan for these backdoors. It offers a few “detections” which may be useful when looking for backdoors or malicious scripts. Here is a list of configurable detections:
```lua
local detectRequiresNonNumeric = false -- Should non-numeric requires be detected?
local detectIsStudio = true -- Should IsStudio calls be detected?
local detectLoadstring = false -- Should loadstring references be detected?
local detectStoreRequire = true -- Should storing require in a variable be detected?
```
Other detections include numeric requires, fenv usage (especially useful for finding obfuscated code!), and HttpService usage.
This script by default does not scan ModuleScripts (it also does not scan CoreScripts but these are not usable by developers and also cannot be scanned), but there is an option to scan these.
You can find this script here: GitHub - Hexcede/GameTree: A Roblox instance & script scanning tool
To use it, simply configure it in a text editor and paste it into the command bar.
Any detected scripts will be displayed as a path starting with the script’s name. Each segment in the path contains the Instance name and the ClassName. Warnings are displayed below scripts, preceded by a tab and `[!]`.
I hope that developers will find this useful.
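
To make concrete what detections like the ones listed in this post look for, here is an added sketch of pattern-based scanning over script source text. It is not GameTree's code: the `scanSource` function, the Lua patterns, the warning wording and the sample sources are all assumptions, and it works on plain strings so it runs in standard Lua as well as Luau.

```lua
-- Added illustration only; this is not GameTree's source. Names and patterns are assumptions.
local config = {
	detectRequiresNonNumeric = false,
	detectIsStudio = true,
	detectLoadstring = false,
	detectStoreRequire = true,
}

-- Returns a list of warning strings for one script's source text.
local function scanSource(source)
	local warnings = {}
	local function warn(msg) warnings[#warnings + 1] = msg end

	-- require(...) calls: split on whether the argument is a bare number (an asset id).
	for call in source:gmatch("require%s*(%b())") do
		local arg = call:sub(2, -2):match("^%s*(.-)%s*$")
		if arg:match("^%d%w*$") then
			warn("numeric require: " .. arg)
		elseif config.detectRequiresNonNumeric then
			warn("non-numeric require: " .. arg)
		end
	end
	-- "= require" not followed by "(" means the function itself is being stored,
	-- so a later call through the alias would escape the require(...) check above.
	if config.detectStoreRequire then
		for nextPos in source:gmatch("=%s*require%f[^%w_]%s*()") do
			if source:sub(nextPos, nextPos) ~= "(" then warn("require stored in a variable") end
		end
	end
	if config.detectIsStudio and source:find("IsStudio", 1, true) then warn("IsStudio call") end
	if config.detectLoadstring and source:find("%f[%w_]loadstring%f[^%w_]") then warn("loadstring reference") end
	if source:find("%f[%w_][gs]etfenv%f[^%w_]") then warn("fenv usage") end
	if source:find("HttpService", 1, true) then warn("HttpService usage") end
	return warnings
end

-- Constructed sample sources; the asset id is made up.
local samples = {
	{ name = "Loader", source = 'local r = require\nr(1234567890)\nif game:GetService("RunService"):IsStudio() then return end' },
	{ name = "Clean", source = 'local Util = require(script.Parent.Util)\nprint(Util.add(1, 2))' },
	{ name = "Env", source = 'local env = getfenv()\nlocal http = game:GetService("HttpService")' },
}
for _, s in ipairs(samples) do
	local warnings = scanSource(s.source)
	if #warnings > 0 then print(s.name) end
	for _, w in ipairs(warnings) do print("\t[!] " .. w) end
end
```

Text matching of this kind also fires on comments and string literals, so each warning is a prompt to read the script, not a verdict.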