H3x - Script Sandbox (Deprecating soon)

Because these will be sandboxed plugins. It logs what the plugin does (what scripts it places, etc).
I wouldn’t be surprised if someone makes a masterplugin where you can load plugins in a sandbox with set permissions.

1 Like

The main use will be detecting backdoors. For example, let’s say the plugin imports a script. That script could do anything (like require a module) so showing some sort of log of what the script does would be great information. And because its a sandbox you can make the script think its in a live server (e.g. wrap RunService:IsStudio) so it will run any malicious code it might run in a live server.


Sandbox:Load() does not follow the API you have written. It doesn’t have Hook as a third return.

Hook is returned as a second argument by Sandbox:MakeEnvironment(), but it is not passed up to the :Load() function.

function Sandbox:Load(code, env, mergeMode)
	local ctx = Context:Create()
	local loadedFunc = ctx:Load(code)
	ctx:SetEnvironment(env or Sandbox:MakeEnvironment(ctx), mergeMode)
	return loadedFunc, ctx
function Sandbox:MakeEnvironment(ctx)
	--- A whole long function
	return realEnv, hook

I might have messed up the docs. It is returned by MakeEnvironment.

1 Like

The next time I get a chance I’ll be fixing up some of that stuff.


I would like to be added to the H3x mention list .

I would like to be added to the H3x mention list.
This looks amazing.
I’m so excited to see more. (:

If you have an account for a remote git hosting service, such as GitHub, would you mind adding it to source control? I think that would make it easier for us to see changes, for you to push changes and for people to contribute.

Yep I was planning on doing so. The current update also has a lot of bugs related to the Runner API which I haven’t gotten a chance to fix. This is my github: https://github.com/hexcede

1 Like

Pretty nice work, I am an amateur at scripting (and I think this will be beneficial), and I think that this’ll be a great opportunity to implement this into a game I’m making. I would like to be added to the H3x mention list .

That’s cool! It definitely has some obscure tricks that you might find useful. (Also for new users reading this thread DM me your mention list requests. I changed it to avoid clutter)

I also think I might have some time tonight to fix some stuff and work out the Runner issues.

1 Like

It’s looking fantastic! I’ve taken a look through the code and it’s well-written! There’s one thing I’m looking for:
I would like to know the result of the code, so what happened (and not what’s printed). For example:
The code Instance.new("Part") ran in a sandbox. How would I know what had been created?

You would probably either use the hooking APIs for this or write/modify a custom environment. By default the script cannot access instances so you’d need to remove this in the hooking API.

If you allow access to more instances you would also most likely need to make sure the player’s service access is limited. E.g. MessagingService, LogService, TeleportService, etc.

Additionally you can also have scripts return values you want to use (be careful since they can contain malicious metatables and functions). Also, arguments you pass to the script can be used in a script via the vararg token (…).

1 Like

I apologize for the lack of activity haha. I should for sure have some stuff fixed/added this weekend. I’ve had not a lot of time to work on stuff this past week.

I just published a new update and I made some really stupid mistakes in the previous one (mainly not testing for blatant bugs before publishing). Things are working smoothly and I should be able to update the docs and get a github page going soon (by tomorrow at least).

Does it have something for a callback for a custom log?

The Hook API can be used for exactly that.

1 Like

How easy would it be to edit this, but instead of using loadstring use an interpreter like FIOne?

Probably not too difficult. You’d just need to change the call in the Context module and as long as it returns a function you’re good.

1 Like

I think(?) I have found a bug. It doesn’t look like a hook is returned by sandbox:Load()?

Another question, how can I access the sandboxed scripts stack?