So I know that a lot of exploits involve creating (assuming via something like Instance.new() ) a local script and loading the code into it.
Is there a way I can detect when a LocalScript has been created (not cloned, as in my game, LocalScripts are cloned and then put into player’s characters for vehicle controls), and then kick the player that inserts it into themselves?
I’m aware, but a lot of the exploits that have affected my game are ran through localscripts, this I know from having said exploiters tell me thats predominately how they do it (low level exploiting, I assume)
still, what are effective ways to prevent it, localscript, bytecode, or otherwise?
Again, this injection doesn’t take place through Roblox Lua code. It is through byte code that might be very hard to detect. You might not be able to stop the injection, but you should wait until people start to exploit the game, because then you know what to patch.
This really is not a good method to stop exploiters, since you cannot stop, or detect, people who use injectors easily by using the functions roblox has provided developers with. Unfortunately, as many contributors to this post already stated, many injectors run code in places that you cannot detect through a roblox LocalScript.
Even if someone’s exploiting software worked using LocalScripts, nothing would prevent an exploiter from just removing your LocalScript that is performing the checks. ServerScripts can’t see action done locally, and LocalScripts can be manually killed, so there is nothing you can really do about that.
We can’t combat exploiters through stopping them from injecting, but we can do our best to stop baddies attempts to do damage, by trying to stop them from different things they do inside our games. Things like performing location checks, monitoring a player’s velocity, and making sure remote events are fired when they should be, are all things us developers can do to stop exploiters.
Roblox handles preventing injection software, and we creators try to monitor our games, and patch any holes in security as we find them.
That wouldn’t work but here are some things that could potentially work:
Detect PlayerGui Instances
Usually, exploiters will parent any of their GUIs to the CoreGui which is out of reach but sometimes, they might forget to do so and parent it to the PlayerGui which is very easy to detect (and usually reliable).
Detecting Client Memory
Now, this method is not reliable but it might work out well. When an exploit injects, the client’s memory usage goes higher. You can detect the change in that and kick the player (since banning isn’t a good idea as this could happen to innocent people). You can read more about this here:
BUT, I don’t recommend the second method as client-sided memory leaks can result in the player being kicked but if you know what you’re doing, it can work.
The methodology that exploits utilize in order to achieve script injection does not require for there to be a script Instance in the environment at all. By default, yes, all scripts ran do contain a LocalScript Instance as the global “script” variable, however it is never parented anywhere outside of nil, so you have no way of detecting it.