I have an idea for an anti-exploit system, but I'm having trouble conceptualizing it

So I know that a lot of exploits involve creating (assuming via something like Instance.new() ) a local script and loading the code into it.

Is there a way I can detect when a LocalScript has been created (not cloned, as in my game, LocalScripts are cloned and then put into player’s characters for vehicle controls), and then kick the player that inserts it into themselves?

1 Like

Exploits don’t need to use local scripts to execute code. They can just feed the vm some bytecode and that works.

1 Like

I’m aware, but a lot of the exploits that have affected my game are ran through localscripts, this I know from having said exploiters tell me thats predominately how they do it (low level exploiting, I assume)

still, what are effective ways to prevent it, localscript, bytecode, or otherwise?

Usually synapse X injects stuff into your game in a very large string. If you could detect this then you would be moving in the right direction.

Like a StringValue? If so, where do they usually place it? Workspace, their character, etc.

But exploiters are going to disable any checks for new local scripts anyways

Again, this injection doesn’t take place through Roblox Lua code. It is through byte code that might be very hard to detect. You might not be able to stop the injection, but you should wait until people start to exploit the game, because then you know what to patch.

All in all you might just need a lot of scripts checking on things to make sure they aren’t being exploited or out of the ordinary.

This really is not a good method to stop exploiters, since you cannot stop, or detect, people who use injectors easily by using the functions roblox has provided developers with. Unfortunately, as many contributors to this post already stated, many injectors run code in places that you cannot detect through a roblox LocalScript.

Even if someone’s exploiting software worked using LocalScripts, nothing would prevent an exploiter from just removing your LocalScript that is performing the checks. ServerScripts can’t see action done locally, and LocalScripts can be manually killed, so there is nothing you can really do about that.

We can’t combat exploiters through stopping them from injecting, but we can do our best to stop baddies attempts to do damage, by trying to stop them from different things they do inside our games. Things like performing location checks, monitoring a player’s velocity, and making sure remote events are fired when they should be, are all things us developers can do to stop exploiters.

Roblox handles preventing injection software, and we creators try to monitor our games, and patch any holes in security as we find them.

1 Like

That wouldn’t work but here are some things that could potentially work:

Detect PlayerGui Instances

Usually, exploiters will parent any of their GUIs to the CoreGui which is out of reach but sometimes, they might forget to do so and parent it to the PlayerGui which is very easy to detect (and usually reliable).

Detecting Client Memory

Now, this method is not reliable but it might work out well. When an exploit injects, the client’s memory usage goes higher. You can detect the change in that and kick the player (since banning isn’t a good idea as this could happen to innocent people). You can read more about this here:

BUT, I don’t recommend the second method as client-sided memory leaks can result in the player being kicked but if you know what you’re doing, it can work.

The methodology that exploits utilize in order to achieve script injection does not require for there to be a script Instance in the environment at all. By default, yes, all scripts ran do contain a LocalScript Instance as the global “script” variable, however it is never parented anywhere outside of nil, so you have no way of detecting it.

1 Like