This project has been temporarily paused until I finish writing an API wrapper to use Open Cloud instead of the Cookie API (as well as some other changes)
Co-Dev: @TheRealPixeluted
Hello! After having a fun rodeo debugging a backdoor on my now 5-day-old DevForum tutorial ( Detecting and Tracing Backdoors via Runtime Debugging) I decided to take things to the next level.
Having already had some fun with the Roblox API myself a few months ago, I decided to work towards something more interesting afterward.
This project takes a little bit of inspiration from things such as anti-backdoor plugins, mainly things like the classic Ro-Defender, which is simply a bunch of string.match on common backdoor items and then reporting them to the user, but instead of doing such on demand, I decided to build a small program to do it all from simple Toolbox API queries, all compressed into a simple Discord Bot for easier consumption.
There are no official plans for an API yet, or anything of that sort; there is no Roblox plugin for this either! Iām mainly testing the waters of what is possible currently with the resources I have available and the ~4 days I placed into the project and how accurate it is so far as well as how performant and efficient it is, and it is sadly something Iām not able to do myself without wasting far too much time thinking of query terms.
But I went too fast; let me explain how it works!
How does it work?
The bot works by first receiving a search query, then it is later executed via the ROBLOX API using endpoints (which do not need any kind of authorisation). After this, it collects all the Creator IDs, Asset IDs and some more metadata, such as if it has scripts or not. Then we discard models which have no scripts on them and begin requesting the assets (which does require authorisation); after download, theyāre kept in memory, as the toolbox normally gives you at most ~2K items per search term with luck, and models are not that big in general, and they are worth on average ~2GB of heap memory (which I have more than enough for on my development machine and on the small VPS that the bot is running on)
Later, after all the assets have been downloaded, we have a small piece of code that contains āanalyzersā, which has two analysis methods BasicAnalysis, ModelAnalysis. The first one is very simple. It just takes the raw data and performs very optimised AOB (Array of Bytes) scans. These allow us to quickly check the strings in the model, and if thereās the possibility of false positives, such as one of the checks I have (named funnily enough Suspicious string on model; JobId and require found in model.), which allows it to use ModelAnalysis, in which we use a modified version of MaximumADHD/Roblox-File-Format: A C# library designed to make it easy to create and manipulate files in Robloxās serialised DOM. to deserialise and process the raw bytes into a structure that represents our model. In that check we can check the scripts individually, instance values, etc. Which is much more precise in general.
However, the way Roblox-File-Format handles memory was not particularly efficiently, so I had to modify quite a bit of it to improve the memory performance at the cost of maintainability somewhat, but it is very much worth it, reducing what was previously a lot of GC time spikes to almost none and memory consumption dropping immensely (Not to fault Max, as the library is originally .NET Fx 4.7.2, and Iām on .NET 9, so thereās a lot of things that can be improved thanks to the new runtime changes)
However, I digressed; the main point is that it somewhat works like a scanner for assets, in short.
- Gets asset list from a query
- Discards assets which arenāt potentially malicious
- Downloads all assets which remain
- Perform basic AOB checks
- If required, parse the model object and run more complex checks.
That is very much the way the bot works!
The bot, after finishing a query you provide, DMs you with the terms you used, as well as attaching a JSON with all the queriesā results, which you can parse and comb by yourself, perhaps for data analysis purposes, statistics, finding if you have any of these assets, building some sort of network with the actors behind these backdoorsā¦ etc.
However, as with every analysis tool, it contains false positives; during development, I have seen it false-flag things like legitimate admins, which occur due to how open my AOB checks are. At one point, I had to discard entire patterns, such as detecting getfenv, since there were too many legitimate scripts which used it (product of the vice of everyone to localise things, of which, please, if you still do that, look into GETIMPORT or just read the post I released about that a while ago, which details why you should NOT localise anymore.)
In other cases, I found an asset from 2009, and I thought, āThereās no way in hell this could be malicious!ā and I was right; it had tripped one of my AOBs regarding LBIs (Lua Bytecode Interpreter(s)) (which are used in some serversides to execute custom user code); for some reason the user had left a disassembly-like representation of old Lua5.1 bytecode, which had some strings that tripped my analyser in that way.
What about the data?
Currently, with possible false positives, we are talking of approximately 16620 malicious assets as of right now. I hope to improve the analyzers as much as possible while keeping the speed up; we are two developers on this; however, we are both somewhat busy, so continuous updates on the project are kind of iffy (work when we can)
You can make your own queries to the bot (up to two every two minutes to prevent overwhelming the bot) and see what you get as a reply. As of currently, we do not track the queries the bot is sent, so if you find anything that yields a high number of backdoors (aside from emojis, rp, hangout and roleplay) be sure to reach out, as we wipe our dev DB quite often, and finding many samples fairly fast is a task without queries that have frequent hits like this!
How can I access it?
We have a Discord bot in this Discord server. When you send a query, it is enqueued for resolving (the order of resolution is not deterministic!). Once it is resolved (takes a little bit over 2 minutes if the queue is empty), you will receive a DM by the bot that looks like this:
Which contains your query and the data (which I will attach here so you can see a sample of what is outputted by the bot)
assetdata.json (296.0 KB)
It is very easy to parse (thankfully), so you can make a visualiser or simply take a look at the JSON.
Closing statements
This project was born, very much, after seeing one help post from a user being frustrated with a backdoor infection, which later resulted in my tutorial against backdoors, and now on this, truly a chain of events that seem completely unrelated but together amount to great things, and seeing as the community tutorial has gotten a fair share of attention, I believe it is fair to follow up with a good resource like this.
The bot may be open-sourced once (this project) dies down; however, there is no specified date for that (+ there are still many improvements that can be done, Iād say, so this is just the beginning!)
In the future I may add a feature in which you can upload your own model files to check them, which I think would be perhaps one of the things that are most important; you just got a model, and you want to make sure (up to a certain degree) if thereās a possible backdoor ā no biggie!
As for additional things, I was able to get my hands on some assets from 2019, such as an SSd Infinite Yield script (how time movesā¦).
Hereās a list of seemingly old assets that have the intention of backdooring/exploiting-like but are benign:
- LBI false positive from 2009
- Synapse X UI
- Backdoor(put in workspace) [Yes, this is real, and an empty model.
]
By the way, the bot is written in C#; this isnāt Rust, if it wasnāt obvious. Iām not using rbx-dom and I wonāt change languages. 
As mentioned, this project is under heavy development, nothing is final and many things will change, detection will improve, the way to interface with it will changeā¦ etc, we are barely indev!
Happy querying and testing! 