V2.1 - Plugin: Hidden Backdoor/Infection Script Detector (Detects/Removes infections from malicious plugins)

I am pretty sure it goes through all instances in the game (2k+).

```lua
print(#game:GetDescendants())
```

It includes Roblox’s too.

1 Like

Just pushed a bug-fix to the plugin. If you’re using it make sure you’re on V2.1.3 or else the new addition to the known infections list will cause a lot of false positives! (My smart search function wasn’t working as intended and it was flagging anything found in the table instead of acting as a wildcard system like I had intended. Forgot 3 lines and it caused 150+ false positives when I added another infection with a lot of wildcards to it.)

2 Likes

For some reason I have two of the same plugin on my plugin bar.
Was this so that if it failed to load one, it had a backup?

Hey there, dunno if this is still a relevant issue (since I think I’ve seen it earlier in the post)
But anyway, the ‘Scan for Infection’ button keeps spinning indefinitely. No errors pop up.

https://gyazo.com/cf68b1161085048ba542055f539f40ec

Plus, another anomaly I noted was that the plugin stated the following:
“Large game detected. Slowing scan to prevent CPU overload and/or Studio freeze-up.”
In a game that had about 5 parts (not including the character)

Thanks ahead of time :heart:

P.S. I just installed it too, so it probably shouldn’t have any ‘old version’ issues, right? :man_shrugging:

8 Likes

Please try to figure out what causes the “Scan For Infection” line to spaz out. Spazzing out plugin icon is offsetting no matter how often you use it.
Also, consider changing the text to “Scanning for Infections” or “Cancel Scan”.

Additionally, it would be nice to have some form of progress indicator.
Like, “Scanned 100 items” “Scanned 1K” … Or, if we count items first, “Scanned 1.2K of 3K” “Scanned N%”
For larger games, it often feels like it’s not doing anything but spinning. So it would be nice if it told us that we are, without a doubt, actually moving forwards. Update status every N seconds (let’s say N=10 as default)

8 Likes

Agreed, it’s very difficult to tell whether or not it was actually scanning. I left it scanning for an hour, and it has not shown any progress whatsoever. Hopefully this gets fixed soon! :grinning:

39 Likes

The plugin detects other clean plugins and my own plugin scripts as viruses. It seems to be assuming every script in CoreGui is bad. Here is one of my scripts that it calls a backdoor:

```lua
script.Parent.MouseButton1Click:Connect(function()
	if script.Parent.Value.Value == true then
		script.Parent.Value.Value = false
		script.Parent.Text = "Disabled"
	else
		script.Parent.Value.Value = true
		script.Parent.Text = "Enabled"
	end
end)
```

1 Like

This is because by default CoreGui is a hidden location. The plugin will flag any script found in hidden locations regardless of their source. You can alter this by changing the settings in the plugin to make it not view CoreGui as a hidden location if you want.

1 Like

Ok, but you should add a system where it checks if it’s a script from a well-known plugin at least.

1 Like

Roblox can’t support locating the plugin a script originated from at this time. The only similar option I would have is to add a source-whitelist where I’d have to update it every time the plugin maker alters their injected script.

1 Like

Wouldn’t you be able to go based off of certain words in the code or names? If not, that’s okay. But it’s kinda not a backdoor detector if it just detects literally any script it finds…

“not a backdoor detector if it just detects literally any script it finds” I strongly disagree. If there are scripts in locations not viewable to the client then it should be assumed to be an infection, especially since the exploit this plugin was originally intended to combat (which is now patched) would be located in an area where the plugin wouldn’t have the security context needed to be able to view the name or source of the script, only a rough estimate of its location, thus leaving the plugin with no choice but to assume if a script is hidden away in an obscure location then it is a malicious script. I added the settings to customize the hidden locations for the sole reason that I understand that some services such as CoreGui are used by some developers and may be used by their plugins. If I only based it off of “certain words in the code or names” then that would open a giant vulnerability where a malicious script just has to add these words/names in order to bypass the scan entirely.

I think CoreGui should at least be more open to the user, and be turned off by default, or there should be a popup asking if u want it to scan that at setup.

Otherwise plugin resources might get deleted, even yours. And I don’t think plugin resources (mainly UI) come back that easily if they are deleted, unless you update or re-install the plugin.

The plugin follows the defaults of ROBLOX Studio, in which CoreGui is hidden by default unless enabled by the user. “plugin resources might get deleted, even yours” My plugin doesn’t inject any scripts into the game and there are multiple routes to prevent a false positive on a script you trust, including allowing CoreGui or enabling script hashing whitelist. Also this plugin only scans for “Backpack” and script (Script, LocalScript, etc.) objects so it shouldn’t alter anyone’s UI. If you’d like to continue this I’d rather move to PMs/DMs so as not to continuously bump this thread with our disagreements.

k i have another argument, i’ll dm u on roblox or on dev forum

1 Like
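The trade-off argued in the exchange above, as an added example that is not part of any post and is not the plugin's code: it models the scan outside Studio in Python on a constructed instance tree, comparing "flag every script in a hidden location unless its exact source hash is allowlisted" with the proposed keyword/name exemption. The function names, sample paths and the `MyPlugin` keyword are assumptions made for illustration.

```python
import hashlib

SCRIPT_CLASSES = {"Script", "LocalScript", "ModuleScript"}
DEFAULT_HIDDEN = frozenset({"CoreGui"})  # the thread confirms only CoreGui as a default

def source_hash(source: str) -> str:
    """Hash of the exact script source; any edit to the script changes it."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()

def hidden_scripts(instances, hidden):
    """Yield script instances whose top-level service is configured as hidden."""
    for inst in instances:
        service = inst["path"].split(".", 1)[0]
        if inst["class"] in SCRIPT_CLASSES and service in hidden:
            yield inst

def triage_by_hash(instances, hidden=DEFAULT_HIDDEN, trusted_hashes=frozenset()):
    """Flag every hidden script unless its exact source hash is allowlisted."""
    return [i["path"] for i in hidden_scripts(instances, hidden)
            if source_hash(i["source"]) not in trusted_hashes]

def triage_by_keyword(instances, trusted_words, hidden=DEFAULT_HIDDEN):
    """Proposed alternative: exempt scripts whose name or source has a 'trusted' word."""
    return [i["path"] for i in hidden_scripts(instances, hidden)
            if not any(w in i["path"] or w in i["source"] for w in trusted_words)]

# Constructed sample tree (not real scan output).
TOGGLE_SRC = 'script.Parent.Text = "Enabled"'
UNTRUSTED_SRC = "-- MyPlugin helper\n-- constructed stand-in for an unknown script body"
SAMPLE = [
    {"path": "CoreGui.MyPlugin.Toggle", "class": "LocalScript", "source": TOGGLE_SRC},
    {"path": "CoreGui.MyPlugin.Frame", "class": "Frame", "source": ""},
    {"path": "CoreGui.Fix", "class": "Script", "source": UNTRUSTED_SRC},
    {"path": "Workspace.Door.Open", "class": "Script", "source": "print('open')"},
]

if __name__ == "__main__":
    # Default: both hidden scripts are flagged, including the benign toggle.
    print(triage_by_hash(SAMPLE))
    # Hash allowlist: only the exact trusted source is exempt.
    print(triage_by_hash(SAMPLE, trusted_hashes={source_hash(TOGGLE_SRC)}))
    # Keyword exemption: the unknown script passes just by mentioning the word.
    print(triage_by_keyword(SAMPLE, {"MyPlugin"}))
```

The hash allowlist has the maintenance cost raised earlier in the thread: once the trusted script's source changes, its hash no longer matches and it is flagged again until the list is updated.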

Does this still work??? I got a hidden script that keeps creating a RemoteEvent in ReplicatedStorage

What if the script is obfuscated though. Because I’m sure this plugin also looks for require’s and what if that require().load was obfuscated??

This no longer works. I get an infinite scan time.

It is better to just use the watch tool and search for ‘getfenv’ for ‘require’, as that is what most backdoors use.

These malicious scripts are normally named Fix, Weld, Debounce, etc. They contain a comment that says something like “This is a script of ROBLOX”.

Sometimes the entire script looks blank, or there is a really long piece of code.

Just delete the right scripts and you will be fine! :smile:

3 Likes