V2.1 - Plugin: Hidden Backdoor/Infection Script Detector (Detects/Removes infections from malicious plugins)

Decided to see if this plugin worked. I didn’t even think the place I was in had any viruses until it scanned and returned 300 infected instances. Thank you so much for this plugin!

2 Likes

I’ve always used this single line for backdoor detection. :stuck_out_tongue:
for _, x in pairs(game:GetDescendants()) do pcall(function() if x:IsA("Script") then if string.match(x.Source, "require") then print(x:GetFullName()) end end end) end
Won’t work too well if you have a lot of modules…

2 Likes

I ran it and it found a script as a virus (it wasn’t so I just ignored it), but then if I scan again the scan icon keeps loading and never finds anything so it just runs for eternity. Is that supposed to happen if it finds nothing? Why not make a prompt saying that it found nothing instead of running for eternity?

edit: it appears a few times it will say Infecton not found, but other times it will run for eternity (it’s been 30 minutes, there’s no way it’s still scanning)

Unfortunately that doesn’t work for descendants of RobloxScript locked instances because they inherit the permission of their parent.

2 Likes

Plugins can access RobloxLocked instances? Didn’t know that… :frowning:

The way RobloxLocked instances work is kind of funny, actually. You can get a reference to an object through whatever means (usually GetService or FindFirstChild) and do whatever you want with it, including setting the parent of something to it, but if it’s RobloxLocked you can’t index it directly.

Plugins can access normal RobloxLocked Instances like the CoreGui just fine, but stuff like the CSGDictionaryService requires elevated permissions so you can’t directly index them. That’s why this plugin is a thing to begin with. I mentioned RobloxScript locked specifically because of this weirdness.

I have a bit of a more in-depth explanation for permissions here if you’re interested. It’s mostly unrelated but it defines script permissions and what RobloxScript means.

They can’t access them or their children through normal means (i.e. game:GetService("CSGDictionaryService"):GetChildren() will error) but you can set something’s parent to them (i.e. local Test=Instance.new("Script") Test.Source="--No print plz" print("Changed source") Test.Parent = game:GetService("CSGDictionaryService") print("Parented to RL object") wait() Test.Source="--Whoops, this won't work since it is now a descendant of a RL script context level 6 parent" will change the source (to stop an unremovable Hello world console print) then parent the new script to the RL service, but by doing so it will lose access to indexing or otherwise altering the script.) This is an engine permissions glitch that Roblox intends to correct, but for now a lot of malicious plugins are abusing this to inject backdoors into protected services in order to hide them from the developer and gain server-side execution access for them to execute whatever they’d like into the developer’s game.

6 Likes

I’m having a concerning problem, and without this plugin I don’t think I would’ve found it. Every time I start a new game in Studio and run a virus scan it always detects 2 infections. This can even be a baseplate and it still detects it. So what happens now? Is my Roblox infected or something? How can I get rid of those two viruses?

Check your plugins, try removing them one by one and seeing which you have to disable to stop this plugin from detecting them.

1 Like

Ah that fixed it, thanks. I found a phony Plugin and got rid of it and the viruses don’t pop up anymore. I still have a problem of being unable to show a DestroyedMenu though. I don’t know whether it was because of a bad plugin or if Roblox Studio was missing some files. Here’s my output when I right click on assets from the ToolBox.

16:25:45.061 - Unable to show a destroyed menu
16:25:45.062 - Stack Begin
16:25:45.062 - Script 'Plugin_-1.Plugin.Core.Components.Asset.Asset', Line 152 - field method
16:25:45.062 - Script 'Plugin_-1.Plugin.Libs.Roact.SingleEventManager', Line 41
16:25:45.064 - Stack End

1 Like

That’s a bug with the ToolBox plugin. Nothing to be done about it for the moment. :slightly_smiling_face:

1 Like

So it’s a Roblox update issue? Wow here I was trying to backtrack my 100 plugins.

Yup. Just a bug with Roblox for the moment.

I’ve already posted a bug report here, if you like the post it will show support and it is more likely to be noticed by staff if not already.

Also yeah, I was confused at the error at first as well.

1 Like

I did this on Boho Salon too and I decided to store it on the old version, then I updated and it’s just been running on and on and I know it’s still there as I checked for myself in the XML file.

1 Like

Lately whenever I press the Scan for Infection button, nothing really happens. The spinning circle icon doesn’t appear again, and no errors, warnings, nor other messages appear in the console. I’ve already tried reinstalling the plugin to no avail. What should I do?

1 Like

If you’re going to search for backdoors by checking source code for the phrase “require”, then add "\114\101\113\117\105\114\101" to your conditional, as it’s a common way to obfuscate “require”.

4 Likes

The icon doesn’t change due to an update from ROBLOX. I’ll likely be putting a GUI in to show the status of the scan now.

2 Likes

I never enable loadstring though

1 Like

Doesn’t matter. Apparently you can use getfenv with that string and it’ll parse into “require” and work as if the script they injected said “require(x)” to begin with. Synapse Xen obfuscates code this way, and so do a handful of other scripts with obfuscated backdoors.

1 Like
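
Added example, not part of any post above and not the plugin's code: a Lua check for the escaped spelling of "require" and the getfenv use described in the last few posts. A literal written as "\114\101\113\117\105\114\101" in your own script is parsed by Lua into require before any comparison runs, so this sketch decodes escapes in the scanned source text instead; KEYWORDS, decodeEscapes, count and scanSource are hypothetical names.

```lua
-- Added example, not the plugin's code; all names are hypothetical.
-- Pure string logic: runs in stock Lua 5.1+ and in the Studio command bar.
local KEYWORDS = { "require", "getfenv", "loadstring" } -- terms from this thread

-- Rewrite \ddd (decimal) and \xHH (hex) escapes that spell printable ASCII as
-- the character itself. Applied to the whole source, not only string literals,
-- so it errs toward false positives, which suits triage.
local function decodeEscapes(source)
    local function toChar(n) -- returning nothing keeps the original escape
        if n and n >= 32 and n < 127 then return string.char(n) end
    end
    source = source:gsub("\\(%d%d?%d?)", function(d) return toChar(tonumber(d)) end)
    source = source:gsub("\\x(%x%x)", function(h) return toChar(tonumber(h, 16)) end)
    return source
end

local function count(haystack, needle)
    local n, pos = 0, 1
    while true do
        local s, e = haystack:find(needle, pos, true) -- plain find, no patterns
        if not s then return n end
        n, pos = n + 1, e + 1
    end
end

-- Returns { [keyword] = { plain = n, escaped = m } } for each keyword found;
-- `escaped` counts occurrences that only appear after decoding.
local function scanSource(source)
    local decoded, findings = decodeEscapes(source), {}
    for _, kw in ipairs(KEYWORDS) do
        local plain = count(source, kw)
        local escaped = count(decoded, kw) - plain
        if plain + escaped > 0 then
            findings[kw] = { plain = plain, escaped = escaped }
        end
    end
    return findings
end

-- Constructed sample mirroring the thread: the escaped name indexed via getfenv.
local sample = [=[local r = getfenv()["\114\101\113\117\105\114\101"] ]=]
for kw, hit in pairs(scanSource(sample)) do
    print(kw, "plain=" .. hit.plain, "escaped=" .. hit.escaped)
end
```

In Studio, call scanSource(x.Source) inside the same pcall loop as the one-liner earlier in the thread and treat any script with an escaped count above zero as the first to review. As noted in the thread, scripts parented under RobloxScript-locked services are not reachable through that loop.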