Ways to Find Backdoors

Hello!
Recently, I have been working on my antivirus plugin, and I would like to know your common ways of detecting backdoors!
These can be:

  • Malicious plugins/models
  • Malicious IDs
  • Your personal method
  • What backdoors can do

I will use all the ideas you guys have to implement into my plugin, which you can also implement into your everyday Roblox development.

3 Likes

I don’t really know what you mean, but I could say that some free models contain a malicious script that can cause us to redirect to some other game.

So maybe plugins/models?

Moved Category to #developmentchat:devhelp

I’m sure there’s something out there already similar to this type of plugin that allows a lot of developers and creators to protect their game from any sort of backdoors you can get from your game. A lot of typical ways they are implemented into a game would be through use of a malicious file or plugin the user has downloaded infecting the game in some sort of way.

Another good way some people have been able to infect a game with a virus would be through scamming the user into downloading a free sourced model that they feel would be beneficial towards their game; however, it’s infected with code that executes on the server or client for exploitable tendencies.

I would generally suggest you make this able to detect require or script in code to assist the user with getting rid of the specified code that is infecting their game, as it’s the most beneficial way to assist newer developers and creators who don’t know much about backdoors or how to remove malicious code or files.

Yes, the plugin that I’ve linked does exactly that; this post is basically a mega-thread asking for common ways to detect these malicious scripts and implement them into my plugin.

And yes, this searches for requires, getfenv, basically anything you can imagine that can be malicious.

you can check the source for all the keywords!

1 Like

How does this detect malicious scripts and make sure that they’re not ones made by developers currently working on the game? Also, was this made using Roblox Lua, or some other programming language?

This is a Roblox Studio plugin, so it needs to be coded in Lua.

It’s almost impossible to tell if an official developer has made the script (the developer could’ve infected the game, I don’t know). If the user is getting false positives, they can whitelist the script name to prevent detections from happening with that name.

Ah, nice. Sounds cool man! Message me when this plugin’s updates and stuff have been completed! :smiley:

1 Like

I posted some criticism on your original post, plz take into account the context
As I said before, doing require(2329183) is sus, but doing require(workspace.Mod) isn’t.
Same thing with getfenv and setfenv: doing getfenv(["whatever the require bytecode is"]) is more suspicious than getfenv(2)["yomama"] = 2; there isn’t a good use for getfenv anyway.

You can do this either with string patterns or sandboxing; string patterns are the easiest, though.
For instance, to check if the require is requiring numbers:
string.match(source, "require%(%d+%)")

Next, you should also load in and scan plugins in the user’s inventory for possible malicious code, same thing with models.
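The pattern approach described above, worked into a small scanner as an added example (this is not code from the thread or from the GameGuard plugin, and the names RULES, scanSource and the sample source are my own). It reports the script name, line number, the rule that fired and the whole offending line, and honours a per-script-name whitelist for the false-positive case mentioned earlier in the thread:

```lua
-- Added example, not from the thread: a line-based pattern scanner for a
-- Studio plugin. It works on a plain string of source, so it also runs in
-- standalone Lua for testing.

local RULES = {
    { name = "require(asset id)",  pattern = "require%s*%(%s*%d+%s*%)" },
    { name = "getfenv",            pattern = "getfenv%s*%(" },
    { name = "setfenv",            pattern = "setfenv%s*%(" },
    { name = "TeleportService",    pattern = "TeleportService" },
    { name = "MarketplaceService", pattern = "MarketplaceService" },
}

-- Split a source string into an array of lines.
local function splitLines(source)
    local lines = {}
    for line in (source .. "\n"):gmatch("(.-)\n") do
        lines[#lines + 1] = line
    end
    return lines
end

-- Scan one script's source. `whitelist` is a set of script names to skip.
-- Returns an array of findings: { script, line, rule, text }.
local function scanSource(scriptName, source, whitelist)
    local findings = {}
    if whitelist and whitelist[scriptName] then
        return findings -- user marked this script as trusted
    end
    for lineNo, line in ipairs(splitLines(source)) do
        for _, rule in ipairs(RULES) do
            if line:find(rule.pattern) then
                findings[#findings + 1] = {
                    script = scriptName,
                    line = lineNo,
                    rule = rule.name,
                    text = line, -- the full line, not just the keyword
                }
            end
        end
    end
    return findings
end

-- Constructed sample source for a demo run (not a real backdoor).
local sample = [[
local RunService = game:GetService("RunService")
local cfg = require(script.Config)      -- fine: requires a child ModuleScript
local weird = require(2329183)          -- flagged: numeric asset id
getfenv(2)["x"] = 1                     -- flagged: getfenv
print("hello")
]]

for _, f in ipairs(scanSource("Infected", sample, { Whitelisted = true })) do
    print(string.format("[%s] line %d (%s): %s", f.script, f.line, f.rule, f.text))
end
```

In a Studio plugin you would feed this every descendant of game that `:IsA("LuaSourceContainer")`, reading its Source property (which only plugins and the command bar can read). The rule table is the part to grow from the thread's suggestions; the direct `require(<number>)` rule is deliberately the simple one, and the next reply shows why it is not enough on its own.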

The problem with using this is that it can easily be bypassed.

local o = require
local Joint = 1234

o(Joint) -- easily bypasses the pattern check: no "require(" with a number appears in the source

Then you could sandbox the script as I said.
local sandboxed = loadstring([[
-- keep the real require, then shadow it with a local shim for the rest of the chunk
local ACTUALREQ = require
local function require(t)
    if type(t) == "number" then
        print("hackerman") -- numeric asset id: report instead of loading it
    else
        return ACTUALREQ(t)
    end
end

]] .. source)
sandboxed() -- run the wrapped source; the scanned script now calls the shim first

You’d have to add more to spoof RunService:IsStudio() and things like that, though it’s a good baseline.
Because loadstring is generally not on, you’d have to enable it first (if you can via plugin), or use a Loadstring module.

Plugins like Kronos already sandbox scripts, because of the handy detection they add.

1 Like
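The sandboxing idea from the reply above, as an added example (not code from the thread or from any named plugin; PRELUDE, sandboxScan and the sample are my own names). Because require and getfenv are replaced at call time, the alias trick from the previous reply is caught just like a direct call. It uses standard Lua's loadstring (or load on newer Lua); in Studio you would substitute whatever Loadstring module or setting the reply above describes.

```lua
-- Added example, not from the thread: run untrusted source with local shims
-- in front of require/getfenv/setfenv and collect what it tried to do.

local compile = loadstring or load -- Lua 5.1 / Roblox vs. Lua 5.2+

-- Prepended to the scanned source. `...` is the findings table passed by sandboxScan.
local PRELUDE = [[
local __findings = ...
local __realRequire = require
local function require(target)
    if type(target) == "number" then
        __findings[#__findings + 1] = "require of asset id " .. tostring(target)
        return nil -- do not fetch the asset
    end
    return __realRequire(target)
end
local function __env(name)
    return function()
        __findings[#__findings + 1] = name .. " called"
        return {} -- hand back an empty, harmless table
    end
end
local getfenv, setfenv = __env("getfenv"), __env("setfenv")
]]

-- Compile prelude + untrusted source as one chunk and run it under pcall.
-- Returns an array of strings describing what was intercepted.
local function sandboxScan(source)
    local findings = {}
    local chunk, err = compile(PRELUDE .. "\n" .. source, "=sandboxed")
    if not chunk then
        findings[#findings + 1] = "did not compile: " .. tostring(err)
        return findings
    end
    local ok, runErr = pcall(chunk, findings)
    if not ok then
        findings[#findings + 1] = "runtime error: " .. tostring(runErr)
    end
    return findings
end

-- Constructed sample (not a real backdoor): the alias bypass from the thread.
local sample = [[
local o = require
local Joint = 1234
o(Joint)            -- alias bypasses the pattern check, still caught here
print(getfenv(1))   -- caught by the getfenv shim
]]

for _, f in ipairs(sandboxScan(sample)) do
    print(f)
end
```

The limitation is the one the reply already points out: the sandbox only sees what actually executes, so code gated behind RunService:IsStudio() or a time check stays silent unless those are shimmed too, which is why the static pattern scan and the sandbox are best used together.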

Kronos is a competitor to GameGuard Antivirus.
You can get it here (I don’t recommend.)

Hm, I guess you’ll just have to make GameGuard better than Kronos. :stuck_out_tongue: I believe in you! (Tbh GameGuard is probably already better)

2 Likes

I personally don’t use Kronos, so I can’t say for sure that it’s better, but just looking at the features it does look more secure.
The main reason is that it scans your installed models and plugins for possible malicious code, so you know where the viruses are coming from.

I am actually working on that feature currently :wink:
Expect that to be the next update!

3 Likes

Searching through scripts made in the game, aka that look really odd.
Looking for scripts in anything I use aka free model wise.
Detecting ODD behaviour.
Turning off those new settings for places.

I would recommend flagging things like teleports, getfenv, requires, marketplace; these are commonly exploited.

Also, it would be cool for it to show the entire line, i.e. instead of just the name (getfenv) it also shows what’s after.

I use Ctrl Shift F in my game and search for either require or getfenv. If I find one I either delete it or find its source.

tbh finding them yourself is more fun + easier + less prone to false (positives/negatives)

you should also be auditing the code of the plugins/free models you use
if the code is obfuscated then it is trying to hide the fact it is putting a backdoor or virus into your game

1 Like

I won’t personally find a use for this since I rarely use free models for various reasons, but typically the usage of getfenv is enough to flag a script as suspicious at the very least (since no-one would want to disable some of Luau’s optimizations as well).

Since you can’t assume context as well, one effective way you could check for Backdoors would be to utilize information from a megathread such as

since the same “viruses” being passed around isn’t too uncommon, though this shouldn’t be relied upon entirely since there will always be newer ones potentially, of course.

What about further string manipulation?

local s = testScript.Source
-- inline comments can be used to bypass %s-based patterns, so use . to check for any character
local def = s:match("local.-(%w+).-%=.-require")

if def then
    return s:match(def .. ".-%(%s?.-%d+") or "clean"
end
-- no need to match completely
1 Like
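The alias-matching idea from the post above, generalised into a two-pass static check as an added example (not code from the thread; IDENT, collectBindings and reportRequireAliases are my own names). Pass one records which names are bound to require and which are bound to integer literals; pass two flags any call of a require alias whose argument is a literal or one of those names, so the `local o = require` / `local Joint = 1234` / `o(Joint)` case from earlier in the thread is reported without executing anything:

```lua
-- Added example, not from the thread: resolve simple single-line aliases
-- before pattern matching. Limitations: only `local name = value` style
-- bindings on one line are followed, and `--` comments are stripped naively.

local IDENT = "[%a_][%w_]*"

-- Pass 1: names bound to `require` and names bound to integer literals.
local function collectBindings(lines)
    local requireAliases = { require = true }
    local numericNames = {}
    for _, raw in ipairs(lines) do
        local line = raw:gsub("%-%-.*$", "") -- drop trailing comment
        local aliasName = line:match("^%s*local%s+(" .. IDENT .. ")%s*=%s*require%s*;?%s*$")
            or line:match("^%s*(" .. IDENT .. ")%s*=%s*require%s*;?%s*$")
        if aliasName then
            requireAliases[aliasName] = true
        end
        local numName, value = line:match("^%s*local%s+(" .. IDENT .. ")%s*=%s*(%d+)%s*;?%s*$")
        if numName then
            numericNames[numName] = tonumber(value)
        end
    end
    return requireAliases, numericNames
end

-- Pass 2: flag calls of any require alias with a numeric argument, literal
-- or via a name bound to a literal. Returns an array of report strings.
local function reportRequireAliases(source)
    local lines = {}
    for line in (source .. "\n"):gmatch("(.-)\n") do
        lines[#lines + 1] = line
    end
    local requireAliases, numericNames = collectBindings(lines)
    local findings = {}
    for lineNo, line in ipairs(lines) do
        for alias in pairs(requireAliases) do
            -- %f[%w_] stops "o(" from matching inside "foo("
            local arg = line:match("%f[%w_]" .. alias .. "%s*%(%s*([%w_]+)%s*%)")
            if arg and (arg:match("^%d+$") or numericNames[arg]) then
                local id = tonumber(arg) or numericNames[arg]
                findings[#findings + 1] = string.format(
                    "line %d: %s(%s) loads asset id %d -> %s", lineNo, alias, arg, id, line)
            end
        end
    end
    return findings
end

-- Constructed sample (not a real backdoor).
local sample = [[
local o = require
local Joint = 1234
local cfg = require(script.Config)   -- fine: not numeric
o(Joint)                             -- flagged through alias + constant
require(2329183)                     -- flagged directly
]]

for _, f in ipairs(reportRequireAliases(sample)) do
    print(f)
end
```

Anything this misses (aliases built through tables, string concatenation, or multi-line tricks) is exactly what the sandboxing approach discussed earlier is for; the static pass is cheap enough to run on every script while the sandbox is reserved for the ones it cannot classify.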

I search for all of these already! :+1:

All you really need to search is getfenv and require, since they are the only ways a backdoor can load up.