Harden anti-exploit tamper detection against function interception#2105
Open
realmaitreal wants to merge 3 commits into
Author
I'm currently working on more tamper detection.
Author
Added a load-time debug metadata snapshot of Detected and Kill, checked each tamper loop iteration via a pre-setfenv reference to debug.info. Since hookfunction mutates function objects in-place and changes their debug metadata, any hook is caught without calling Detected, defeating bypasses that pass the heartbeat sentinel through to the original.
Changes to MainModule/Client/Core/Anti.luau
Rationale
The existing tamper detection loop relied on calling debug.info(Detected, ...) to verify that Detected had not been modified. This approach can be neutralised by intercepting debug.info at the environment level, causing the tamper loop to stall indefinitely. Additionally, while true do end was used as a response to detected tampering, which Roblox kills via script timeout — rendering enforcement ineffective.
Changes
debug.info as a local (rawDebugInfo) before setfenv alters the environment, preserving a direct reference to the original C function independent of later environment-level changes.
Kill's debug metadata (source, line, name) at module load time for later integrity comparison.
debug.info calls in checkStack, isMethamethodValid, and the xpcall error handlers with rawDebugInfo.
_heartbeatSeq) incremented by the real Detected body when called with action "_". The tamper loop checks this counter to verify Detected is executing its actual implementation, rather than relying solely on debug.info introspection of Detected (which can be intercepted).
Kill by comparing its current debug.info metadata against the snapshot taken at load time.
while true do end enforcement responses with the proper Detected(...) + pcall(Disconnect, ...) + pcall(Kill, ...) + pcall(Kick, Player, ...) chain already used elsewhere in the file.
while true do end is killed by Roblox's script timeout and provides no actual enforcement.
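Added example, not code from this PR or the project: the three checks the description lists (a debug.info reference captured before setfenv, a load-time metadata snapshot, and a heartbeat counter), written in Luau. rawDebugInfo, Detected and the "_" action follow the description; heartbeatSeq, snapshot, checkOnce and the stub environment are assumptions made for illustration, and a second function object stands in for a Detected whose metadata no longer matches.

```luau
-- Taken before setfenv: a local keeps the original function regardless of
-- what the environment's `debug` global resolves to afterwards.
local rawDebugInfo = debug.info

local heartbeatSeq = 0 -- hypothetical stand-in for the PR's _heartbeatSeq

local function Detected(action)
	if action == "_" then
		heartbeatSeq += 1 -- only the real body advances the counter
		return true
	end
	return false -- real detections are handled elsewhere
end

-- Load-time snapshot of the fields the description lists: source, line, name.
local function snapshot(fn)
	local source, line, name = rawDebugInfo(fn, "sln")
	return { source = source, line = line, name = name }
end
local detectedSnap = snapshot(Detected)

-- Constructed stand-in for an altered environment: its `debug.info` answers
-- nothing useful, so any check that looks it up as a global would be blind.
local env = setmetatable({
	debug = { info = function() return nil end },
}, { __index = getfenv(1) })
setfenv(1, env)

-- One tamper-loop iteration: compare metadata without calling the function,
-- then confirm the heartbeat advanced by exactly one.
local function checkOnce(fn)
	local source, line, name = rawDebugInfo(fn, "sln")
	if source ~= detectedSnap.source or line ~= detectedSnap.line
		or name ~= detectedSnap.name then
		return false, "metadata mismatch"
	end
	local before = heartbeatSeq
	fn("_")
	if heartbeatSeq ~= before + 1 then
		return false, "heartbeat did not advance"
	end
	return true, "ok"
end

print(checkOnce(Detected))        -- the function that was snapshotted
print(checkOnce(function() end))  -- a different function object
print(debug.info(Detected, "l"))  -- global lookup now goes through env
```

The metadata comparison runs before the function is called, so a mismatch is reported without executing the function under test.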