BackDoorFinder - a simple addon to find backdoors

BackDoorFinder
An addon for finding backdoors

**I made this addon because I was tired of scripters/coders putting backdoors in their code, as this isn’t a nice thing or respectful thing to do.**

**It’s quite annoying, as well, because the amount of scripters doing such a thing is growing.**

**It’s a WIP, please tell me if there are any bugs, etc.**

**Features**

  • Global Function Checking: Will check if any of these global functions are run; with a user-friendly table it’s easy to add functions.
  • Function Protection: Detoured/Copied functions will not interfere with the Logging System
  • Severity Rating: Functions in the table have a severity rating, which notifies the user how severe the function that was run is. Also user friendly.
  • File Saving: When a function in the table is run, it will save the log to backdoorfinder/file_ran_in

**Big Update is here!**
**Update 2.0**

**— Added —**

  • Global Function Checking (Will check all functions from table if they’re run)
  • Added Function Protection:

http://puu.sh/j2Gq9/97af10cdb1.png

http://puu.sh/j2Ge3/be3acec24a.png

  • Optimized Code (removed needless if statements, etc.)
  • Made file saving look better
  • Fixed Exploit
  • Added more functions to the table
  • Localized more functions to avoid detours
  • Made tables in the main table work for indexed functions (e.g. debug.setfenv, http.Fetch)

**— Removed —**

  • Removed if and end checking as this was inefficient and was prone to mess up
  • Removed Player.Kick and Player.Ban from the table as this would flag anticheats/adminmods

**Config**

Enable - var: set to false to not run the addon (default true)
BackDoorFinder.Advertising - var: set if it should print out the message 'This server is running Tyguy's BackDoorFinder Addon' every few minutes (default false)
BackDoorFinder.AdvertisingDelay - var: set the delay of the print message in seconds (default every 5 minutes) if BackDoorFinder.Advertising is true

**To Do List**

  • Add a function/command to delete the code running the function

If you are running the addon, it is recommended to update - or if you don’t have it, and want it, download below
GitHub: https://github.com/tyguy550/BackDoorFinder

**— Notes —**

  • This addon will show you calls by the functions in the table with information like where they were called - this does not mean it is a backdoor!
    It simply shows you what and where something in the table is called - recommended for scripters.
  • It is recommended to add ‘!!’ before the folder name, as this is supposed to speed up the load time of the addon,
    according to man with hat (GitHub replaces ‘!’ with ‘-’)

Why aren’t you checking for RunString?

I’ll add that either now or in the next update (Do you mean a global check like I do with SteamID or add it to the table?)

Edit: added to table anyway

http://puu.sh/iYQet/e287dbc5fc.png

[lua]
hook.Add("InitPostEntity", "KThxBai", function()
    BackDoorFinder.bad = nil --kthxbypass
end)
[/lua]
I’ll be sure to add this to them malicious workshop addons later :v:

You probably want to prevent unauthorized modification to that table, but good luck.

fixed

You should use more unique filenames.

Fixed the table detour (hopefully)

http://puu.sh/iYSEc/77c5bdf75d.png

pushed to github

Any suggestions

Don’t forget CompileString, CompileFile, pcall, xpcall, RunStringEx, getfenv, setfenv, debug.getregistry, etc. Just adding stuff like kick, ban and RunConsoleCommand is just going to flag admin mods and people who don’t even try with backdoors.

anything that isn’t “sv_init.lua” would be better

Good idea.

edit: added to table

DIHD4dji43dade.lua

You should add Player:IPAddress() too.

very good idea :slight_smile: will add in next update

There’s a current bug I’m trying to fix; for normal scripters it’ll be hard for them to abuse it, but for experienced ones it’s really easy.

Some anti-cheats rely on stuff like that so you should be rather careful when filtering it; since it looks like this has a logging system, it could spam logs.

Currently the backdoorfinder only logs player.SteamID; the table is just used to show if any of the functions are being run after the steamid check (so it shows if it’s a bad if statement)

edit: is there any way to check if a function has been detoured?

If a C function is overwritten with Lua, you can check the debug info and see.

Sorry, sorry, not what I meant. Is there a way to know if a function has been copied? Just a function I can use, etc.

debug.getupvalue

EDIT: Oh, I’m late.

Probably wanna check for http/fetch too, post while you’re at it as well.

Thank you! The question I meant to ask though was how do I check if a function was copied?

Like:

[lua]
a = RunConsoleCommand
[/lua]

Will do!
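
The logging and detour checks discussed in this thread, as an added example that is not code from the thread or from BackDoorFinder: watched globals are swapped for wrappers that log the call site and severity, and an audit uses saved references plus debug info to report any watched global replaced afterwards. The watch list, severity labels, stand-in functions and all helper names are assumptions made for the sketch, which is written in plain Lua so it runs outside Garry's Mod.

```lua
-- Plain Lua sketch; all names are hypothetical, not BackDoorFinder's own.
-- Localized first so later detours of these globals cannot affect the watcher.
local getinfo, rawget, rawset, format = debug.getinfo, rawget, rawset, string.format
-- Constructed watch list: global name -> severity label.
local watched = { RunString = "high", CompileString = "high", setfenv = "medium" }
-- Constructed stand-ins so the example also runs outside Garry's Mod.
RunString = RunString or function(code) return true end
CompileString = CompileString or function(code) return function() end end
setfenv = setfenv or function(f, env) return f end
local originals, wrappers, log = {}, {}, {}

local function record(name, level)
    local info = getinfo(level, "Sl") -- file and line of the code that called the global
    local where = info and format("%s:%d", info.short_src, info.currentline) or "unknown"
    log[#log + 1] = format("[%s] %s called from %s", watched[name], name, where)
end

-- Swap each watched global for a logging wrapper that forwards to the saved original.
local function install()
    for name in pairs(watched) do
        local orig = rawget(_G, name)
        if type(orig) == "function" then
            originals[name] = orig
            wrappers[name] = function(...)
                record(name, 3) -- 1 = record, 2 = this wrapper, 3 = its caller
                return orig(...)
            end
            rawset(_G, name, wrappers[name])
        end
    end
end

-- Report watched globals that no longer point at our wrapper (C/Lua origin from debug info).
local function audit()
    local findings = {}
    for name, wrapper in pairs(wrappers) do
        local current = rawget(_G, name)
        if current ~= wrapper then
            local now = type(current) == "function" and getinfo(current, "S").what or type(current)
            local was = getinfo(originals[name], "S").what
            findings[#findings + 1] = format("%s replaced (original was %s, now %s)", name, was, now)
        end
    end
    return findings
end

install()
RunString("print('hi')")      -- goes through the wrapper and is logged with its call site
setfenv = function() end      -- constructed detour of a watched global
for _, line in ipairs(log) do print(line) end
for _, line in ipairs(audit()) do print(line) end
```

A reference taken before `install()` runs, like the `a = RunConsoleCommand` copy asked about above, still holds the original function, so calls through it are not seen by the wrapper or by `audit()`.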