Is making a hook whitelist system bad?

As i went through some old anti cheat threads, getting ways to improve mine, I noticed something, why do none of them use a hook whitelist system?

Is there something wrong with them?

So far no anti cheat I’ve seen uses one, and it shocks me, since it is such an easy thing to do.

Can you elaborate on what you mean?

Getting all the hooks on a server(hook whitelist), put them in a file, and every so often check if a client has any hooks that aren’t on that list.

Basically checking for any hooks that shouldn’t exist on the client.

local hooks = hook.GetTable()
function hook.GetTable()
return hooks

Often times hooks are created with ‘dynamic’ names like “MyGamemode_PlayerDeath_Entity%entindex%” where %entindex% would be a number that is different per-entity. This isn’t the best example but it does happen in quite a few places. So you would either have to create a wildcard system that can whitelist “MyGamemode_PlayerDeath_Entity.*” or use some other system. But it can always be easily bypassed, so its a lot of work for a faulty system.

You’d have to whitelist the source of the hook function and not the hook names themselves since a lot of things use temp hooks or even temp hooks with an entity or panel identifier.

IMO this is not a fundamentally horrible idea, but the biggest problem I see (besides the easy workaround Kevlon posted) is that the server owner would have to update the whitelist whenever anything is changed in lua. I can’t think of an automated way to do this besides, say, marking some users as ‘safe’ non-hackers and automatically adding any hook found on them. In reality it would more thank likely get a lot of false-positives every time the server adds new client hooks.

Of course, if there’s no autokick/ban without an admin going over the detected potential hacks, then there’s no real risk, similar to a recent thread’s screen capture anticheat. A human must decide, based on the recorded info, that there was a hacker… Then the faulty hook can be added to a blacklist and autokick future cheaters with the same cheat.

Sure, it’s a game of cat and mouse, but then it always is.

I like the idea but I don’t see how possible it would be…

Back in the ‘good old days’ (2010-2012) when people were constantly writing cheats and anticheats - trying to beat each other for fun; it was a thing.

Up until 2009/10, people were using concommand and hook blacklists. This made bypassing anticheats trivial. In 2010, hook whitelists became a thing. Generally how you would do it was to override the hook.Add function, allow whitelisted hooks, deny and log serverside non-whitelisted hooks. This allowed you to log them in the same format as the whitelist, so a human could easily add to whitelists.

Then, people got around that by overriding hook.Call. Who needs to use hook.Add if you have total control over the hook system, right? Anticheat developers then retaliated by deleting hook from _G and forcing the game to use their version.

This started the ‘cat and mouse’ game of who loads first by naming files creatively (enum/!.lua , etc) and moving on to injection via dll in menustate. The natural progression was for anticheat developers to detect code running that shouldn’t be. Mine did this by running a checksum on lua’s memory usage on load and call stack count and uploading it to the server and comparing to other player’s with automatic kicking and manual banning. The only false positive of note, was when Garry joined my (non-beta) server with an unreleased development version of GMod.

And finally, garry enabled VAC on baconbot and sethhack; banned most known cheat developers with his anticheat ‘GAC’ and Seth got arrested for denial of service attacks. FIN. I’m not sure what people are up anticheat/cheat wise since the end of 2011.


Well there’s still HAC, and after 2011 there was QAC - a AC with a shity attempt at a automatic whitelist for lua source validation on few calls. As soon as I heard about it I made my own account on coderhire, made my own ac & bypassed it to show how shity it was a nd got lots of sales. I quit as ch closed due to support being annoying. Then !cake wrote his own ac called CAC for a new script selling site called “scriptfodder” and got lots of $ too. I decided to give making acs a try again, but with a serverside one. However, due to lazyness that project ended up being not really supported much and eventually died out. So yeah, nearly every server is running CAC now. Some still run LeyAC ( even though it’s broken out of box ) or QAC. There are many private acs too, but most of them are just c+pd or underdeveloped.