How can I prevent loadstring from getting hooked like this

Question

Here I have a loadstring but attacker can just hook it and steal it's content like bellow. I want to make a anti hook so that it can be prevented.

-- Save copies of orignal functions
local o_load = _G["load"]
local o_loadstring = _G["loadstring"]
local o_unpack = _G["unpack"]
local o_pairs = _G["pairs"]
local o_writefile = _G["writefile"]
local o_print = _G["print"]
local o_tostring = _G["tostring"]

-- Dynamic function names
local load_name = tostring(_G["load"])
local loadstring_name = tostring(_G["loadstring"])
local tostring_name = tostring(_G["tostring"])

-- For multiple instances of loadstring or load being used
local files_loadstring = 1
local files_load = 1

-- Hide function names
_G["tostring"] = function(...)
    local args = {...}  
    local arg = o_unpack(args)
    
    if arg == _G["tostring"] then
        return tostring_name
    end
    
    if arg == _G["loadstring"] then
        return loadstring_name
    end
    
    if arg == _G["load"] then
        return load_name
    end
    
    local ret = { o_tostring(o_unpack(args)) }
    local value = o_unpack(ret)
    
    return value
end

-- Hook loadstring
_G["loadstring"] = function(...)
    local args = {...}
    o_print("loadstring called")
    
    local str = ""
    for k, v in o_pairs(args) do
        str = str .. o_tostring(v) .. " "
    end

    o_writefile("hook_loadstring"..o_tostring(files_loadstring)..".lua", str)
    o_print("file written to hook_loadstring"..o_tostring(files_loadstring)..".lua")
    files_loadstring = files_loadstring +1
    
    local ret = { o_loadstring(o_unpack(args)) }
    str = ""
    for k, v in o_pairs(ret) do
        str = str .. o_tostring(v) .. " "
    end
    
    return o_unpack(ret)
end

-- Hook load
_G["load"] = function(...)
    local args = {...}
    o_print("load called")
    
    local str = ""
    for k, v in o_pairs(args) do
        str = str .. o_tostring(v) .. " "
    end
    
    o_writefile("hook_load"..o_tostring(files_load)..".lua", str)
    o_print("file written to hook_load"..o_tostring(files_load)..".lua")
    files_load = files_load +1
    
    local ret = { o_load(o_unpack(args)) }
    str = ""
    for k, v in o_pairs(ret) do
        str = str .. o_tostring(v) .. " "
    end
    
    return o_unpack(ret)
end

-- bellow is the loadstring function with a lua and all it's content is getting hooked and writen in a file
loadstring("local a = 1;")()`

I tried using tostring(loadstring) to compare the function name to check if it's real or fake but attacker can just hook tostring as well and give original function name so my anti hook won't work at all. Also I can't do writefile = nil or print = nil so attacker can't print or write the file since he saved a copy of these functions on top of the file so his code will work always. How can I prevent my loadstring from getting hooked like this. Please help.
I just want my content inside loadstring not to be stolen.

You need to sandbox the untrusted code. If you're running the untrusted code in the same environment that your privileged code is running in, then you're hosed. — Colonel Thirty Two, Jan 22 '23 at 02:13
Usually, when someone asks how to prevent hooking loadstring, it's because they want their malware to be able to escape detection by security researchers, and you've provided no evidence to the contrary. — Joseph Sible-Reinstate Monica, Jan 22 '23 at 21:32

score 1 · Answer 1 · answered Jan 21 '23 at 12:09

loadstring being hooked implies that the attacker's code runs before your code and in the same environment. This implies that all functions of the global environment may be hooked - from loadstring over tostring and including the debug library. Thus, the only thing you may rely on (and even that is uncertain, depending on which software is interpreting your Lua) are "hard-wired" (e.g. syntactical) Lua language features. You can take a look at the complete syntax of Lua. Notice that all these are basic constructs that won't help you at all; everything advanced in Lua uses function calls and the global environment, which may be hooked.

Whatever loads these scripts would need to be patched to either (1) load everything in a separate, clean environment (2) protect the global environment or at least a few selected functions, but even then the "loader" could be tampered with to remove these "protections".

In conclusion, you can't reliably prevent or detect loadstring being hooked. If you are providing someone with code for them to run, that code inevitably has to run at some point, and at that point they will be able to "steal" it. The "best" you can do is obfuscate your code so that there is little benefit from stealing it.

Bottom line: As long as your software runs "on-premise" (on their machines) rather than "as a service" (on your machines), they will always be able to steal and analyze your code; all you can do is make it harder e.g. through obfuscation or checks (which may be circumvented however).

It can be prevented people have made it but it's not public since they selling protection like that. — Alvee, Jan 22 '23 at 11:58
I have explained why it can *not be prevented*. Just because people are selling something doesn't mean it works. As said, you can of course always implement elaborate checks, but all of them can ultimately be circumvented. — Luatic, Jan 22 '23 at 12:10
It does work I can't hook their load string and they are using loadstring 100% since there is no other way to get a lua from the cloud using HTTP and run it without loadstring . — Alvee, Jan 26 '23 at 11:48

How can I prevent loadstring from getting hooked like this

1 Answers1