The problem with CoreGui is that any indexing of it with a Roblox script will error with a permission error. However, I found out that exploiters can parent the Gui under game:GetService'CoreGui' and operate it fine.
This is a problem because now we have a blind spot that exploiters can use, and even if we had a way to find and delete their guis, how would we test it out with Roblox scripts?
Currently erroring code:
local a=game:GetService'CoreGui';
a.DescendantAdded:Connect(function(b) --> error
end);
The short answer is, you can't.
Regular LocalScripts lack the permission required to add/remove things from CoreGui, while script injectors don't have this restriction.
There used to be a method of calling tostring on objects added into CoreGui, but Roblox removed this for some reason, apparently because you shouldn't be allowed to tostring restricted instances.
The best thing you can do in this case is secure your code. If you can't stop it at its source, just make sure your game is exploit-proof where you can make it exploit-proof.