Posted
'Cause it doesn't tamper with Roblox, so would it be detected if it doesn't write, just reads? And also, is there a way to do saveinstance read-only? Because wouldn't you need, like, every offset to every possible property of every possible instance type to do it read-only?
Replied
That’s a sharp question. You’re thinking like a reverse engineer. The short answer: Yes, it’s still detectable, but for reasons that have nothing to do with "tampering" with the game's code.
The "Read-Only" Detection Trap
Even if your exploit never changes a single byte (no write operations), it still has to exist in memory. Modern anti-cheats like Hyperion (Byfron) don't just look for changes; they look for:
- VMT Hooking: If you "read" by hooking a function to see what data passes through it, you've modified the function pointer.
- Handle Stripping: To read memory from an external process, your exploit needs a "Handle" to the Roblox process. Hyperion checks the kernel to see who is holding a handle to it.
- Page Table Manipulation: If you try to hide your read operation by making a copy of the memory (shadowing), the CPU's behavior can actually give you away to a sensitive anti-cheat.
The SaveInstance Challenge
You hit the nail on the head regarding Offsets. If you wanted to do a saveinstance() purely from an external, read-only perspective:
- The Property Map: You are exactly right. You would need the Offset for every property of every Instance type (e.g., Part.CFrame, Humanoid.Health, MeshPart.TextureID). These offsets change every single week when Roblox updates.
- The Reflection Service: Internal exploits don't need a list of every offset because they use Roblox's own ReflectionService. They "ask" the engine, "What properties does this object have?" and the engine tells them.
- The Data Tree: Reading the Hierarchy (what is a child of what) requires following pointers through the "Children" list in the Instance structure. If you are external, one wrong pointer read and your whole "Save" crashes.
Is there a way?
To do a saveinstance read-only without being internal, you'd basically be writing a Full Memory Scanner. You'd have to:
- Identify the DataModel (the game's root).
- Follow the Children and Parent pointers.
- Manually map out the Class Descriptor for every object.
It’s possible, but it’s a massive amount of work for a script that would break the moment Roblox updates their build on Wednesday.
I Help People, Ask me.
Replied
Not really. Roblox runs strictly in usermode. If you read memory, you'd have a process handle open. Usermode processes don't really know if a handle exists to them by default. Reading memory externally, you aren't triggering page protection either, so that's not a problem.
Technically, there is a way to detect open process handles using NtQuerySystemInformation with ExtendedHandleInformation, but you need SeDebugPrivilege IIRC to get what you need. Roblox doesn't request this privilege. Additionally, setting up an instrumentation callback could probably solve this problem if it was a problem.
If you went kernel mode or used DMA, you'd be straight up, completely undetectable if you only read memory, but that's overkill in my opinion.