Home
ifBars edited this page Feb 5, 2026
Welcome to the MLVScan.Core wiki! This is the comprehensive documentation for the cross-platform scanning engine that powers the MLVScan ecosystem.
- Home
- Getting Started
- Detection Rules
- Call Graph Analysis
- Data Flow Analysis
- API Reference
- Contributing
MLVScan.Core is a platform-agnostic NuGet package that provides deep IL (Intermediate Language) analysis and malware detection capabilities for Unity mod assemblies. It's the shared scanning engine used across:
- MLVScan - MelonLoader, BepInEx 5.x, and BepInEx 6.x (Mono & Il2Cpp) plugin
- MLVScanWeb - Blazor WebAssembly web application
- Platform Agnostic: Works with any .NET platform
- 17+ Detection Rules: Identifies various malicious patterns
- Call Graph Analysis: Consolidates findings with full attack path visibility
- Data Flow Analysis: Tracks data movement to detect multi-step attacks
  - Single-method and cross-method data flow tracking
  - 7 recognized attack patterns (download-and-execute, data exfiltration, etc.)
  - Parameter passing and return value tracking
- Multi-Signal Detection: Reduces false positives through contextual analysis
- Stream-Based Scanning: Scan from files or memory streams
- Extensible Rule System: Easy to add custom detection rules
- Zero Dependencies on Game Frameworks: Pure IL analysis with Mono.Cecil
```csharp
// Build the default rule set, then scan a mod assembly from disk.
var rules = RuleFactory.CreateDefaultRules();
var scanner = new AssemblyScanner(rules);
var findings = scanner.Scan("path/to/mod.dll");
```

Call Graph Analysis Example:

```
Detected high-risk DllImport of shell32.dll with suspicious function ShellExecuteEx -
Hidden in Southwards.ShellExecuteEx, invoked from: OnInitializeMelon
Call chain:
[ENTRY] NoMoreTrash.NoMoreTrashMod.OnInitializeMelon:150: Entry point calls ShellExecuteEx
-> [DECL] Southwards.ShellExecuteEx: P/Invoke declaration imports ShellExecuteEx from shell32.dll
```
See Call Graph Analysis for detailed documentation.
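
The idea behind the call chain above, pairing a P/Invoke declaration with the methods that call it, can be reproduced directly with Mono.Cecil. The following is an added example, not MLVScan.Core's own code: the class name `PInvokeCallChains`, the `WatchedModule` constant and the output format are assumptions, and it reports direct call sites only.

```csharp
// Added example: not MLVScan.Core source. Requires the Mono.Cecil NuGet package.
using System;
using System.Collections.Generic;
using System.Linq;
using Mono.Cecil;
using Mono.Cecil.Cil;

static class PInvokeCallChains
{
    // Assumption for this sketch: one watched native module.
    const string WatchedModule = "shell32";

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: <assembly.dll>"); return 2; }
        using var asm = AssemblyDefinition.ReadAssembly(args[0]);
        // GetTypes() also yields nested types, where declarations are often tucked away.
        var methods = asm.Modules.SelectMany(m => m.GetTypes())
                                 .SelectMany(t => t.Methods).ToList();

        // Pass 1: collect P/Invoke declarations that import from the watched module.
        var decls = new Dictionary<string, MethodDefinition>();
        foreach (var m in methods)
        {
            if (!m.IsPInvokeImpl || m.PInvokeInfo == null) continue;
            var module = m.PInvokeInfo.Module.Name;
            if (module.EndsWith(".dll", StringComparison.OrdinalIgnoreCase))
                module = module[..^4];
            if (module.Equals(WatchedModule, StringComparison.OrdinalIgnoreCase))
                decls[m.FullName] = m;
        }

        // Pass 2: find call instructions whose operand is one of those declarations.
        foreach (var caller in methods.Where(m => m.HasBody))
            foreach (var ins in caller.Body.Instructions)
            {
                if (ins.OpCode.FlowControl != FlowControl.Call) continue;
                if (ins.Operand is not MethodReference target) continue;
                if (!decls.TryGetValue(target.FullName, out var decl)) continue;
                Console.WriteLine($"[CALL] {caller.DeclaringType.FullName}.{caller.Name} " +
                                  $"(IL_{ins.Offset:x4}) calls {decl.Name}");
                Console.WriteLine($"  -> [DECL] {decl.DeclaringType.FullName}.{decl.Name}: " +
                                  $"imports {decl.PInvokeInfo.EntryPoint} from {decl.PInvokeInfo.Module.Name}");
            }
        return 0;
    }
}
```

Because the match is on the declaration's module name rather than the managed method name, a renamed wrapper around the same import is still reported. Calls made through delegates or reflection are not covered by this two-pass walk.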
Data Flow Analysis Example:
```
[CRITICAL] Suspicious data flow: Downloads data from network, processes it, and executes as a program
Data Flow Chain (Confidence: 90%):
[SOURCE] WebClient.DownloadData → byte[]/string (network data)
→ [TRANSFORM] Convert.FromBase64String → byte[] (decoded)
→ [SINK] File.WriteAllBytes → Writes to file
→ [SINK] Process.Start → Executes process
```
See Data Flow Analysis for detailed documentation.
```mermaid
classDiagram
    class AssemblyScanner {
        +Scan(file)
        +Scan(stream)
    }
    class IScanRule {
        <<interface>>
        +IsSuspicious(Method)
        +Severity
        +Description
    }
    class SignalTracker {
        +AddSignal()
        +GetRiskScore()
    }
    class CallGraphBuilder {
        +RegisterSuspiciousDeclaration()
        +RegisterCallSite()
        +BuildCallChainFindings()
    }
    class MonoCecil {
        <<External Lib>>
    }
    AssemblyScanner --> IScanRule : Uses 17+ Rules
    AssemblyScanner --> SignalTracker : Tracks Context
    AssemblyScanner --> CallGraphBuilder : Builds Call Chains
    AssemblyScanner ..> MonoCecil : Reads IL
    class Shell32Rule
    class ProcessStartRule
    class Base64Rule
    IScanRule <|-- Shell32Rule
    IScanRule <|-- ProcessStartRule
    IScanRule <|-- Base64Rule
```
| Rule | Severity | Description |
|---|---|---|
| Shell32Rule | Critical | Windows shell execution |
| LoadFromStreamRule | Critical | Dynamic assembly loading |
| DataExfiltrationRule | Critical | Network data exfiltration |
| PersistenceRule | Critical | Auto-run mechanisms |
| COMReflectionAttackRule | Critical | COM-based attacks |
| ...and more | | See Detection Rules |
- Package Name: MLVScan.Core
- Repository: github.com/ifBars/MLVScan.Core
- NuGet: nuget.org/packages/MLVScan.Core
GPL-3.0-or-later