MLVScan.Core 1.0.0

.NET Standard 2.1 This package targets .NET Standard 2.1. The package is compatible with this framework or higher.
There is a newer version of this package available.
See the version list below for details. 
dotnet add package MLVScan.Core --version 1.0.0
                    


                    

                
NuGet\Install-Package MLVScan.Core -Version 1.0.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="MLVScan.Core" Version="1.0.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="MLVScan.Core" Version="1.0.0" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="MLVScan.Core" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add MLVScan.Core --version 1.0.0
                    


                    

                
#r "nuget: MLVScan.Core, 1.0.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package MLVScan.Core@1.0.0
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=MLVScan.Core&version=1.0.0
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=MLVScan.Core&version=1.0.0
                    


                            Install as a Cake Tool

MLVScan.Core

Core scanning engine for MLVScan - a security-focused scanner that detects malicious patterns in Unity mod assemblies.

Overview

MLVScan.Core is a platform-agnostic library that provides the core IL analysis and malware detection capabilities used by:

  • MLVScan - MelonLoader plugin for scanning mods at runtime
  • MLVScanWeb - Blazor WebAssembly web application for online scanning
  • Future BepInEx support - Coming soon

Installation

dotnet add package MLVScan.Core

Quick Start

Basic Usage

using MLVScan;
using MLVScan.Models;
using MLVScan.Services;

// Create scanner with default rules
var rules = RuleFactory.CreateDefaultRules();
var scanner = new AssemblyScanner(rules);

// Scan a file
var findings = scanner.Scan("path/to/mod.dll");

foreach (var finding in findings)
{
    Console.WriteLine($"[{finding.Severity}] {finding.Description}");
    Console.WriteLine($"  Location: {finding.Location}");
    if (!string.IsNullOrEmpty(finding.CodeSnippet))
        Console.WriteLine($"  Code: {finding.CodeSnippet}");
}

Stream-Based Scanning (Web/Memory)

// Scan from a stream (e.g., uploaded file)
using var stream = File.OpenRead("mod.dll");
var findings = scanner.Scan(stream, "mod.dll");

Custom Configuration

var config = new ScanConfig
{
    EnableMultiSignalDetection = true,
    DetectAssemblyMetadata = true
};

var scanner = new AssemblyScanner(rules, config);

Platform-Specific Assembly Resolution

For MelonLoader or BepInEx environments that need to resolve game assemblies:

// Implement IAssemblyResolverProvider
public class MyGameResolverProvider : IAssemblyResolverProvider
{
    public IAssemblyResolver CreateResolver()
    {
        var resolver = new DefaultAssemblyResolver();
        resolver.AddSearchDirectory("path/to/game/Managed");
        return resolver;
    }
}

// Use with scanner
var scanner = new AssemblyScanner(rules, config, new MyGameResolverProvider());

Architecture

MLVScan.Core/
├── Abstractions/
│   ├── IScanLogger.cs          # Logging abstraction
│   ├── NullScanLogger.cs       # No-op logger
│   ├── ConsoleScanLogger.cs    # Console output logger
│   └── IAssemblyResolverProvider.cs  # Assembly resolution abstraction
├── Models/
│   ├── ScanConfig.cs           # Configuration options
│   ├── ScanFinding.cs          # Detection result
│   ├── MethodSignals.cs        # Pattern tracking
│   └── Rules/                  # All IScanRule implementations
├── Services/
│   ├── AssemblyScanner.cs      # Main entry point
│   ├── TypeScanner.cs          # Type-level scanning
│   ├── MethodScanner.cs        # Method-level scanning
│   ├── InstructionAnalyzer.cs  # IL instruction analysis
│   ├── ReflectionDetector.cs   # Reflection-based attack detection
│   ├── SignalTracker.cs        # Multi-signal pattern tracking
│   └── Helpers/                # Utility classes
└── RuleFactory.cs              # Centralized rule creation

Available Detection Rules

Rule Description Severity
ProcessStartRule Detects Process.Start calls High
Shell32Rule Detects Windows shell execution Critical
Base64Rule Detects Base64 decoding operations Medium
DllImportRule Detects native DLL imports Medium/High
ReflectionRule Detects reflection-based invocation High
RegistryRule Detects registry manipulation High
LoadFromStreamRule Detects dynamic assembly loading Critical
EncodedStringLiteralRule Detects numeric-encoded strings High
DataExfiltrationRule Detects data sending to external endpoints Critical
PersistenceRule Detects persistence mechanisms Critical
COMReflectionAttackRule Detects COM-based shell execution Critical
And more... 17 rules total -

Multi-Signal Detection

The scanner uses a multi-signal detection system to reduce false positives. Benign operations (like base64 decoding) are only flagged when combined with other suspicious patterns in the same method or type.

License

GPL-3.0-or-later

Contributing

Contributions are welcome! Please see the main MLVScan repository for contribution guidelines.

Product Compatible and additional computed target framework versions.
.NET net5.0 was computed.  net5.0-windows was computed.  net6.0 was computed.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 was computed.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 was computed.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 was computed.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
.NET Core netcoreapp3.0 was computed.  netcoreapp3.1 was computed. 
.NET Standard netstandard2.1 is compatible. 
MonoAndroid monoandroid was computed. 
MonoMac monomac was computed. 
MonoTouch monotouch was computed. 
Tizen tizen60 was computed. 
Xamarin.iOS xamarinios was computed. 
Xamarin.Mac xamarinmac was computed. 
Xamarin.TVOS xamarintvos was computed. 
Xamarin.WatchOS xamarinwatchos was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
1.1.7 50 2/16/2026
1.1.6 60 2/13/2026
1.1.5 96 2/1/2026
1.1.4 103 1/24/2026
1.1.3 95 1/22/2026
1.1.2 90 1/13/2026
1.1.1 101 1/4/2026
1.1.0 95 1/4/2026
1.0.0 117 12/13/2025