MLVScan.Core is a cross-platform malware detection engine for .NET assemblies, powered by IL analysis (Mono.Cecil). It serves as the scanning backbone for MLVScan (MelonLoader, BepInEx 5.x, and BepInEx 6.x Mono/Il2Cpp) and MLVScan.Web (Blazor).
Most modders download mods from trusted sites like Thunderstore or NexusMods, where files are typically already scanned by VirusTotal. This catches most plain viruses—but sophisticated threats often slip through.
MLVScan acts as your second line of defense. It specifically targets:
- Virus Loaders: Malicious DLLs designed to download additional payloads
- Obfuscation Techniques: Code that hides its true purpose from standard AV
- Stealthy Payloads: Threats that don't match known signatures
Think of it as the checkpoint after VirusTotal—catching what traditional scanners miss.
dotnet add package MLVScan.Coreusing MLVScan.Services;
var rules = RuleFactory.CreateDefaultRules();
var scanner = new AssemblyScanner(rules);
var assemblyPath = "path/to/suspicious.dll";
var assemblyBytes = File.ReadAllBytes(assemblyPath);
var findings = scanner.Scan(assemblyPath).ToList();
var result = ScanResultMapper.ToDto(
findings,
Path.GetFileName(assemblyPath),
assemblyBytes);
Console.WriteLine($"{result.Disposition?.Classification}: {result.Disposition?.Headline}");
if (result.ThreatFamilies?.Count > 0)
{
foreach (var family in result.ThreatFamilies)
{
Console.WriteLine($"Matched family: {family.DisplayName} ({family.FamilyId})");
}
}
foreach (var finding in result.Findings)
{
Console.WriteLine($"[{finding.Severity}] {finding.RuleId}: {finding.Description}");
}The scanner emits rule findings as the foundational evidence, but the primary verdict comes from the threat-intel layer: matched threatFamilies and the final disposition built on top of those findings.
Complete documentation is available in the MLVScan.Core Wiki
- Platform Agnostic: Works on Windows, Linux, Web (WASM).
- Multi-Signal Detection: Context-aware analysis reduces false positives.
- Stream Support: Scan files from memory without writing to disk.
- Deep Behavior Analysis: Correlates practical decode/load/execute behavior chains in compiled code.
Licensed under GPL-3.0