Detection Rules
Haze4269 edited this page Dec 28, 2025 · 1 revision
MLVScan.Core includes 17+ specialized detection rules designed to identify malicious patterns in .NET assemblies.
These patterns are highly indicative of malicious intent and should almost never be whitelisted without expert verification.

| Rule | Description |
|---|---|
| Shell32Rule | Detects usage of shell32.dll to execute system commands. |
| LoadFromStreamRule | Detects loading assemblies from memory streams (often used to hide malicious payloads). |
| DataExfiltrationRule | Detects code attempting to send data to external servers (webhooks, FTP, sockets). |
| PersistenceRule | Detects attempts to add the mod to system startup or registry run keys. |
| COMReflectionAttackRule | Detects COM object instantiation via reflection (often used for advanced evasive attacks). |
| DataInfiltrationRule | Detects code designed to download and execute payloads from the internet. |

These patterns are dangerous but can occasionally be used by legitimate debugging or advanced modding tools.

| Rule | Description |
|---|---|
| ProcessStartRule | Detects Process.Start calls. While valid for launchers, it's often used to run malware. |
| ReflectionRule | Detects heavy use of Reflection to hide method calls or access private members. |
| RegistryRule | Detects attempts to read/write the Windows Registry. |
| EncodedStringLiteralRule | Detects strings hidden via numeric encoding arrays (stack strings). |
| DllImportRule | Detects P/Invoke calls to native libraries (User32, Kernel32, etc.). |
| EncodedBlobSplittingRule | Detects large data blobs split into chunks to avoid signature detection. |
| EncodedStringPipelineRule | Detects complex string construction pipelines used for obfuscation. |

These patterns are suspicious but often found in legitimate mods (e.g., for asset loading).

| Rule | Description |
|---|---|
| Base64Rule | Detects Base64 encoding/decoding. Common in asset loaders but also used to hide strings. |
| HexStringRule | Detects large hex strings. |
| ByteArrayManipulationRule | Detects manual byte array manipulation, often used for decryption routines. |

Minor indicators that contribute to the overall risk score.

| Rule | Description |
|---|---|
| EnvironmentPathRule | Detects access to environment variables (e.g., %APPDATA%, %TEMP%). |

MLVScan uses a Contextual Scoring System. A single "Medium" flag (like Base64) won't typically disable a mod. However, if Base64 is used in the same method as Process.Start, the risk score escalates significantly.
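The contextual escalation described above, as an added illustration that is not MLVScan's own scoring code: the rule names and their grouping come from the tables on this page, while the tier labels, tier weights, co-occurrence bonus and disable threshold are assumptions chosen so that the Base64 + Process.Start case behaves as the text describes.

```python
"""Toy contextual scorer over per-method rule hits (illustration only)."""
from collections import defaultdict

# Tier per rule, following the four tables above. The tier names are
# assumed labels; the page groups the rules but does not name the tiers.
RULE_TIER = {
    "Shell32Rule": "critical", "LoadFromStreamRule": "critical",
    "DataExfiltrationRule": "critical", "PersistenceRule": "critical",
    "COMReflectionAttackRule": "critical", "DataInfiltrationRule": "critical",
    "ProcessStartRule": "high", "ReflectionRule": "high", "RegistryRule": "high",
    "EncodedStringLiteralRule": "high", "DllImportRule": "high",
    "EncodedBlobSplittingRule": "high", "EncodedStringPipelineRule": "high",
    "Base64Rule": "medium", "HexStringRule": "medium",
    "ByteArrayManipulationRule": "medium",
    "EnvironmentPathRule": "low",
}
TIER_WEIGHT = {"critical": 100, "high": 40, "medium": 10, "low": 3}  # assumed
CO_OCCURRENCE_BONUS = 30  # assumed: added per extra distinct rule in one method
DISABLE_THRESHOLD = 60    # assumed


def score(findings):
    """findings: iterable of (method_name, rule_name) pairs.

    Returns (total_score, {method_name: method_score}). Hits are grouped by
    method first, so several rules firing inside the same method score more
    than the same rules spread across unrelated methods.
    """
    by_method = defaultdict(set)
    for method, rule in findings:
        by_method[method].add(rule)
    per_method = {}
    for method, rules in by_method.items():
        base = sum(TIER_WEIGHT[RULE_TIER[rule]] for rule in rules)
        bonus = CO_OCCURRENCE_BONUS * (len(rules) - 1)  # contextual escalation
        per_method[method] = base + bonus
    return sum(per_method.values()), per_method


def should_disable(findings):
    """True when the contextual total reaches the (assumed) disable threshold."""
    return score(findings)[0] >= DISABLE_THRESHOLD


# Constructed sample findings for three hypothetical mods.
SINGLE_FLAG = [("AssetLoader.Load", "Base64Rule")]
SEPARATE_METHODS = [("Util.Decode", "Base64Rule"), ("Launcher.Run", "ProcessStartRule")]
SAME_METHOD = [("Init.Run", "Base64Rule"), ("Init.Run", "ProcessStartRule")]
```

Running `score` on the three sample sets shows the same two rules scoring 50 when they sit in different methods but 80 when they share a method, which is the escalation the paragraph describes.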