Tool Unity Unity Malware Scanner

[Uncle Eugene]

Unity Malware Scanner​

Spoiler: Why?

You don't have permission to view the spoiler content. Log in or register now.

Requirements:

• Only for Windows
• Only for Unity.Mono (Unity game has "Managed" folder inside %Game%_Data folder)
• Requires internet connection (To download reference assemblies)

How to Use:

• Place AntiMalware.exe in game directory and run it, console window will be opened with all the info

How it Works:

1. Downloads reference assemblies from BepInEx endpoint (this part requires internet)
2. Checks if any of the official Unity assemblies have any extra instructions that seems malicious
3. Checks all the assemblies that are not part of Unity Engine to see if there are any instructions that seems malicious

Spoiler: Testing Results

You don't have permission to view the spoiler content. Log in or register now.

Safety Proof: I did not obfuscate the program, so you can open the source code and check it, also I'm kind of a trusted source on F95 already, but I wouldn't rely on this much, what if I get hacked?

Notes:
Scanner has a lot of false positives! I'm working on improving it, but adding more and more exceptions is just adding more loopholes for malware to get through, so better safe than sorry.
Don't rely on this scanner too much, it is not perfect, but definitely a tool to use for extra safety. If it says there is malware you probably shouldn't run the game and send the files here to manually verify if it's safe

Now the scanner fits in F95 attachments and it will be marked as a virus because it obviously uses "suspicious" functions to look deep inside a game, I can't fix that (or can, but don't want to)

 

[V1ncvega]

Spoiler: Console output

You don't have permission to view the spoiler content. Log in or register now.

Hi! I grabbed Third Crisis for testing - tried the Win and Win (GoG) versions from the thread, and also downloaded and installed the game separately using the official GOG installer. Checked all three - same result.
What do you think? How can I, as a regular user, tell if it’s a false positive or an actual detection?

 

[Uncle Eugene]

What do you think? How can I, as a regular user, tell if it’s a false positive or an actual detection?

I remember this game. You're raising a good question. Thanks for tests!
Probably it's up to me to develop better false positive detection looking at more legitimate usage cases.
When I first thought about the methods to detect suspicious functions in porn games I didn't think that so many games use System.Diagnostics.Process for some reason...
Didn't think about any real use cases to be honest

Would be nice to see more testing feedback, but for now I assume some devs like to use it to open windows explorer to show save file location.
Should be possible to make exception for that case

 

[Uncle Eugene]

Updated the scanner, it is now not that strict

-Improved false positive detection for some cases such as in Monster Girl Hunt and Third Crisis
-Disabled patcher since it didn't work properly
-Added final result message with verdict and description
-Added even more vulnerabilities to bypass detection, but also improved malicious code detection to stay balanced

Third Crisis still raises alert because of it's modding feature. If you know at least something about code you may figure out that it is false positive by yourself by looking at console output now

 

[Griinch]

Under Control still has malware according to your tool. But the exe is showing completely clean on Virus Total

 

[Uncle Eugene]

Under Control still has malware according to your tool. But the exe is showing completely clean on Virus Total

I've made a note in test results table, it has an obfuscator that uses exactly the same functions malware does. So it's impossible to verify if it's legit or malicious. You can decompile the game's code via DnSpy/ILSpy and look for yourself.
However I'm pretty sure the game does not contain viruses
You can also drop the obfuscated file in virus total, I think it will trigger a few AVs

File in question is Assembly-CSharp.dll

The idea behind scanner was to check as much as I can and look for any suspicious code in the game.
My logic was that there are functions, methods and DLLs, including low-level ones, that no porn game developer should ever touch to make such game.
Turned out devs do like to use some of them for various reasons from time to time:

Under Control: for hard obfuscation
Third Crisis: for modding tool (allowing people to load their own DLLs)
Lots of games: to open save file location in the explorer

I've made a check to test if game uses dangerous function to just open explorer.
So now it's only games with very suspicious code that needs attention and manual check are triggering false positive.
And if scanner says game is clean then there's very high chance it's clean since I leaned towards more false positives and less false negatives because I'm sure it's better to stay safe than ignore red flags

Even more info: scanner does not check the .exe file in any way, it scans the DLLs of the game with actual code that will be executed, virustotal won't see that while scanning .exe

 

[Uncle Eugene]

Updated the scanner

-Fixed an error that made malicious function calls considered non-malicious in some special cases
-Made scanner notify user when developer is likely to use risky functions legitimately instead of saying that the game is clean to prevent malware calling such functions unnoticed
-Heavily compressed the executable, now it fits in F95 attachments

 

[colobancuz]

I tested your scanner, most of my games turned out to be clean, but two flagged:
Nemurimouto v0.09 - as expected, I managed to download it before the virus warning appeared in the thread. If you want, I can send you the archive. For obvious reasons, I did not run the game.
School, Love & Friends v2.14 - I didn't expect this one. There are no warnings in the thread, and when I launched it in the sandbox, I didn't notice any suspicious activity.

Anyway, great scanner, keep up the good work!