0xnobody / vmpdump

A dynamic VMP dumper and import fixer, powered by VTIL.
GNU General Public License v3.0

What would cause ** Failed to open process? #14

Open lyhyl opened 3 years ago

lyhyl commented 3 years ago

I have tried to run as admin but still cannot open the process.

PS D:\Project\HWPCMgrInstaller\RE\patch dll> Get-Process "PCManager"

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    581      75    37064      80548       2.17  15732   1 PCManager

PS D:\Project\HWPCMgrInstaller\RE\patch dll> .\VMPDump.exe 15732 version.dll
** Failed to open process 0x3d74

SVz commented 3 years ago

Doesn't work with PowerShell, try with 'cmd'.

lyhyl commented 3 years ago

> Doesn't work with PowerShell, try with 'cmd'.

It's the same (as admin)

D:\Sandbox>tasklist | findstr PCManager
PCManager.exe                 9832 Console                    1     86,220 K

D:\Sandbox>VMPDump.exe 9832 version.dll
** Failed to open process 0x2668

0x410c commented 3 years ago

To open any process with all_access, you need SeDebugPrivilege set in your process token, I don't think you did that!

Can you fix it please? And provide a release build.

lyhyl commented 3 years ago

> To open any process with all_access, you need SeDebugPrivilege set in your process token, I don't think you did that!
>
> Can you fix it please? And provide a release build.

PS C:\WINDOWS\system32> whoami /priv | findstr "SeDebug"
SeDebugPrivilege                          Debug programs                                                     Enabled
PS C:\WINDOWS\system32> tasklist | findstr PCManager
PCManager.exe                25436 Console                    1     87,232 K
PS C:\WINDOWS\system32> D:\Sandbox\VMPDump.exe 25436 version.dll
** Failed to open process 0x635c

Did I do it right?

mrsshr commented 3 years ago

It may be protected by a kernel driver or Protected Process Light.

0x410c commented 3 years ago

I don't know if SeDebugPrivileges are inherited by the child process.

0x410c commented 3 years ago

I can confirm that even after adding SeDebugPrivilege to the process (I edited the code and compiled), OpenProcess fails. It can be a protection feature of certain VMProtect versions?

1ucay commented 3 years ago

EDIT: OK, it works only if VMPDump.exe is located in C:

I have the same issue.

bowendeng commented 2 years ago

I had the same issue, and it turns out that the module name is case-sensitive. Changing it to the exact literal helped.

zyteresa commented 2 years ago

There are some problems with the latest V1.2, just use V1.1.

modz2014 commented 1 year ago

I get the same error when my PID is 8800

VMPDump 2260 "" ep-0x1fb20 -disable-reloc
** Failed to open process 0x8d4
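
A diagnostic for the failure discussed in this thread, as an added example that is not VMPDump code and not part of any comment above: the "Failed to open process" message carries no Win32 error code, so this PowerShell script calls OpenProcess with three access masks and reports the error for each. The type name `OpenProbe`, the parameter `TargetPid` and the choice of masks are assumptions made for the example.

```powershell
# Added diagnostic, not VMPDump code. Run elevated, e.g.:
#   .\Test-OpenProcess.ps1 -TargetPid 15732
param([Parameter(Mandatory)][uint32]$TargetPid)

# The error is read inside C# so nothing runs between OpenProcess and GetLastWin32Error.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class OpenProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);
    // Returns 0 on success, otherwise the Win32 error set by OpenProcess.
    public static int Probe(uint pid, uint access) {
        IntPtr h = OpenProcess(access, false, pid);
        if (h == IntPtr.Zero) return Marshal.GetLastWin32Error();
        CloseHandle(h);
        return 0;
    }
}
'@

# Access masks from winnt.h, broadest first.
$masks = [ordered]@{
    'PROCESS_ALL_ACCESS'                        = 0x1FFFFF
    'PROCESS_VM_READ|PROCESS_QUERY_INFORMATION' = 0x0410
    'PROCESS_QUERY_LIMITED_INFORMATION'         = 0x1000
}

# VMPDump prints the PID in hex, so show both forms for comparison.
'PID {0} (0x{0:x})' -f $TargetPid

$results = foreach ($name in $masks.Keys) {
    $err = [OpenProbe]::Probe($TargetPid, [uint32]$masks[$name])
    [pscustomobject]@{
        Access     = $name
        Opened     = ($err -eq 0)
        Win32Error = $err
        Message    = if ($err) { [ComponentModel.Win32Exception]::new($err).Message } else { '' }
    }
}
$results | Format-Table -AutoSize

# Reading the result:
#   87 (ERROR_INVALID_PARAMETER) on every row: no process with that PID exists.
#   5  (ERROR_ACCESS_DENIED) on the broad masks while the limited query mask
#      opens, in an elevated session with SeDebugPrivilege enabled: consistent
#      with the protected-process / kernel-driver suggestion in the thread.
```

If all three masks open from the same elevated session, the handle request itself is not the obstacle and the other causes reported in the thread (module name case, tool version, executable location) are the next things to check.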