hackf5 / unityspy

An open source MIT licensed rewrite of the now closed source HearthMirror (that's about 100 times faster than HearthMirror)
MIT License

Access denied when trying to open Hearthstone process #11

Open sebastientromp opened 4 years ago

sebastientromp commented 4 years ago

Hey,

I have a user who reported an "Access denied" issue with the following stack trace:

Access is denied
at System.Diagnostics.ProcessManager.OpenProcess(Int32 processId, Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.OpenProcessHandle(Int32 access)
at System.Diagnostics.Process.get_Handle()
at HackF5.UnitySpy.Util.Native.GetProcessModulePointers(ProcessFacade process)
at HackF5.UnitySpy.AssemblyImageFactory.GetMonoModule(ProcessFacade process)
at HackF5.UnitySpy.AssemblyImageFactory.Create(Int32 processId, String assemblyName)

Running the app in Admin mode solves the issue.

However it's difficult to ask users to run the app as admin. Are you familiar with this? Are you aware of a way to ask for less permissions, so that it might work in more restrictive environments?

Looking at the trace I'm not sure exactly what part is causing the issue. It looks like Native.EnumProcessModulesEx is the only thing that does some actual access here, so it's probably it?
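As an added illustration of the "ask for less permissions" idea (this is example code written for this thread, not UnitySpy's own implementation): .NET's `Process.Handle`, which is where the stack trace above ends, opens the target with `PROCESS_ALL_ACCESS`. `EnumProcessModulesEx` is documented to need only `PROCESS_QUERY_INFORMATION` and `PROCESS_VM_READ`, so calling `OpenProcess` directly with just those two rights is the least-privilege version of the same step. The class name, the `GetModuleBases` helper and the process name `"Hearthstone"` are assumptions for the example.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Example (not UnitySpy code): open a process handle with only the rights
// module enumeration needs, instead of Process.Handle (PROCESS_ALL_ACCESS).
static class LeastPrivilegeProcessAccess
{
    // Access rights from winnt.h; EnumProcessModulesEx requires exactly these two.
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint PROCESS_VM_READ = 0x0010;

    // Filter flag from psapi.h: list 32- and 64-bit modules.
    const uint LIST_MODULES_ALL = 0x03;

    const int ERROR_ACCESS_DENIED = 5;

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr hObject);

    [DllImport("psapi.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool EnumProcessModulesEx(
        IntPtr hProcess, [Out] IntPtr[] lphModule, uint cb, out uint lpcbNeeded, uint dwFilterFlag);

    // Returns the base addresses of the target's loaded modules. Throws
    // Win32Exception carrying the real error code, so an access-denied failure
    // can be told apart from other causes (e.g. a process that has exited).
    public static IntPtr[] GetModuleBases(int processId)
    {
        IntPtr hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, processId);
        if (hProcess == IntPtr.Zero)
            throw new Win32Exception(Marshal.GetLastWin32Error());

        try
        {
            // First call with an empty buffer only to learn the required size.
            if (!EnumProcessModulesEx(hProcess, new IntPtr[0], 0, out uint needed, LIST_MODULES_ALL))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            var modules = new IntPtr[needed / IntPtr.Size];
            if (!EnumProcessModulesEx(hProcess, modules, needed, out needed, LIST_MODULES_ALL))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            return modules;
        }
        finally
        {
            CloseHandle(hProcess);
        }
    }

    static void Main()
    {
        // "Hearthstone" is an assumed process name for the example.
        foreach (var p in Process.GetProcessesByName("Hearthstone"))
        {
            try
            {
                Console.WriteLine($"pid {p.Id}: {GetModuleBases(p.Id).Length} modules");
            }
            catch (Win32Exception e) when (e.NativeErrorCode == ERROR_ACCESS_DENIED)
            {
                // Even the minimal rights were refused: the target is running at a
                // higher integrity level than us (elevated) or is being protected.
                Console.WriteLine($"pid {p.Id}: access denied even with minimal rights");
            }
        }
    }
}
```

Two caveats worth knowing when interpreting the result. If the game itself is running elevated, a medium-integrity process will still be refused `PROCESS_VM_READ` no matter how few rights it asks for, so in that case only running elevated (or not reading memory at all) helps; the reduced rights only remove the unnecessary part of the request. And `EnumProcessModulesEx` called from a 32-bit process under WOW64 behaves like plain `EnumProcessModules` and cannot enumerate a 64-bit target, so the calling process should match the target's bitness.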

hackf5 commented 2 years ago

Has anyone else reported this? I can imagine that examining the memory space of another program is something that AV software looks for.

sebastientromp commented 2 years ago

I see this pretty often in the logs, yes.

hackf5 commented 2 years ago

Ouch. That could mean that some AVs have blacklisted the DLL. It might be worth contacting the AV software company to see if anything can be done about it.

An interesting check would be to rename the DLL and see if it still gets picked up. That would tell you whether it's being blacklisted by name or behaviour.

sebastientromp commented 2 years ago

I had one AV (I think it was Panda? Not sure anymore) that blacklisted it because of the name. Renaming is something we said we'd do, but unfortunately I haven't been able to spend much time on it recently.

hackf5 commented 2 years ago

Should just tell people to disable their av. They are the biggest viruses out there.

On Fri, Nov 12, 2021, 14:15 Sébastien Tromp @.***> wrote:

I had one AV (I think it was Panda? Not sure anymore) that blacklisted it because of the name. Renaming is something we said we'd do, but unfortunately I haven't been able to spend much time on it recently.
