Access denied when trying to open Hearthstone process

[sebastientromp]

Hey,

I have a user who reported an "Access denied" issue with the following stack trace:

Access is denied
at System.Diagnostics.ProcessManager.OpenProcess(Int32 processId, Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.OpenProcessHandle(Int32 access)
at System.Diagnostics.Process.get_Handle()
at HackF5.UnitySpy.Util.Native.GetProcessModulePointers(ProcessFacade process)
at HackF5.UnitySpy.AssemblyImageFactory.GetMonoModule(ProcessFacade process)
at HackF5.UnitySpy.AssemblyImageFactory.Create(Int32 processId, String assemblyName)

Running the app in Admin mode solves the issue.

However it's difficult to ask users to run the app as admin. Are you familiar with this? Are you aware of a way to ask for less permissions, so that it might work in more restrictive environments?

Looking at the trace I'm not sure exactly what part is causing the issue. It looks like Native.EnumProcessModulesEx is the only thing that does some actual access here, so it's probably it?

[hackf5]

has anyone else reported this? i can imagine that examining the memory space of another program is something that av software looks for.

[sebastientromp]

I see this pretty often in the logs, yes.

[hackf5]

ouch. that could mean that some av's have blacklisted the dll. it might be worth contacting the av software company to see if anything can be done about it.

An interesting check would be to rename the dll and see if it still gets picked up. that would tell you whether it's being blacklisted by name or behaviour.

[sebastientromp]

I had one AV (I think it was Panda? Not sure anymore) who blacklisted it because of the name. Renaming is something we said we'd do, but unfortunately I haven't been able to spend much time on it recently.

[hackf5]

Should just tell people to disable their av. They are the biggest viruses out there.

…

On Fri, Nov 12, 2021, 14:15 Sébastien Tromp ***@***.***> wrote: I had one AV (I think it was Panda? Not sure anymore) who blacklisted it because of the name. Renaming is something we said we'd do, but unfortunately I haven't been able to spend much time on it recently. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#11 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ALU56HPZYSCU5VXXPDN4TCDULUORRANCNFSM4JEDHXQA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.