[4.1.2 Problem][RuntimeBroker.exe Process]Injection Failed

c++ / delphi package - dll injection and api hooking
lovenamu
Posts: 24
Joined: Thu Dec 02, 2010 8:21 am

[4.1.2 Problem][RuntimeBroker.exe Process]Injection Failed

Post by lovenamu »

Hello.
I have an injection problem with RuntimeBroker.exe, which is used by the Skype App (UWP Apps: Universal Windows Platform).
( OS: Windows 10 Enterprise Version 1803, x64 )

Up to madCodeHook 4.1.0, there was no injection problem.
The screenshot below shows that the injection succeeded.
I think that the RuntimeBroker.exe itself is not a UWP process but a plain process.
RuntimeBroker_hookingO.png
But after using madCodeHook 4.1.2, the injection problem occurred.
RuntimeBroker_hookingX.png
Please help me.
Thank you in advance.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Post by madshi »

Are you using the INJECT_METRO_APPS flag? If not, try using that.
lovenamu
Posts: 24
Joined: Thu Dec 02, 2010 8:21 am

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Post by lovenamu »

Great!!! It works.
Thank you.
_NN_
Posts: 55
Joined: Mon Jan 21, 2013 4:00 pm

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Post by _NN_ »

FYI, the RuntimeBroker.exe process which is started from MicrosoftEdge is not eligible to be injected, since it is started with the Microsoft Only DLL policy.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Post by iconic »

FYI RuntimeBroker.exe process which is started from MicrosoftEdge is not eligible to be injected since it is started with Microsoft Only Dll policy.
???

Edge doesn't start RuntimeBroker, any instances actually; instead, an instance of SvcHost does this, according to Process Explorer's parent process field anyway. All instances of RuntimeBroker.exe can also *still* be injected with unsigned modules without any issues on a default install of Windows 10, despite *some* process mitigations such as binary signature restrictions being in place (verified enabled mitigations with Process Hacker). Tested on Windows 10 x64 build 1809. See images below.
rtbroker_1.png
rtbroker_2.png
--Iconic
_NN_
Posts: 55
Joined: Mon Jan 21, 2013 4:00 pm

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Post by _NN_ »

I mean this RuntimeBroker.exe, which runs MicrosoftEdgeSH.exe.
Untitled.png
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Post by iconic »

Yes, but you had it the other way around in your first comment, which is why I had to see for myself. Anyhow, Edge should never (based on security principles) spawn the broker; the broker would, however, spawn Edge or Edge's many other components. Regardless, tested again on 10 1809 x64 and I could still inject into MicrosoftEdgeSH's parent runtimebroker without doing anything special (hacks, modifications etc.), so it seems DLLs can still be injected that are non-MS signed.
1.png
2.png
--Iconic
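
The mitigation check mentioned above (reading a process's enabled mitigations, done in the thread with Process Hacker) can also be done programmatically. The following is an added example, not part of the thread and not madCodeHook code: it reads a process's binary-signature policy with the Windows API GetProcessMitigationPolicy. The helper names, the SIG_* macro names and the sample flag value are assumptions made for illustration.

```c
/* Added example: read a process's binary-signature mitigation flags. */
#ifdef _WIN32
#define _WIN32_WINNT 0x0A00   /* GetProcessMitigationPolicy needs Windows 8 or later */
#include <windows.h>
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Bit layout of PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY.Flags (winnt.h). */
#define SIG_MS_SIGNED_ONLY    0x01u
#define SIG_STORE_SIGNED_ONLY 0x02u
#define SIG_MITIGATION_OPT_IN 0x04u
#define SIG_AUDIT_MS_ONLY     0x08u
#define SIG_AUDIT_STORE_ONLY  0x10u

/* Hypothetical helper: 2 = MicrosoftSignedOnly set, 1 = audit bit only, 0 = neither. */
int ms_only_state(uint32_t flags) {
    if (flags & SIG_MS_SIGNED_ONLY) return 2;
    if (flags & SIG_AUDIT_MS_ONLY)  return 1;
    return 0;
}

#ifdef _WIN32
/* Hypothetical helper: fetch the live policy flags of a PID; returns 0 on success. */
int query_signature_flags(unsigned long pid, uint32_t *flags) {
    PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY pol = {0};
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (DWORD)pid);
    if (!h) return -1;
    BOOL ok = GetProcessMitigationPolicy(h, ProcessSignaturePolicy, &pol, sizeof pol);
    CloseHandle(h);
    if (!ok) return -1;
    *flags = pol.Flags;
    return 0;
}
#endif

int main(int argc, char **argv) {
    static const char *names[] = { "off", "audit only", "set" };
    uint32_t flags = SIG_MS_SIGNED_ONLY | SIG_MITIGATION_OPT_IN; /* constructed sample */
#ifdef _WIN32
    if (argc > 1 && query_signature_flags(strtoul(argv[1], NULL, 10), &flags) != 0) {
        fprintf(stderr, "could not query PID %s\n", argv[1]);
        return 1;
    }
#else
    (void)argc; (void)argv;   /* off Windows only the constructed sample is decoded */
#endif
    printf("Flags=0x%02x MicrosoftSignedOnly: %s\n", (unsigned)flags, names[ms_only_state(flags)]);
    return 0;
}
```

On Windows, pass the PID of the RuntimeBroker.exe instance as the first argument; without an argument the program decodes the constructed sample value.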