madshi.net

Hello.
I have the injection problem about RuntimeBroker.exe, which is used by the Skype App (UWP Apps: Universal Windows Platform).
( OS: Windows 10 Enterprise Version 1803, x64 )

Until madCodeHook 4.1.0, there is no injection problem.
Below screenshot shows the injection has succeeded.
I think that the RuntimeBroker.exe itself is not a UWP process but a plain process.
But after using madCodeHook 4.1.2, the injection problem has occurred.
Please, help me.
Thank you in advance

Are you using the INJECT_METRO_APPS flag? If not, try using that.

Great!!! It works.
Thank you.

FYI RuntimeBroker.exe process which is started from MicrosoftEdge is not eligible to be injected since it is started with Microsoft Only Dll policy.

FYI RuntimeBroker.exe process which is started from MicrosoftEdge is not eligible to be injected since it is started with Microsoft Only Dll policy.

???

Edge doesn't start RuntimeBroker, any instances actually, instead an instance of SvcHost does this according to Process Explorer's parent process field anyway. All instances of RuntimeBroker.exe can also *still* be injected with unsigned modules without any issues on a default install of Windows 10 despite *some* process mitigations such as binary signature restrictions being in place (verified enabled mitigations with Process Hacker). Tested on Windows 10 x64 build 1809 - See images below
--Iconic

I mean this RuntimeBroker.exe which runs MicrosoftEdgeSH.exe

Yes, but you had it the other way around in your first comment, which is why I had to see for myself. Anyhow, Edge should never (based on security principles) spawn the broker, the broker would however spawn Edge or Edge's many other components. Regardless, tested again on 10 1809 x64 and I could still inject into MicrosoftEdgeSH's parent runtimebroker without doing anything special (hacks, modifications etc.) so it seems DLLs can still be injected that are non-MS signed.
--Iconic