
[4.1.2 Problem][RuntimeBroker.exe Process]Injection Failed

Posted: Wed Jan 16, 2019 2:57 am
by lovenamu
Hello.
I have an injection problem with RuntimeBroker.exe, which is used by the Skype App (UWP Apps: Universal Windows Platform).
(OS: Windows 10 Enterprise Version 1803, x64)

Up to madCodeHook 4.1.0, there was no injection problem.
The screenshot below shows that the injection succeeded.
I think that the RuntimeBroker.exe itself is not a UWP process but a plain process.
RuntimeBroker_hookingO.png
But after using madCodeHook 4.1.2, the injection problem occurred.
RuntimeBroker_hookingX.png
Please help me.
Thank you in advance.

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Posted: Wed Jan 16, 2019 9:00 am
by madshi
Are you using the INJECT_METRO_APPS flag? If not, try using that.

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Posted: Thu Jan 17, 2019 8:38 am
by lovenamu
Great!!! It works.
Thank you.

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Posted: Tue Mar 12, 2019 6:07 pm
by _NN_
FYI, the RuntimeBroker.exe process which is started from MicrosoftEdge is not eligible to be injected, since it is started with the Microsoft-only DLL policy.

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Posted: Wed Mar 13, 2019 1:00 am
by iconic
FYI, the RuntimeBroker.exe process which is started from MicrosoftEdge is not eligible to be injected, since it is started with the Microsoft-only DLL policy.
???

Edge doesn't start RuntimeBroker (any instances, actually); instead an instance of SvcHost does this, according to Process Explorer's parent process field anyway. All instances of RuntimeBroker.exe can also *still* be injected with unsigned modules without any issues on a default install of Windows 10, despite *some* process mitigations such as binary signature restrictions being in place (verified enabled mitigations with Process Hacker). Tested on Windows 10 x64 build 1809. See images below.
rtbroker_1.png
rtbroker_2.png
--Iconic

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Posted: Wed Mar 13, 2019 7:42 am
by _NN_
I mean this RuntimeBroker.exe, which runs MicrosoftEdgeSH.exe.
Untitled.png

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Posted: Wed Mar 13, 2019 1:20 pm
by iconic
Yes, but you had it the other way around in your first comment, which is why I had to see for myself. Anyhow, Edge should never (based on security principles) spawn the broker; the broker would, however, spawn Edge or Edge's many other components. Regardless, tested again on 10 1809 x64 and I could still inject into MicrosoftEdgeSH's parent runtimebroker without doing anything special (hacks, modifications etc.), so it seems DLLs that are non-MS signed can still be injected.
1.png
2.png
--Iconic
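
The binary-signature mitigation debated in this thread can be read from a running process with the Win32 call GetProcessMitigationPolicy and ProcessSignaturePolicy, instead of through a GUI tool. The program below is an added example, not code from the thread or from madCodeHook; the enum, macro and function names are hypothetical, and the live query is compiled only on Windows.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Bit layout of PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY.Flags (winnt.h). */
#define SIG_MICROSOFT_SIGNED_ONLY 0x01u
#define SIG_STORE_SIGNED_ONLY     0x02u
#define SIG_MITIGATION_OPT_IN     0x04u
#define SIG_AUDIT_BITS            0x18u /* AuditMicrosoftSignedOnly | AuditStoreSignedOnly */

/* Hypothetical names for this example, ordered from weakest to strictest. */
enum sig_level { SIG_NONE, SIG_AUDIT, SIG_OPT_IN, SIG_STORE_ONLY, SIG_MS_ONLY };
static const char *SIG_NAME[] = { "not enforced", "audit only",
    "Microsoft, Store or WHQL signed", "Store signed only", "Microsoft signed only" };

/* Reduce the Flags value to the strictest image-load restriction that is enforced. */
enum sig_level sig_policy_level(uint32_t flags) {
    if (flags & SIG_MICROSOFT_SIGNED_ONLY) return SIG_MS_ONLY;
    if (flags & SIG_STORE_SIGNED_ONLY)     return SIG_STORE_ONLY;
    if (flags & SIG_MITIGATION_OPT_IN)     return SIG_OPT_IN;
    return (flags & SIG_AUDIT_BITS) ? SIG_AUDIT : SIG_NONE;
}

/* Query a live process. Returns 0 and fills *flags, or -1 on failure or non-Windows. */
int query_sig_policy(unsigned long pid, uint32_t *flags) {
#ifdef _WIN32
    PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY pol = {0};
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, (DWORD)pid);
    if (!h) return -1;
    BOOL ok = GetProcessMitigationPolicy(h, ProcessSignaturePolicy, &pol, sizeof pol);
    CloseHandle(h);
    if (ok) *flags = pol.Flags;
    return ok ? 0 : -1;
#else
    (void)pid; (void)flags;
    return -1;
#endif
}

int main(int argc, char **argv) {
    uint32_t flags = 0;
    unsigned long pid = argc > 1 ? strtoul(argv[1], NULL, 10) : 0;
    if (argc < 2 || query_sig_policy(pid, &flags) != 0) {
        fprintf(stderr, "usage: %s <pid> (Windows; needs query access)\n", argv[0]);
        return 1;
    }
    printf("pid %lu: flags=0x%02x -> %s\n", pid, (unsigned)flags, SIG_NAME[sig_policy_level(flags)]);
    return 0;
}
```

Run it against the PID of each RuntimeBroker.exe instance; an instance reporting "Microsoft signed only" has the policy enforced, while "audit only" or "not enforced" means the loader does not block non-Microsoft images on signature grounds.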