[4.1.2 Problem][RuntimeBroker.exe Process]Injection Failed

c++ / delphi package - dll injection and api hooking

Post by lovenamu » Wed Jan 16, 2019 2:57 am

Hello.
I have an injection problem with RuntimeBroker.exe, which is used by the Skype App (UWP Apps: Universal Windows Platform).
( OS: Windows 10 Enterprise Version 1803, x64 )

Up to madCodeHook 4.1.0, there was no injection problem.
The screenshot below shows that the injection succeeded.
I think that RuntimeBroker.exe itself is not a UWP process but a plain process.

RuntimeBroker_hookingO.png


But with madCodeHook 4.1.2, the injection problem occurs.

RuntimeBroker_hookingX.png


Please help me.
Thank you in advance.
lovenamu

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Post by madshi » Wed Jan 16, 2019 9:00 am

Are you using the INJECT_METRO_APPS flag? If not, try using that.
madshi
Site Admin

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Post by lovenamu » Thu Jan 17, 2019 8:38 am

Great!!! It works.
Thank you.
lovenamu

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Post by _NN_ » Tue Mar 12, 2019 6:07 pm

FYI, the RuntimeBroker.exe process which is started from MicrosoftEdge is not eligible to be injected since it is started with the Microsoft Only Dll policy.
_NN_

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Post by iconic » Wed Mar 13, 2019 1:00 am

> FYI RuntimeBroker.exe process which is started from MicrosoftEdge is not eligible to be injected since it is started with Microsoft Only Dll policy.

???

Edge doesn't start RuntimeBroker (any instances, actually); instead, an instance of SvcHost does this, according to Process Explorer's parent process field anyway. All instances of RuntimeBroker.exe can also *still* be injected with unsigned modules without any issues on a default install of Windows 10, despite *some* process mitigations such as binary signature restrictions being in place (verified enabled mitigations with Process Hacker). Tested on Windows 10 x64 build 1809 - see images below.

rtbroker_1.png

rtbroker_2.png


--Iconic
iconic
Site Admin

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Post by _NN_ » Wed Mar 13, 2019 7:42 am

I mean this RuntimeBroker.exe, which runs MicrosoftEdgeSH.exe.
Untitled.png
_NN_

Re: [4.1.2 Problem][RuntimeBroker.exe Process]Injection Fail

Post by iconic » Wed Mar 13, 2019 1:20 pm

Yes, but you had it the other way around in your first comment, which is why I had to see for myself. Anyhow, Edge should never (based on security principles) spawn the broker; the broker would, however, spawn Edge or Edge's many other components. Regardless, I tested again on 10 1809 x64 and I could still inject into MicrosoftEdgeSH's parent RuntimeBroker without doing anything special (hacks, modifications etc.), so it seems DLLs that are non-MS signed can still be injected.

1.png

2.png


--Iconic
iconic
Site Admin
