none
Cannot inject .dll in browser_broker.exe in Win10 RRS feed

  • Question

  • Hi!
    I am building a .dll that needs to be loaded inside browser_broker.exe (an MS Edge process that has medium integrity). I inject it from another .exe using the CreateRemoteThread approach.
    It has been working fine until Windows 10 Fall Creators Update.
    My .dll nor any other non-microsoft .dll can be injected. I Tried with a signed Chrome .dll, or any other library from other vendors but there is no way.
    It seems the Code Integrity is involved here, because in the event viewer in "Applications and services\Microsoft\Windows\CodeIntegrity\Operational" says:
    "Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\browser_broker.exe) attempted to load \Device\HarddiskVolume2\<.dll path> that did not meet the Microsoft signing level requirements."

    I checked and my computer is a "fresh" PC and no special code integrity policy has been added.

    Can it be that by design it is like this? I know that for some system processes it's like this but as it affects .dlls and probably drivers, I think that system-AV will also be rejected thus it's an entry point for any virus because this browser_broker.exe module takes care when a file is downloaded in the computer not giving the chance to the system-antivirus to know that a file is being created in the file-system.

    Also this version of Windows introduces something called "Windows Defender Device Guard", maybe it's this.

    Is there a way to create a kind of code-integrity policy to allow my .dll to be loaded here?

    Thanks in advance.

     

    Wednesday, November 1, 2017 9:48 AM