
Remote script execution fails on Microsoft Store builds of python #72

Closed
dariushoule opened this issue Jan 20, 2025 · 3 comments

@dariushoule
Contributor

dariushoule commented Jan 20, 2025

Hello,

I've noticed that Microsoft Store builds of python fail when trying to execute python within remote processes (Windows 11 64-bit, Python 3.12 & 3.13 tested).

After activating python from the Windows store, reproducing is as simple as:

c = create_process(b"c:\\windows\\system32\\notepad.exe", dwCreationFlags=CREATE_SUSPENDED, show_windows=True)
c.execute_python('eval("1+1")')

Which results in:

Traceback (most recent call last):
  File "c:\redacted\inproc_dbg.py", line 36, in <module>
    context_at(0x00007FF600277401)
  File "c:\redacted\inproc_dbg.py", line 30, in context_at
    c.execute_python('eval("1+1")')
  File "C:\Users\Rhonda\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\windows\winobject\process.py", line 1135, in execute_python
    return injection.safe_execute_python(self, pycode)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\Rhonda\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\windows\injection.py", line 429, in safe_execute_python
    t = execute_python_code(process, code)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\Rhonda\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\windows\injection.py", line 399, in execute_python_code
    load_dll_in_remote_process(process, pydll_path)
  File "C:\Users\Rhonda\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\windows\injection.py", line 168, in load_dll_in_remote_process
    raise InjectionFailedError(u"Injection of <{0}> failed".format(dll_path))
windows.injection.InjectionFailedError: Injection of <c:\program files\windowsapps\pythonsoftwarefoundation.python.3.12_3.12.2288.0_x64__qbz5n2kfra8p0\python312.dll> failed

The thing that jumps out at me on store installations is that there is a space in the DLL paths, whereas standard installs don't have one by default. Though take that with a grain of salt, because admittedly I haven't dug into the root cause yet.

I would be happy to dig in and submit a patch, but beforehand I wanted to understand a separate behavior in the injector. It seems that rpeb.Ldr is always null during DLL injection in my case, which also seems fishy.

I think there might possibly be two fixes here? One for perform_manual_getproc_loadlib* on Microsoft Store python builds, and one for Ldr being absent? I'd appreciate a gut-check that this sounds correct.

Thanks

@hakril
Owner

hakril commented Jan 20, 2025

Hi!

Thank you for the issue; indeed, the injection failure for Microsoft Store builds looks like a bug. At first glance, I don't think the space in the DLL path would be the cause of the bug. I would rather lean towards a path problem, where the loader cannot find the dependencies of this python.dll. But it indeed needs digging!
Do not hesitate to submit a patch; I will gladly discuss the reasons for the bug and your fix with you. Do not hesitate if you have questions about PythonForWindows during your explorations.

As for rpeb.Ldr being None, this is normal behavior, as you are starting your process with CREATE_SUSPENDED. I guess you do not resume it before injection, as rpeb.Ldr is filled in by the process's ntdll itself during initialization. So it's not a bug; perform_manual_getproc_loadlibX was precisely written to cover this case.

Cheers,
Hakril

PS: The injection with a space works for me, so the MS Store bug is likely due to something else!

>>> import sys
>>> sys.executable
'C:\\Program Files\\Python311 Path With Space\\python.exe'
>>> import windows
>>> import windows.generated_def as gdef
>>> p = windows.utils.create_process(r"c:\windows\system32\winver.exe", dwCreationFlags=gdef.CREATE_SUSPENDED)
>>> p.execute_python("1 + 1")
True
>>> [x for x in p.peb.modules if "python" in x.name][0]
<RemoteLoadedModule "python311.dll" at 0x1a337dacf50>
>>> [x for x in p.peb.modules if "python" in x.name][0].fullname
'c:\\program files\\python311 path with space\\python311.dll'

@dariushoule
Contributor Author

Thanks for taking the time to explain the Ldr behavior to me @hakril. This makes perfect sense!

I'll do a little investigation on the dll loading and see if I can't propose a fix.

@dariushoule
Contributor Author

Addressed in #74 and #73

Closing this out 👍
