Merge pull request #73 from dariushoule/windows_store_interpreter_tweaks

Improved behavior when running under Microsoft Store python interpreters

Author: hakril

docs/build/html/process.html

@@ -577,15 +577,20 @@ <h2><span class="section-number">2.1.3. </span>WinProcess<a class="headerlink" h
 <dl class="py method">
 <dt class="sig sig-object py" id="windows.winobject.process.WinProcess.execute_python">
 <span class="sig-name descname"><span class="pre">execute_python</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">pycode</span></span></em><span class="sig-paren">)</span><a class="reference internal" href="_modules/windows/winobject/process.html#WinProcess.execute_python"><span class="viewcode-link"><span class="pre">[source]</span></span></a><a class="headerlink" href="#windows.winobject.process.WinProcess.execute_python" title="Link to this definition">¶</a></dt>
-<dd><p>Execute Python code into the remote process.</p>
+<dd><p>Execute Python code in the remote process.</p>
 <p>This function waits for the remote process to end and
 raises an exception if the remote thread raised one</p>
+<div class="admonition note">
+<p class="admonition-title">Note</p>
+<p>This method is incompatible with Microsoft Store builds of python, as the interpreter DLLs do not grant execute to Users.
+See workaround:  <a class="reference external" href="https://github.com/hakril/PythonForWindows/tree/master/samples/process/msstore_interpreter_remote_python.py">https://github.com/hakril/PythonForWindows/tree/master/samples/process/msstore_interpreter_remote_python.py</a></p>
+</div>
 </dd></dl>
 
 <dl class="py method">
 <dt class="sig sig-object py" id="windows.winobject.process.WinProcess.execute_python_unsafe">
 <span class="sig-name descname"><span class="pre">execute_python_unsafe</span></span><span class="sig-paren">(</span><em class="sig-param"><span class="n"><span class="pre">pycode</span></span></em><span class="sig-paren">)</span><a class="reference internal" href="_modules/windows/winobject/process.html#WinProcess.execute_python_unsafe"><span class="viewcode-link"><span class="pre">[source]</span></span></a><a class="headerlink" href="#windows.winobject.process.WinProcess.execute_python_unsafe" title="Link to this definition">¶</a></dt>
-<dd><p>Execute Python code into the remote process.</p>
+<dd><p>Execute Python code in the remote process.</p>
 <dl class="field-list simple">
 <dt class="field-odd">Return type<span class="colon">:</span></dt>
 <dd class="field-odd"><p><dl class="field-list simple">
@@ -596,6 +601,11 @@ <h2><span class="section-number">2.1.3. </span>WinProcess<a class="headerlink" h
 </p>
 </dd>
 </dl>
+<div class="admonition note">
+<p class="admonition-title">Note</p>
+<p>This method is incompatible with Microsoft Store builds of python, as the interpreter DLLs do not grant execute to Users.
+See workaround:  <a class="reference external" href="https://github.com/hakril/PythonForWindows/tree/master/samples/process/msstore_interpreter_remote_python.py">https://github.com/hakril/PythonForWindows/tree/master/samples/process/msstore_interpreter_remote_python.py</a></p>
+</div>
 </dd></dl>
 
 <dl class="py method">

docs/source/sample.rst

@@ -69,6 +69,20 @@ Output
 
 .. _token_sample:
 
+
+Microsoft Store Python Injection
+''''''''''''''''''''''''''''''''
+
+Python execution in remote process fails with Microsoft Store builds of pythons (`mspython`), as the interpreter DLLs do not grant execute to Users.
+This sample shows a workaround by user https://github.com/dariushoule by copying needed mspython files to a temporary directory and injecting those instead.
+
+.. literalinclude:: ..\..\samples\process\msstore_interpreter_remote_python.py
+
+Output
+
+.. literalinclude:: samples_output\process_msstore_interpreter_remote_python.txt
+
+
 Token
 """""
 

docs/source/samples_output/process_msstore_interpreter_remote_python.txt

@@ -0,0 +1,15 @@
+PS C:\Users\hakril\PythonForWindows> py .\samples\process\msstore_interpreter_remote_python.py
+Executable is: C:\Users\hakril\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.13_qbz5n2kfra8p0\python.exe
+Trying normal execute_python()
+    Exception during proc1.execute_python():
+    InjectionFailedError('Injection of <c:\\program files\\windowsapps\\pythonsoftwarefoundation.python.3.13_3.13.496.0_x64__qbz5n2kfra8p0\\vcruntime140.dll> failed')
+Trying mspython workaround:
+    Executing python code!
+Injecting: C:\Users\hakril\AppData\Local\Temp\pfw_dllcache\vcruntime140.dll
+Injecting: C:\Users\hakril\AppData\Local\Temp\pfw_dllcache\python313.dll
+    Executing more python code!
+    Executing an error python code!
+        Expected error during safe_execute_python
+        b'Traceback (most recent call last):\n  File "<string>", line 1, in <module>\nNameError: name \'BAD_VARIABLE\' is not defined\n'
+   Sleeping a little
+   Killing target process !

samples/process/msstore_interpreter_remote_python.py

@@ -0,0 +1,148 @@
+# Some python interpreters run in environments with restrictive ACLs (no Users/* execute) on bundled DLLs.
+# The Microsoft Store version of python is the prime example of this.
+#
+# Remote execution of python is still possible by creating a minimal set of the dependencies outside of the restricted directory.
+#
+# This can be very helpful when operating PFW in environments with restrive GPOs / AppLocker.
+
+
+import ctypes
+import glob
+import os
+import shutil
+import tempfile
+import time
+import sys
+import struct
+
+import windows
+from windows.generated_def.ntstatus import STATUS_THREAD_IS_TERMINATING
+from windows.generated_def.windef import CREATE_SUSPENDED
+from windows.generated_def.winstructs import PROCESS_INFORMATION, STARTUPINFOW
+from windows.injection import RemotePythonError, \
+    find_python_dll_to_inject, get_dll_name_from_python_version, inject_python_command, load_dll_in_remote_process, retrieve_exc
+
+
+print("Executable is: {0}".format(sys.executable))
+
+CACHE_DIR = os.path.join(tempfile.gettempdir(), 'pfw_dllcache')
+INTERPRETER_DIR = os.path.dirname(find_python_dll_to_inject(64)) # Tailor bitness to your needs
+
+
+def mspython_acl_workaround(target, pydll_path):
+    """
+    Works around mspython ACL restrictions on mspython interpreters
+    by copying the critical DLLs to a TEMP dir and orienting the interpreter
+    against that TEMP dir.
+    """
+
+    if not os.path.exists(CACHE_DIR):
+        os.mkdir(CACHE_DIR)
+
+    for dll in [os.path.join(INTERPRETER_DIR, 'vcruntime140.dll'), pydll_path]:
+        cache_dll_path = os.path.join(CACHE_DIR, os.path.basename(dll))
+        try:
+            # Creates a copy of the DLL without bringing over restrictive ACLs
+            shutil.copyfile(dll, cache_dll_path)
+        except Exception as e:
+            # If its not writeable good chance these DLLs are just already loaded somewhere
+            print(e)
+
+        # Preloading python DLL and vcruntime so they don't get loaded from the path tree with restrictive ACLs
+        print("Injecting: {0}".format(cache_dll_path))
+        load_dll_in_remote_process(target, cache_dll_path)
+
+    for dll in glob.glob(os.path.join(INTERPRETER_DIR, 'dlls', '*')):
+        cache_dll_path = os.path.join(CACHE_DIR, os.path.basename(dll))
+        try:
+            # Dynamic lib DLLs with restrictive ACLs copied to unrestricted parent
+            shutil.copyfile(dll, cache_dll_path)
+        except Exception as e:
+            print(e)
+
+    target._workaround_applied = True
+
+
+# Adapted from windows\winobject\process.py
+def execute_python_code(process, code):
+    py_dll_name = get_dll_name_from_python_version()
+    pydll_path = find_python_dll_to_inject(process.bitness)
+
+    if not getattr(process, "_workaround_applied", None):
+        mspython_acl_workaround(process, pydll_path)
+    shellcode, pythoncode = inject_python_command(process, code, py_dll_name)
+    t = process.create_thread(shellcode, pythoncode)
+    return t
+
+
+def safe_execute_python(process, code):
+    t = execute_python_code(process, code)
+    t.wait() # Wait termination of the thread
+    if t.exit_code == 0:
+        return True
+    if t.exit_code == STATUS_THREAD_IS_TERMINATING or process.is_exit:
+        raise WindowsError("{0} died during execution of python command".format(process))
+    if t.exit_code != 0xffffffff:
+        raise ValueError("Unknown exit code {0}".format(hex(t.exit_code)))
+    data = retrieve_last_exception_data(process)
+    raise RemotePythonError(data)
+
+# Adapted from windows\injection.py
+def retrieve_last_exception_data(process):
+    with process.allocated_memory(0x1000) as mem:
+        execute_python_code(process, retrieve_exc.format(mem)).wait()
+        size = struct.unpack("<I", process.read_memory(mem, ctypes.sizeof(ctypes.c_uint)))[0]
+        data = process.read_memory(mem + ctypes.sizeof(ctypes.c_uint), size)
+    return data
+
+# First: show what happen when injecting mspython normally
+print("Trying normal execute_python()")
+proc1 = windows.utils.create_process(r"C:\Windows\system32\winver.exe")
+try:
+    proc1.execute_python("2 + 2 == 5")
+except Exception as e:
+    print("    Exception during proc1.execute_python():")
+    print("    {0}".format(repr(e)))
+proc1.exit()
+
+print("Trying mspython workaround:")
+proc_info = PROCESS_INFORMATION()
+StartupInfo = STARTUPINFOW()
+StartupInfo.cb = ctypes.sizeof(StartupInfo)
+windows.winproxy.CreateProcessW(
+    r"C:\Windows\system32\winver.exe",
+    dwCreationFlags=CREATE_SUSPENDED,
+    # Point PYTHONHOME to the interpreter dir so non-DLL libs can load
+    # Point PYTHONPATH to the newly created cache directory so DLL libs are loaded from there
+    lpEnvironment=('\0'.join('{}={}'.format(e, v) for e, v in os.environ.items()) + \
+                   '\0PYTHONHOME={}\0PYTHONPATH={}\0\0'.format(INTERPRETER_DIR, CACHE_DIR)).encode(),
+    lpProcessInformation=ctypes.byref(proc_info),
+    lpStartupInfo=ctypes.byref(StartupInfo))
+
+process = windows.winobject.process.WinProcess(pid=proc_info.dwProcessId, handle=proc_info.hProcess)
+
+print("    Executing python code!")
+safe_execute_python(process, """
+import windows
+windows.utils.create_console()
+print('hello from inside the suspended process!', flush=True)
+""")
+
+process.threads[0].resume()
+
+print("    Executing more python code!")
+safe_execute_python(process, """
+print('hello from inside the resumed process!', flush=True)
+""")
+
+print("    Executing an error python code!")
+try:
+    safe_execute_python(process, """BAD_VARIABLE""")
+except RemotePythonError as e:
+    print("        Expected error during safe_execute_python")
+    print("        {0}".format(e))
+
+print("   Sleeping a little")
+time.sleep(5)
+print("   Killing target process !")
+process.exit()

tests/test_process.py

@@ -4,9 +4,11 @@
 import os
 import sys
 import time
-import struct
+import ctypes
+
 import textwrap
 import shutil
+import re
 
 import windows
 import windows.pipe
@@ -26,8 +28,10 @@ def test_get_current_process_peb(self):
         return windows.current_process.peb
 
     def test_get_current_process_modules(self):
-        # Use sys.executable because executable can be a PyInstaller exe
-        assert os.path.basename(sys.executable) in windows.current_process.peb.modules[0].name
+        # Use module filename because this executable can be: 
+        # 1. A PyInstaller exe
+        # 2. A Windows App execution alias (Microsoft Store builds)
+        assert os.path.basename(windows.current_process.peb.ProcessParameters[0].ImagePathName.str) in windows.current_process.peb.modules[0].name
 
     def test_get_current_process_exe(self):
         exe = windows.current_process.peb.exe
@@ -36,12 +40,12 @@ def test_get_current_process_exe(self):
         exe.bitness ==  exe_by_module.bitness
 
     def test_current_process_pe_imports(self):
-        python_module = windows.current_process.peb.modules[0]
-        imp = python_module.pe.imports
-        assert "kernel32.dll" in imp.keys(), 'Kernel32.dll not in python imports'
-        current_proc_id_iat = [f for f in imp["kernel32.dll"] if f.name == "GetCurrentProcessId"][0]
-        k32_base = windows.winproxy.LoadLibraryA(b"kernel32.dll")
-        assert windows.winproxy.GetProcAddress(k32_base, b"GetCurrentProcessId") == current_proc_id_iat.value
+        k32_mod = windows.current_process.peb.modules[2]
+        imp = k32_mod.pe.imports
+        assert "ntdll.dll" in imp.keys(), 'ntdll.dll not in python imports'
+        fn_id_iat = [f for f in imp["ntdll.dll"] if f.name == "NtCreateFile"][0]
+        ntdll_base = windows.winproxy.LoadLibraryA(b"ntdll.dll")
+        assert windows.winproxy.GetProcAddress(ntdll_base, b"NtCreateFile") == fn_id_iat.value
 
     def test_current_process_pe_exports(self):
         mods = [m for m in windows.current_process.peb.modules if m.name == "kernel32.dll"]

windows/com.py

@@ -33,7 +33,13 @@ def init():
     return initsecurity()
 
 def initsecurity(): # Should take some parameters..
-    return winproxy.CoInitializeSecurity(0, -1, None, 0, 0, RPC_C_IMP_LEVEL_IMPERSONATE, 0,0,0)
+    try:
+        winproxy.CoInitializeSecurity(0, -1, None, 0, 0, RPC_C_IMP_LEVEL_IMPERSONATE, 0,0,0)
+    except OSError as e:
+        if e.winerror & 0xFFFFFFFF != gdef.RPC_E_TOO_LATE:
+            # RPC_E_TOO_LATE can happen when the python environment invokes CoInitializeSecurity before we get to it
+            # mspython builds do this consistently.
+            raise e
 
 
 class Dispatch(interfaces.IDispatch):

windows/winobject/process.py

@@ -1127,17 +1127,25 @@ def load_library(self, dll_path):
         return [m for m in self.peb.modules if m.baseaddr == dllbase][0]
 
     def execute_python(self, pycode):
-        """Execute Python code into the remote process.
+        """Execute Python code in the remote process.
 
         This function waits for the remote process to end and
         raises an exception if the remote thread raised one
-		"""
+
+        .. note::
+            This method is incompatible with Microsoft Store builds of python, as the interpreter DLLs do not grant execute to Users.
+            See workaround:  https://hakril.github.io/PythonForWindows/build/html/sample.html#microsoft-store-python-injection
+        """
         return injection.safe_execute_python(self, pycode)
 
     def execute_python_unsafe(self, pycode):
-        """Execute Python code into the remote process.
+        """Execute Python code in the remote process.
 
         :rtype: :rtype: :class:`WinThread` or :class:`DeadThread` : The thread executing the python code
+
+        .. note::
+            This method is incompatible with Microsoft Store builds of python, as the interpreter DLLs do not grant execute to Users.
+            See workaround:  https://hakril.github.io/PythonForWindows/build/html/sample.html#microsoft-store-python-injection
         """
         return injection.execute_python_code(self, pycode)