Remote script execution fails on Microsoft Store builds of python

[dariushoule]

Hello,

I've noticed that Microsoft Store builds of python fail when trying to execute python within remote processes (Windows 11 64-bit, Python 3.12 & 3.13 tested).

After activating python from the Windows store, reproducing is as simple as:

c = create_process(b"c:\\windows\\system32\\notepad.exe", dwCreationFlags=CREATE_SUSPENDED, show_windows=True)
c.execute_python('eval("1+1")')

Which results in:

Traceback (most recent call last):
  File "c:\redacted\inproc_dbg.py", line 36, in <module>
    context_at(0x00007FF600277401)
  File "c:\redacted\inproc_dbg.py", line 30, in context_at
    c.execute_python('eval("1+1")')
  File "C:\Users\Rhonda\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\windows\winobject\process.py", line 1135, in execute_python
    return injection.safe_execute_python(self, pycode)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\Rhonda\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\windows\injection.py", line 429, in safe_execute_python
    t = execute_python_code(process, code)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\Rhonda\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\windows\injection.py", line 399, in execute_python_code
    load_dll_in_remote_process(process, pydll_path)
  File "C:\Users\Rhonda\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\windows\injection.py", line 168, in load_dll_in_remote_process
    raise InjectionFailedError(u"Injection of <{0}> failed".format(dll_path))
windows.injection.InjectionFailedError: Injection of <c:\program files\windowsapps\pythonsoftwarefoundation.python.3.12_3.12.2288.0_x64__qbz5n2kfra8p0\python312.dll> failed

The thing that jumps out at me on store installations is there is a space in the DLL paths, whereas standard installs don't have one by default. Though take with a grain of salt because admittedly I haven't dug into the root cause yet.

I would be happy to dig in and submit a patch, but beforehand I wanted to understand a separate behavior in the injector. It seems that rpeb.Ldr is always null during DLL injection in my case, which also seems fishy.

I think there might be possibly two fixes here? One for perform_manual_getproc_loadlib* on Microsoft Store python builds, and one for Ldr being absent? I'd appreciate a gut-check that this sounds correct.

Thanks

[hakril]

Hi !

Thank you for the issue, indeed the injection fail for Microsoft Store builds looks like a bug. At first glance, I don't think the space in the DLL path would be the cause of the bug. I would rather lean towards a path problem, where the loader cannot find the dependencies of this python.dll. But it indeed need digging !
Do not hesitate to submit a patch, I will gladly discuss the reasons of the bug and your fix with you. Do not hesitate if you have questions about PythonForWindows during your explorations.

For the rpeb.Ldr is None, this is a normal behavior as you are starting your process with CREATE_SUSPENDED. I guess you do not resume it before injection as the rpeb.Ldr is filled by the process ntdll itself during initialization. So it's not a bug, perform_manual_getproc_loadlibX was precisely written to cover this case.

Cheers,
Hakril

PS: The injection with space works for me, so the MS-store bug is likely due to something else !

>>> import sys
>>> sys.executable
'C:\\Program Files\\Python311 Path With Space\\python.exe'
>>> import windows
>>> import windows.generated_def as gdef
>>> p = windows.utils.create_process(r"c:\windows\system32\winver.exe", dwCreationFlags=gdef.CREATE_SUSPENDED)
>>> p.execute_python("1 + 1")
True
>>> [x for x in p.peb.modules if "python" in x.name][0]
<RemoteLoadedModule "python311.dll" at 0x1a337dacf50>
>>> [x for x in p.peb.modules if "python" in x.name][0].fullname
'c:\\program files\\python311 path with space\\python311.dll'

[dariushoule]

Thanks for taking the time to explain the Ldr behavior to me @hakril. This makes perfect sense!

I'll do a little investigation on the dll loading and see if I can't propose a fix.

[dariushoule]

Addressed in #74 and #73

Closing this out 👍