stump’s blog

I’m starting to use gpg.

This isn’t the first time that I have said to myself, “Hey, I should start using gpg!” I have had that idea twice before. And each of those times I made myself a key then just forgot about actually trying to use it and collect signatures on it. I never published those keys, and as time went by I forgot their passphrases.

I’m off to a much better start this time, as I cross-signed with my friend Asheesh today, published my key, and configured gpg integration in my MUA. So my new key will actually be seeing some use.

For those of you interested, my key ID is 9C121F46, and the fingerprint is C25D 9D2F F3F1 3D72 ADEB D54C F1DB 6C38 9C12 1F46. I uploaded my key to keys.gnupg.net and pgp.acm.jhu.edu. I will put this information on my contact page too.

(The svn won’t be going anywhere - further development in git will be mirrored into svn.)

I had been wanting to do this for some time, but I was finally convinced to do it when I had an hour-and-a-half-long power outage (and therefore lost Internet access) when I was about to commit a change to libfogg. The inability to do more work and keep clean development history without resorting to diffing out what would have been my commit really got to me.

Happy distributed hacking!

Since I’m starting to use this more regularly after precisely 16 months of sporadic activity (counting from the welcome post), I figured I’d analyze said welcome post and see how much of it I have managed to stick to.

Welcome to my blog of code, freedom, gaming, computing, and some other stuff. (I will say it now: most of my blogging will probably be software-related.)

How right that last part has been. Since establishing this and letting it (most of the time) just sit here, my computing focus has switched almost entirely to software. I just haven’t felt inclined to blog about the other stuff.

I have many software projects going on now. I am in the process of placing all of them onto my Subversion server, but the ones I work on the most are there. Check it out (literally) at https://svn.stump.jstump.com/svnroot/ (read-only - I commit through svn+ssh) or browse around at https://svn.stump.jstump.com/websvn/. Patches are always welcome! I will always post when I tag a release, including full build instructions.

It’s http://svn.jstump.com/r/ and http://svn.jstump.com/websvn/ now, but help is of course still welcomed. Some projects have even grown their own mailing lists and Trac instances now that I run my own VPS. I haven’t stuck to what I said about blogging releases, but I didn’t feel any were that major anyway - the only stuff with release tags is Python extension modules used by FoFiX (which I probably should move to the FoFiX repository). There’s stuff that’s nearing completion that is more blog-worthy though (if, say, the kexec project’s intentions are any guide to go by). Also, when I amass the willpower to rewrite lots of my infrastructure code, we’re going to git, as mentioned in my most recent post before this.

I write software for Windows and GNU/Linux; nearly all of it is under “GPLv3 or later”. I will post about specific software projects whenever something interesting happens.

Since that post, I have indeed maintained a habit of writing strictly cross-platform code unless there is a reason not to, and have stuck to the GPL wherever it makes sense.

I am an avid player of Dungeons and Dragons (version 2) and the Classic Marvel RPG. (My GM is the very best.) When it comes to downtime, it’s hard to beat rolling oddly-shaped dice. Knights of the Dinner Table is the most epic magazine.

The place in which I played in said campaign closed up in July 2009, and the campaign died with it, but I got involved with other campaigns around that time. Unfortunately, moving into college killed those, and nothing I have found since has been the same. (In a way, though, the timing of the closing of the store worked out for the best, as I’m not sure how well I could have borne having to leave that campaign behind were it still active.)

Until Stump GNU/Linux works (which is probably quite a long time from now), I primarily use Ubuntu and Debian. (Naturally, I will be “eating my own dogfood” once it’s feasible.) My preferred non-free OS is by far Windows Server 2003, and I know both Windows and GNU/Linux quite well (as both a user and an administrator). (Indeed, I have dabbled in Windows enough to gain a certification or two.)

I shelved Stump GNU/Linux very soon after that post but am interested in picking it back up again at some point. ‘03 is still my favorite non-free OS, even with Windows 7 now out, though 7 came close to unseating it.

See you when something interesting pops up

Yes, yes, yes…

For some patches and scripts that I contributed to the Performous project to help with Windows portability, I now have one more commit bit (since it’s git in this case, push access) to my name.

Probably the best part of deciding to contribute was actually learning git itself so I could maintain the history of my own changes even before I shared my changes with the other developers. This marks the first time I have made serious use of a DVCS of any kind, and I must say that I am impressed by the new workflows DVCS makes possible, especially those that would be nigh-on impossible under a non-DVCS such as my current VCS of choice, which is Subversion.

You can probably reasonably expect any new projects I create on jstump.com to use git unless there is a major reason to still use svn. I may even convert some of my other projects. (The main obstacle, of course, is forcefully shoving git into my awesomely-constructed current svn+trac+custom authentication setup. I guess we’ll see how that goes when I have some extra time on my hands.)

Performous is a GPLv2+ band rhythm game that started out with just vocal play and expanded into guitar and drums not too long ago; this is the opposite of how Frets on Fire X evolved. (My commit access to FoFiX was granted last New Year’s Day, and in that time I have arguably become one of its core developers. I will look back on my experiences working with FoFiX once I hit the one-year mark since it’s so close and I’ve digressed enough already.)

It’s a strange feeling, now having commit access to two projects that the uninitiated observer might say are directly competing. Things are friendly and fair, though, and I have only the best intentions for my participation in both.

Merry Christmas to all, and to all, happy hacking!

If you have ever had to py2exe a Python program using pyOpenGL, you know that it’s a painful, tedious, but above all unclean process. (Even back with 2.x, that “version” file was so troublesome, but here we have one of py2exe’s worst enemies: funky import hooks.)

I actually figured this out some time ago and have been using it in many of my projects; I first did it for Frets on Fire X (FoFiX), and now, upon finding a certain lack of this information elsewhere on the Internet, I’m bringing it to you here.

Other documents advocate excluding the OpenGL package from your distribution and manually adding it back in after you actually run py2exe.  However, it’s actually quite trivial to work around the weird import hooks.  The hooks don’t care whether import (well, really, __import__…) is operating the standard CPython way (loading modules and packages directly from the filesystem) or through zipimport, just as long as it returns something useful and doesn’t raise ImportError.  So we can just force the stuff that gets indirectly imported to be included when py2exe does its thing.

It’s a case of passing the necessary module names to py2exe via the py2exe includes option.  To do that, pass a dictionary as a keyword argument named options to setup. In that dictionary, assign the key py2exe to another dictionary. In that sub-dictionary, set includes to a list that contains (at least) the following strings:

OpenGL.platform.win32
OpenGL.arrays.ctypesarrays
OpenGL.arrays.numpymodule
OpenGL.arrays.lists
OpenGL.arrays.numbers
OpenGL.arrays.strings

(Note that you probably won’t need all of those array converters, and you may in fact need extra ones. Those should cover practically all use cases, though. FoFiX, which is a quite involved codebase, only needs those.)

If all goes well, everything that pyOpenGL 3.x needs to run should end up actually in the distribution (cleanly!) once py2exe is invoked with the new includes.

If you need to see an example of this in action, see FoFiX’s setup.py script, and all will become clear to you.

Happy py2exeing with pyOpenGL 3.x!

That’s right… as of some arbitrary time not too long before you read this, I have a Facebook account.

If you know me, you will know that I have generally shied away from social networking in the past.  But I finally realized that there’s no sense in doing so any longer.  (Being able to much more reliably stay in contact with my friends as I jump from high school to college is a very good thing.)

Don’t expect me to be glued to my account the way I know some people are.  I will check it regularly but not (always) constantly.

Every time I have not used of some sort of social technology and then started using it, I wondered why I did not start sooner.  Hopefully this is what will happen as I open this new chapter in my Internet life.

Wow, I just let this blog sit unused all year.  I’ll have to remember to use it more often.

Today I got to experience dealing with a nasty rootkit on my brother’s Windows machine.  I was successful, but the full story behind discovering and destroying the infection has a lot of interesting little twists and turns to it.

I first noticed that DNS lookups had suddenly become rather slow on my network.  This is not out of the ordinary due to my very buggy, flimsy router, but this time it was a fair deal worse than usual.

More weirdly, the router was quite happily handling tons of packets.  And the blinking lights were Internet, wireless (where my brother’s computer is), and my testbed Windows Server 2003 box that acts as my internal DNS and DHCP server when I’m not doing anything else with it.

Suspecting to find something a small bit out of the ordinary, I popped open Wireshark on my brother’s computer and was horrified to find that it was attempting to send out spam at an alarming rate.  (All those parallel DNS MX and A queries had brought some intermediate DNS server, most likely that of my router, to its knees.)  I immediately used the netstat command to locate the guilty process.

The process at fault was services.exe.  Immediately I knew that I wasn’t just dealing with a typical spambot - it had probably injected a thread into there to do its bidding.  And yet services.exe is a core system process…

I watched the spam flow for a short time to try to catch the spambot grab addresses from whatever entity is controlling it, when I noticed a binary blob get HTTP POSTed to a PHP script on grizimvozim.name, with another binary blob sent in reply.

I then filtered my Wireshark capture to HTTP requests so as to wait and see whether any other servers were being contacted.  No others were, so I made the domain in question resolve to 0.0.0.0 in the hosts file to see what would happen.  The spam stopped almost immediately upon the next request (which I knew happened due to the machine starting to broadcast for the name via NetBIOS upon it failing to resolve through DNS), and I started investigating in earnest.

Firing up Process Explorer, I looked in services.exe for any unknown DLLs.  There were none.  There were no services out of the ordinary running out of services.exe itself either.  Somewhat perplexed, I updated AVG’s definitions and carried out a full system scan, which turned up nothing.

Suspecting that whatever malware I was dealing with had entered via an exploit in some piece of software in the system (and was covering its tracks unbelievably well), I decided to update critical network-facing system components to try to prevent it from happening again in the future after I got to the bottom of this one.  It was when I attempted to perform a Windows update that I was led down the path of discovery of the true extent of the infection.

I could access Windows Update, but it errored out very early.  Microsoft’s recommendation for the specific error code I received was to stop the Automatic Updates service, clean out the temporary folder the AU service uses, and start the service again.

The service was already stopped, though it was set to automatic start.  I suspected that AU was one of those services that would just stop when it had nothing to do (in my case, since I have the AU functionality turned off, as I prefer to update the machine manually).  I cleaned the AU temporary folder, right-clicked the service, and chose Start.

“The system cannot find the file specified.”

I went into the service properties to verify the filename it was trying to execute.  It turns out that the AU service runs through svchost.exe, but the command line it was trying to use was “%fystemroot%\system32\svchost.exe -k netsvcs”.  Almost reflexively I started regedit and dug through to try to fix the spelling of the SystemRoot environment variable.

“Access is denied.”

Sure enough, whatever had perturbed the spelling of the command line had also revoked access to that Registry key.  I restored it to default permissions (inherit and pass through inheritable parent ACEs without modification), and tried to fix it again.  Same thing.

I opened Process Explorer again and combed for open handles to anywhere in the service area of the Registry.  I found nothing.

By this point I was sure I was dealing with a full-blown rootkit.  It would have to be kernel-based to do some of the things that it was doing.  I looked through the list of loaded kernel modules in Process Explorer and saw a .sys file named with eight random hexadecimal characters.

“net stop [those characters]“: no such service.  I figured as much.

The service key named with those characters came up existent but empty.  Suspecting that the rootkit was playing with the permissions on that key just like it did with the AU service key, I found that I could not even get to the permissions dialog for it without getting an error.

I found the .sys file in \windows\system32\drivers and tried to scan it with AVG via shell extension.  File not found.

I tried to open it in a hex editor for a quick look around.  File not found.

I tried to copy it into another folder.  File not found.

I refreshed the drivers folder.  File still very much there.

At this point, I rebooted into my rarely-used reserve installation of Windows on that computer to have a look around not (hopefully) under the influence of the rootkit.

I mounted the SYSTEM registry hive from the main Windows installation and went down to the service key for that driver.  One of the values was a base64-encoded string which I duly pasted into the base64.b64decode() function in an interactive Python prompt.  “grizimvozim.name” !

I duly changed the start type of the service from 1 (system - during the pulsating progress bar phase of bootup) to 4 (disabled) and renamed the driver for good measure.  I also looked for more information on “fystemroot” and found that malware that does that to AU also tends to do that to BITS (which Windows Update relies on), and sure enough the BITS command line was misspelled too.  I fixed the permissions and spelling on both and rebooted into the main installation.

Sure enough, no more references to grizimvozim in an extended Wireshark session, Windows Update worked once again, and AVG nuked the driver for being Win32/Rustock.M as soon as I tried to open it in a hex editor.

Upon looking for information about Rustock, I was only able to get information for earlier generations of it, but their injection of spambot threads into critical system processes (winlogon.exe rather than services.exe, though) is well documented.  I saw that some forms would gain access to the kernel by unloading a rarely-used driver (such as null.sys or beep.sys), overwriting it, and reloading it, but all the rest of the drivers checked out free of infection.

Moral of the story: I may not use Windows all that much, but I certainly know my way around it, enough to find a kernel-based rootkit and stop it in its tracks.  Stump 1, Rustock zip.

Welcome to my blog of code, freedom, gaming, computing, and some other stuff.  (I will say it now: most of my blogging will probably be software-related.)

I have many software projects going on now.  I am in the process of placing all of them onto my Subversion server, but the ones I work on the most are there.  Check it out (literally) at https://svn.stump.jstump.com/svnroot/ (read-only - I commit through svn+ssh) or browse around at https://svn.stump.jstump.com/websvn/.  Patches are always welcome!  I will always post when I tag a release, including full build instructions.

I write software for Windows and GNU/Linux; nearly all of it is under “GPLv3 or later”.  I will post about specific software projects whenever something interesting happens.

I am an avid player of Dungeons and Dragons (version 2) and the Classic Marvel RPG.  (My GM is the very best.)  When it comes to downtime, it’s hard to beat rolling oddly-shaped dice.  Knights of the Dinner Table is the most epic magazine.

Until Stump GNU/Linux works (which is probably quite a long time from now), I primarily use Ubuntu and Debian.  (Naturally, I will be “eating my own dogfood” once it’s feasible.)  My preferred non-free OS is by far Windows Server 2003, and I know both Windows and GNU/Linux quite well (as both a user and an administrator).  (Indeed, I have dabbled in Windows enough to gain a certification or two.)

See you when something interesting pops up