The questions I would pose for you to ask yourself is:

What type of tools are you wanting to write?
What architecture are you most familiar with?

If you are strong in one area than make this your focus and excel at it. I stick generally with Windows Programming even if sometimes I feel it would be easier on the *nix side, this is simply because I know the Windows architecture better.

What would worry me the most in this situation, is the attacker talked about private information. I Would be worried about that, what do they consider private information. What did your client have on his computer that maybe would be more private than say login credential. Does your client hold any private personal records, that is what I would be worried about. Then unfortunately it is a lot scarier.

the_gamer,

I too went at this contest in the same fashion. When I approached this I went at it with the view that if I wanted netcat on web1 that I would need to put it on there myself. I thought it was only in my arsenal, but getting it on the box was up to me. This is why I chose ssh over netcat, since it would already be provided.

-Paul

Congrats guys, very impressive profiles!! Hope you enjoy your trip to BHDC.

Dean,

Thanks for the post. WinZapper didn't help much because it won't run on XP/2k3 Server. I checked in Olly to see what it is doing, it does an OS check right off the bat and exits. I am not great in the reversing world and figured a lot has changed on the API from NT4 and 2K so I didn't want to mess with it.

Windows has the event log locked down to where if the service is stopped your system restarts.

Thanks for the post, anyone else have any ideas

-Paul

I am currently trying to do cleanup within a vbscript. I am trying to clean up the event log. I want to erase only a few select entries within the log. now using WMI this accesses a lot of calls available from the Win API. I have found that by no suprise windows has locked out this ability. I have tried finding out the current size of the log, resetting the max to this size then tell the log to delete entries only if they are over 2 years old. Now even when I do this logging still happens. The only calls I can make or settings adjusted are

Call BackupEventLog   (useless)
Call ClearEventLog     (useless... overkill)

Set MaxFileSize
Set OverwriteOutDated

tried messing with the sets but didn't work out afterall, I could set them, but it kept on logging.

Does anyone have some insight on tools or methods for event log cleanup.

Thanks!!

Thanks for your awesome paper. I have been interested in learning more on RCE and have been held up by the fact that no one writes to the true entry level person. Your overview of registers was very well wrote.

I ran through the Hello World examples and had slight differences. I understand each disassembler will spit something different, I am wondering if you can tell me what is going on though. I m using gdb 6.6-debian.

Dump of assembler code for function main:
0x080483a0 <main+0>:    lea    0x4(%esp),%ecx
0x080483a4 <main+4>:    and    $0xfffffff0,%esp
0x080483a7 <main+7>:    pushl  0xfffffffc(%ecx)
0x080483aa <main+10>:   push   %ebp
0x080483ab <main+11>:   mov    %esp,%ebp
0x080483ad <main+13>:   push   %ecx
0x080483ae <main+14>:   sub    $0x4,%esp
0x080483b1 <main+17>:   movl   $0x1,0x80495cc
0x080483bb <main+27>:   call   0x8048374 <myprint>
0x080483c0 <main+32>:   mov    $0x0,%eax
0x080483c5 <main+37>:   add    $0x4,%esp
0x080483c8 <main+40>:   pop    %ecx
0x080483c9 <main+41>:   pop    %ebp
0x080483ca <main+42>:   lea    0xfffffffc(%ecx),%esp
0x080483cd <main+45>:   ret   
End of assembler dump.

The first three lines are where I am confused. I read about load effective address, but I don't know what it is loading.

Also in myprint(), I am using:

0x0804838b <myprint+23>:        call   0x80482bc <puts@plt>

I understand this is the print statement although do you have any input on puts vs print?

Thanks for the awesome paper, when is part two coming out?