U-4
Question: How can attackers perform Code Injection into a target process and steal sensitive data?
• Option A: By optimizing code execution speed
• Option B: By manipulating data on the program heap to reuse or reference freed memory
• Option C: By compressing the injected code
• Option D: By exploiting vulnerabilities to inject code into the address space of a running process (Correct)
Question: What is the role of obfuscation in code injection attacks?
• Option A: To enhance code readability
• Option B: To prevent buffer overflows
• Option C: To manipulate data on the program heap
• Option D: To disguise injected code, making it more challenging to detect and analyze (Correct)
Question: Which process component focuses on identifying the unique characteristics or patterns of a malware sample?
• Option A: Code obfuscation
• Option B: Heuristic analysis (Correct)
• Option C: Signature matching
• Option D: Rootkit detection
Question: Which component of malware analysis involves examining the code to identify obfuscated or encrypted portions?
• Option A: Behavioral analysis
• Option B: Code disassembly (Correct)
• Option C: Code obfuscation detection
• Option D: Rootkit analysis
Question: Which of the following is a sign that malware is using virtual memory to hide its presence?
o Option A: Unusual page fault rates
o Option B: Unexpected changes in page table entries
o Option C: Altered virtual memory permissions
o Option D: All of the above (Correct)
Question: What is a common technique malware uses to manipulate virtual memory?
o Option A: API hooking (Correct)
o Option B: Buffer overflow
o Option C: Process injection
o Option D: Rootkit installation
Question: In persistence memory management, what does the acronym "RAID" typically refer to in terms of cybersecurity?
• Option A: Random Access Indexed Data
• Option B: Redundant Array of Independent Disks (Correct)
• Option C: Reliable Application Integration Design
• Option D: Resource Allocation and Identification Directive
Question: Which of the following techniques is commonly employed by malware to achieve persistence on an infected system?
• Option A: Random file renaming
• Option B: Clearing browser cache
• Option C: Using startup scripts (Correct)
• Option D: Uninstalling system updates
Question: What is malware persistence and its potential?
• Option A: A technique used to ensure that malware remains active on a target system even after a reboot. (Correct)
• Option B: A method used to hide malware from antivirus software
• Option C: A way to distribute malware through email attachments
• Option D: Creating a hidden user account
Question: Which of the following is a method of achieving malware persistence on a Windows-based system?
• Option A: Modifying the Windows registry to execute a malicious payload at startup
• Option B: Infecting a legitimate system file to ensure the malware is loaded during system startup
• Option C: Creating a scheduled task to execute a malicious payload at specific intervals
• Option D: All of the above (Correct)
Question: Which of the following is a common virtual memory analysis technique used in malware analysis?
o Option A: Code Obfuscation
o Option B: Dynamic analysis (Correct)
o Option C: Heap spraying
o Option D: Reverse engineering
Question: How can virtual memory affect malware analysis?
o Option A: It makes malware execution slower, aiding in detection and analysis
o Option B: It provides additional memory space for malware to execute without detection (Correct)
o Option C: It enables malware to evade detection by disguising its presence in memory
o Option D: It restricts malware's ability to access system resources, limiting its capability
Question: Which of the following is not a root or hive key in the Windows Registry?
o Option A: HKEY_CURRENT_USER
o Option B: HKEY_LOCAL_MACHINE
o Option C: HKEY_CLASSES_ROOT
o Option D: HKEY_CURRENT_CONFIG (Correct)
Question: Which command is used to edit the Windows Registry?
o Option A: regedit (Correct)
o Option B: edit
o Option C: reg
o Option D: config
Question: In which module does the hook procedure specified in SetWindowsHookEx need to be located?
o Option A: Kernel32.dll (Correct)
o Option B: User32.dll
o Option C: Hook32.dll (This DLL doesn't exist by default in Windows)
o Option D: Custom.dll (This can be a custom DLL you create)
Question: What is the primary purpose of using SetWindowsHookEx in Windows programming?
o Option A: To intercept and monitor system events (Correct)
o Option B: To create new windows
o Option C: To delete existing windows
o Option D: To modify system settings
Question: What are the techniques that are used in DLL injection using SetWindowsHookEx?
o Option A: Create a DLL
o Option B: Choose a Hook Type
o Option C: Hook procedure
o Option D: All of the above (Correct)
Question: What are the functions used in the target process to create the remote thread in SetWindowsHookEx()?
o Option A: CreateRemoteThread() (Correct)
o Option B: SetWindowsHookEx() (This function is used to set the hook, not create a thread)
o Option C: NtCreateThreadEx() (This is an internal Windows API function that can be risky to use)
o Option D: A and B (Only CreateRemoteThread is needed)
Question: What happens if the hal.dll file is missing or corrupted on a Windows system?
o Option A: The system may become unstable and crash frequently.
o Option B: The system may not be able to boot up. (Correct)
o Option C: The system may experience network connectivity issues.
o Option D: The system may experience issues with the file system.
Question: What is the role of the hal.dll file in Windows operating systems?
o Option A: It is responsible for managing the file system.
o Option B: It provides the hardware abstraction layer for device drivers. (Correct)
o Option C: It is the core component of the Windows Registry.
o Option D: It is responsible for managing network connections.
Question: Which of the following best describes IAT hooking?
• Option A: Intercepting and modifying function calls within a program by manipulating its Import Address Table (IAT) (Correct)
• Option B: Intercepting and modifying network traffic using Inverse Address Translation
• Option C: Intercepting and modifying system calls using Inherited Address Tables (IAT is not inherited)
• Option D: Intercepting and modifying hardware interrupts through Interface Address Translation
Question: Which of the following is a potential application of IAT hooking?
o Option A: Preventing software piracy
o Option B: Bypassing security measures in software (Correct)
o Option C: Optimizing memory management in applications
o Option D: Improving network performance
Question: Which of the following memory regions in user space is MOST targeted by malware exploiting heap vulnerabilities?
o Option A: Code Segment
o Option B: Stack
o Option C: Heap (Correct)
o Option D: Global Data Segment
Question: A technique where malware floods the heap with data to increase the chance of landing shellcode at a predictable location is called:
• Option A: Address Space Layout Randomization (ASLR) (This is a security mitigation technique, not an exploit)
• Option B: Heap Fortification (This is a security measure, not an exploit)
• Option C: Heap Spraying (Correct)
• Option D: Privilege Escalation
Question: What is the main purpose of hooking an API in the context of injecting code into a target process?
• Option A: To directly execute malicious code within the target process (This might be achieved through hooking, but it's not the sole purpose)
• Option B: To block calls made to the API by legitimate applications
• Option C: To modify the API function itself (Possible, but not the primary goal in this context)
• Option D: To control the execution path of the program and redirect it to malicious code (Correct)
Question: What component of a process's memory is typically modified when hooking an API?
• Option A: EAT (Export Address Table) (This table resides in the DLL, not the target process)
• Option B: IAT (Import Address Table) (Correct)
• Option C: Page Table (This table is used for memory management, not directly related to hooking)
• Option D: Stack (This is another memory region, but not typically modified for hooking)
Question: What is a keylogger?
• Option A: A type of malware that records keystrokes on a computer (Correct)
• Option B: An encryption method used to secure data transmission
• Option C: A hardware device used to log keystrokes on a keyboard
• Option D: A software tool used for analyzing API calls
Question: How can APIs be used in malware analysis?
• Option A: To create custom tools for analyzing malware behavior
• Option B: To bypass antivirus detection by using legitimate API calls
• Option C: To intercept and log network traffic for analysis
• Option D: All of the above (Correct)
Question: What is the primary purpose of the Process Memory Component (in user space) in malware analysis?
• Option A: To analyze network traffic generated by the malware
• Option B: To examine and analyze the memory of running processes on the system (Correct)
• Option C: To analyze the file system for malicious files
• Option D: To monitor system logs for suspicious activities
Question: Which of the following techniques is commonly used in the Process Memory Component for malware analysis?
• Option A: Code obfuscation (This is a technique used by malware authors, not for analysis)
• Option B: Memory dumping (Correct)
• Option C: Firewall configuration (This is not a memory analysis technique)
• Option D: Disk encryption (This is not used for memory analysis)
Question: What is the target of APC injection?
• Option A: Process (Not specific enough)
• Option B: Memory (Not the direct target)
• Option C: API (Not the intended target in this context)
• Option D: Thread (Correct)
Question: Which API was invoked to create a thread in the target process?
• Option A: createthread() (This can be used, but not the most relevant in this context)
• Option B: CreateRemoteThread() (Correct) (This is specifically used for creating a thread in another process)
• Option C: thread() (This is not a standard Windows API function)
• Option D: createremote() (This is not a valid Windows API function)
Question: A process having multiple threads of control implies:
• Option A: It can do more than one task at a time (Correct)
• Option B: It can do only one task at a time, but much faster
• Option C: It has to use only one thread per process
• Option D: None of the mentioned
Question: What is a potential defense mechanism against DLL injection?
• Option A: Code obfuscation (This makes it harder to analyze the code, but doesn't directly prevent injection)
• Option B: Digital signatures on DLLs (This helps ensure the DLL comes from a trusted source)
• Option C: Sandboxing the target process (This isolates the process and limits its ability to interact with the system)
• Option D: All of the above (Correct)
Question: Which Windows API function is commonly used for DLL injection?
• Option A: LoadLibrary (Correct)
• Option B: CreateProcess (This can be used for process creation, not directly for DLL injection)
• Option C: VirtualAlloc
• Option D: SendMessage
Question: Which of the following is not a commonly used keylogger API?
• Option A: GetAsyncKeyState (Correct) (This retrieves the state of a key, not necessarily keystrokes)
• Option B: SetWindowsHookEx
• Option C: RegisterHotKey
• Option D: SendMessage
Question: What does the SetWindowsHookEx function allow keyloggers to do?
• Option A: Retrieve the state of a specified virtual key
• Option B: Register a hotkey combination
• Option C: Register a callback function for key events system-wide (Correct)
• Option D: Send a message to a window or windows
Question: Which of the following statements is TRUE about inline hooking in malware?
o Option A: It modifies the code of a legitimate function at runtime. (Correct)
o Option B: It relies on swapping function pointers in the Import Address Table (IAT). (This is IAT hooking, a different technique)
o Option C: It cannot be detected by modern anti-virus software. (Not necessarily true, AV can detect suspicious code)
o Option D: It is a more complex technique compared to IAT hooking. (Debatable, both have complexities)
Question: How does inline hooking typically alter the target function?
o Option A: By appending additional code to the end of the function.
o Option B: By rewriting the entire function with malicious code.
o Option C: By overwriting the first few bytes with a jump instruction to redirect execution. (Correct)
o Option D: By modifying the function's parameters and return values in memory.
Question: What is the name of the API used by the downloader to download the malicious file?
o Option A: URLDownloadToFile() (Correct)
o Option B: ShellExecute() (Can be used for execution)
o Option C: WinExec() (Can be used for execution)
o Option D: CreateProcess() (Can be used for creating new processes)
Question: What is the function of URLDownloadToFile() API?
o Option A: Downloads the malware file (Correct)
o Option B: Executes the malware file (This requires additional steps)
o Option C: None of the above
o Option D: Both A & B (Downloading doesn't necessarily mean execution)
Question: What component of a computer system manages the execution of programs and provides resources necessary for those programs to run?
o Option A: Kernel (Correct)
o Option B: RAM (RAM stores data, not manages execution)
o Option C: Hard Disk (Stores data, not manages execution)
o Option D: CPU (Executes instructions, but needs kernel for resource management)
Question: In malware analysis, what does the term "sandboxing" refer to?
o Option A: Analyzing malware in a controlled environment (Correct)
o Option B: Reverse engineering malware code (Can be a part of analysis, but not the sole purpose of sandboxing)
o Option C: Classifying malware based on behavior (Can be done in a sandbox, but not the main purpose)
o Option D: Creating malware signatures (Sandboxing is used for analysis, signatures are created based on analysis)
Question: What is the primary purpose of virtual memory in computer systems?
o Option A: To increase the size of physical RAM (Not the primary purpose)
o Option B: To provide a larger address space than physical memory (Correct)
o Option C: To speed up the processing of data (Can be a secondary benefit)
o Option D: To reduce the need for secondary storage devices (Not the main function)
Question: Which of the following techniques is commonly used for implementing virtual memory?
o Option A: Direct memory access (DMA) (Not directly related to virtual memory)
o Option B: Segmentation (An older memory management technique, not common in modern systems)
o Option C: Interrupt handling (Important for system operation, but not the core of virtual memory)
o Option D: Paging (Correct) (This is the dominant technique used for virtual memory)
Question: A malware process hides itself by injecting code into a legitimate system process. What is this technique called?
o Option A: Process hollowing (Correct)
o Option B: Rootkit injection (Rootkits can hide processes, but process hollowing injects code)
o Option C: DLL injection (Injects a DLL, not directly code into a process)
o Option D: Polymorphism (Changes the malware's code itself, not injection)
Question: What type of malware manipulates the master boot record (MBR) to execute before the operating system loads?
o Option A: Boot sector virus (Correct)
o Option B: Logic bomb (Triggers based on conditions, not MBR manipulation)
o Option C: Ransomware (Encrypts files, doesn't target MBR)
o Option D: Keylogger (Records keystrokes, not MBR manipulation)
Question: What is the primary purpose of window hooking malware?
o Option A: To enhance the visual appearance of the Windows interface (Not the intended function)
o Option B: To intercept system events and manipulate user input (Correct)
o Option C: To increase system security by monitoring background processes (Can be a secondary effect, but not the main goal)
o Option D: To optimize system performance by managing memory allocation (Not the primary function)
Question: Which of the following statements best describes how window hooking malware operates?
o Option A: It installs additional windows on the desktop for multitasking (Not the functionality)
o Option B: It modifies system files to change the appearance of windows (Possible side effect, but not the core operation)
o Option C: It intercepts system messages to monitor or alter user input and behavior. (Correct)
o Option D: It creates shortcuts to frequently used applications on the desktop (Not the functionality)
Question: Which technique is NOT associated with Hollow Hooking?
o Option A: Process injection (Process injection is used to deliver the payload for hollowing)
o Option B: Process Hollowing (This is the technique itself)
o Option C: DLL injection (Can be a technique used for hollowing)
o Option D: Network Packet analysis (Correct) (Not directly related to process hollowing)
Question: What is the primary purpose of hollow hooking?
o Option A: To modify the behavior of an existing application (Correct)
o Option B: To create a new process from scratch (Not the function of hollowing)
o Option C: To inject malicious code into a process (Can be the purpose, but hollowing specifically targets a process's memory)
o Option D: Both a and c (Correct) (Both modifying behavior and injecting code are goals)
Question: Which of the following is not a common functionality of malware?
o Option A: Anti Virus protection (Correct) (Antivirus is designed to protect against malware, not be a malware function)
o Option B: Keylogging
o Option C: Denial of Service
o Option D: Worm
Question: Which of the following malware functionalities replicates itself to spread to other devices?
o Option A: Worm (Correct)
o Option B: Python (Python is a programming language, not a specific malware type)
o Option C: Rootkit (Rootkits focus on stealth, not self-replication)
o Option D: Trojan (Trojans are used to deceive users, not self-replicate)
Question: When the legitimate application's thread encounters the call to __DeleteFileA(), what function will it likely call to perform the actual file deletion?
o Option A: CleanFileA() (This doesn't sound like a standard function for deletion)
o Option B: CopyFileA() (This is for copying files, not deleting)
o Option C: MoveFileA() (This is for moving files, not deleting)
o Option D: DeleteFileA() (Correct) (This is the standard Windows API function for deleting files)
Question: In the Kernel I/O Subsystem, a _____ is a buffer that holds jobs for a device until it is ready to take them.
o Option A: Buffering (Correct)
o Option B: Caching (Caching stores frequently accessed data, not job queues)
o Option C: Spooling (This is a term used for buffering print jobs)
o Option D: Scheduling (Scheduling is a broader concept, spooling is a specific type of buffer)
Question: The hardware allows privileged instructions to be executed only in ___ mode.
o Option A: Kernel (Correct)
o Option B: User (User mode is for unprivileged applications)
o Option C: Virtual (Virtual mode is a memory management concept, not a privilege level)
o Option D: I/O mode (I/O mode is related to device communication, not privilege levels)
Question: Which of the following is a technique used to intercept and manipulate function calls in a target process on a 32-bit Windows system?
o Option A: IAT hooking (This is the correct answer)
o Option B: EAT hooking (EAT hooking is not relevant for 32-bit Windows)
o Option C: SSDT hooking (SSDT hooking is less common than IAT hooking)
o Option D: API hooking (API hooking is a general term, IAT hooking is a specific technique)
Question: Which of the following is a technique used to intercept and manipulate function calls in a target process?
o Option A: API hooking (This is a general term that encompasses various techniques)
o Option B: EAT hooking (This is a technique used on specific systems)
o Option C: SSDT hooking (This is another technique for function call manipulation)
o Option D: Code Injection (Code injection can be used for various purposes, including API hooking)
Question: In the Linux operating system, when the clone() function is invoked, it is passed a set of flags that determine how much sharing is to take place between the parent and child task. What are the other similar functions that can be used for creating child processes?
o Option A: fork() (This is another common function for creating child processes)
o Option B: pthread() (This is used for creating threads, not separate processes)
o Option C: thread() (This is not a standard system call for creating processes or threads)
o Option D: All of the above (Both fork() and clone() can create child processes)
Question: An attacker can achieve persistence for their malicious DLL by setting the ____ value in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
o Option A: (Correct) (This registry key specifies DLLs to load at startup)
o Option B: ResN32.dll (This is not a relevant value for persistence)
o Option C: userint.exe (This is an executable file, not a registry value)
Question: DLLs are loaded into the process memory by calling the _____ API?
o Option A: LoadLibrary() (Correct) (This is the standard Windows API for loading DLLs)
o Option B: CreateRemoteThread() (This is for creating threads, not loading DLLs)
o Option C: QueueUserAPC() (This is for asynchronous procedure calls, not DLL loading)
o Option D: OpenProcess() (This is for opening processes, not specifically DLL loading)
Question: How does COM hijacking allow malware to persist?
o Option A: By encrypting system files (Not the functionality of COM hijacking)
o Option B: By disabling antivirus software (Possible side effect, but not the main purpose)
o Option C: By deleting a system registry key (Not the intended outcome)
o Option D: By associating a legitimate COM object with a malicious DLL (Correct) (Malware replaces the legitimate DLL with its own)
Question: What is the purpose of COM hijacking?
o Option A: Modify registry entries (This is how COM hijacking achieves persistence)
o Option B: Improve network security (Not the intended functionality)
o Option C: Enhance system performance (Not the intended functionality)
o Option D: Manage file permissions (Not directly related to COM hijacking)