




























































































A practice exam for the MRE Certified Reverse Engineer certification. It includes 26 multiple-choice questions covering various topics in reverse engineering, such as x86-64 architecture, PE file structure, Windows API usage, anti-debugging techniques, and disassembly tools like IDA Pro and Ghidra. Each question is followed by a detailed explanation of the correct answer, making it a valuable resource for students and professionals preparing for the certification or seeking to enhance their reverse engineering skills. The exam covers essential concepts and tools used in malware analysis and software reverse engineering, offering practical insights into the field. It serves as a useful tool for self-assessment and knowledge reinforcement.
Typology: Exams
Question 1. Which register in the x86-64 architecture is conventionally used to pass the first integer argument to a function?
A) RAX
B) RBX
C) RCX
D) RDI
Answer: D
Explanation: In the Microsoft x64 calling convention, the first integer or pointer argument is passed in RDI.

Question 2. In a PE file, the ".text" section typically contains:
A) Imported function names
B) Executable code
C) Resource data
D) Debug symbols
Answer: B
Explanation: The .text section stores the program's executable instructions.

Question 3. Which Windows API is most commonly used by malware to create or modify registry keys for persistence?
A) CreateFileW
B) RegSetValueExA
C) VirtualAllocEx
D) SendMessageW
Answer: B
Explanation: RegSetValueEx (or RegCreateKey) writes values to the registry, a typical persistence method.

Question 4. The technique of inserting meaningless instructions to confuse disassemblers is called:
A) Packing
B) Junk code insertion
C) API hooking
D) Process hollowing
Answer: B
Explanation: Junk code (or NOP sleds) adds irrelevant instructions that hinder static analysis.

Question 5. Which of the following is a hardware breakpoint type?
A) Break on execution of a specific instruction address
B) Break when a memory location is read or written
C) Break after a specified number of instructions

Explanation: RegMon monitors registry reads/writes; its functionality is now integrated into Process Monitor.

Question 8. In IDA Pro, the shortcut "Ctrl-F" is used to:
A) Open the function window
B) Search for a string in the binary
C) Find a specific instruction address
D) Open the "Find Text" dialog for any text
Answer: D
Explanation: Ctrl-F opens the generic text search dialog.

Question 9. Which of the following is an indicator that a binary is packed with UPX?
A) Presence of "UPX0" and "UPX1" sections
B) High entropy in the .data section only
C) Imports only from kernel32.dll
D) A .reloc section larger than 10 KB
Answer: A
Explanation: UPX creates sections named UPX0, UPX1, etc., to store compressed code.

Question 10. The Windows API function "CheckRemoteDebuggerPresent" is used to:
A) Detect if the process is being debugged locally
B) Detect if another process is being debugged
C) Hide a process from the debugger
D) Disable all breakpoints in the process
Answer: B
Explanation: CheckRemoteDebuggerPresent checks whether a specified process has a debugger attached.

Question 11. Which memory region typically stores the stack for a newly created thread in Windows?
A) .bss
B) .data
C) The region pointed to by the ESP/RSP register
D) The heap segment
Answer: C
Explanation: The stack pointer registers (ESP/RSP) point to the current stack area.

Question 12. In Ghidra, the "Symbol Tree" view primarily displays:
A) All imported functions only

C) Access the system registry
D) Modify file permissions
Answer: B
Explanation: NtQuerySystemInformation with SystemProcessInformation returns details about running processes.

Question 15. Which of the following best describes "control-flow flattening"?
A) Converting all jumps to indirect calls through a dispatcher loop
B) Encrypting string literals in the binary
C) Removing all function boundaries
D) Packing the executable with a custom compressor
Answer: A
Explanation: Flattening replaces structured control flow with a dispatcher that decides the next block, obscuring the original flow.

Question 16. A debugger that sets a "software breakpoint" typically does this by:
A) Modifying the target's memory to insert an INT 3 (0xCC) opcode
B) Using CPU debug registers
C) Pausing the VM hypervisor
D) Changing the process priority class
Answer: A
Explanation: Software breakpoints replace the target instruction with INT 3, causing a trap when executed.

Question 17. Which PE header field indicates the preferred load address of the image?
A) SizeOfHeaders
B) ImageBase
C) SectionAlignment
D) FileAlignment
Answer: B
Explanation: ImageBase specifies the virtual address where the loader prefers to map the image.

Question 18. The Windows API "VirtualProtect" is commonly abused by malware to:
A) Allocate new threads
B) Change memory protection to executable for injected code
C) Enumerate network adapters
D) Delete files securely
Answer: B

Question 21. A "process hollowing" technique involves:
A) Replacing the entry point of a legitimate process with malicious code after the process is created
B) Injecting shellcode into a paused thread of another process
C) Creating a new process and terminating it immediately
D) Using a driver to hide a process from the task manager
Answer: A
Explanation: Process hollowing creates a legitimate process, unmaps its memory, and maps malicious code in its place.

Question 22. Which Ghidra feature allows automatic generation of C-like pseudocode from disassembled functions?
A) Decompiler
B) Data Type Manager
C) Script Manager
D) Symbol Table
Answer: A
Explanation: Ghidra's Decompiler translates assembly into high-level pseudocode.

Question 23. The Windows API "CreateRemoteThread" is primarily used for:
A) Launching a new process on a remote machine
B) Injecting code into another process on the same system
C) Establishing a network socket
D) Enumerating services on a remote host
Answer: B
Explanation: CreateRemoteThread creates a thread in the address space of another process, facilitating code injection.

Question 24. Which of the following is a reliable method to detect the presence of a debugger using timing checks?
A) Measuring the duration of GetTickCount between two points
B) Checking the value of the EIP register
C) Reading the PEB's BeingDebugged flag
D) Scanning for a debugger's window title
Answer: A
Explanation: Debuggers introduce latency; measuring elapsed time with GetTickCount or RDTSC can reveal abnormal delays.

Question 25. In the PE format, the "Data Directory" entry for "Resource" points to:
A) The .rsrc section containing icons, dialogs, etc.
B) The import table of the executable
C) The export table of the DLL

Explanation: BeingDebugged is a Boolean flag set by the OS when a debugger is attached.

Question 28. Which of the following is an effective way to bypass simple anti-VM checks that look for known virtual hardware IDs?
A) Rename the binary file
B) Modify the registry key "HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation"
C) Use a sandbox that spoofs hardware identifiers
D) Disable Windows Defender
Answer: C
Explanation: Spoofing hardware IDs in a sandbox prevents malware from detecting known VM signatures.

Question 29. In x86-64, the "RIP-relative" addressing mode is used to:
A) Access memory locations relative to the instruction pointer
B) Perform indirect jumps via a register
C) Store immediate values larger than 32 bits
D) Switch between 32-bit and 64-bit mode
Answer: A
Explanation: RIP-relative addressing allows position-independent code to reference data using the current instruction pointer.

Question 30. Which of the following tools is specifically designed for memory forensics on Windows crash dumps?
A) Volatility
B) Process Monitor
C) Wireshark
D) OllyDbg
Answer: A
Explanation: Volatility parses memory images and crash dumps to extract processes, DLLs, and hidden data.

Question 31. The "Export Directory" in a PE file contains:
A) A list of functions that the executable imports from other modules
B) A list of functions that the module makes available to other modules
C) The locations of all string literals
D) The entry point of the program
Answer: B
Explanation: Export Directory enumerates functions that the PE exposes for external use.

Question 32. Which Windows API call can be used by malware to hide a file by setting its attributes to "hidden" and "system"?

C) It requires administrative rights to install a driver
D) It modifies the Master Boot Record (MBR)
Answer: B
Explanation: File-less malware avoids writing files, often leveraging in-memory execution and scripting.

Question 35. The Windows API "NtUnmapViewOfSection" is commonly used in which technique?
A) Process hollowing
B) DLL injection via LoadLibrary
C) Creating a new thread
D) Enumerating services
Answer: A
Explanation: NtUnmapViewOfSection removes the original code section of a process, a step in process hollowing.

Question 36. Which of the following best describes the purpose of a "Control Flow Graph" (CFG) in static analysis?
A) To list all imported DLLs
B) To visualize possible execution paths between basic blocks
C) To display raw hexadecimal data
D) To enumerate registry keys accessed by the binary
Answer: B
Explanation: A CFG shows how basic blocks are connected, helping analysts understand program logic.

Question 37. When analyzing a binary with IDA Pro, the "F5" key is used to:
A) Open the function window
B) Switch to the graph view of a function
C) Rename a symbol
D) Start a debugging session
Answer: B
Explanation: F5 toggles the graph view, which displays the control flow of the selected function.

Question 38. Which of the following is an example of a "network indicator of compromise" (IOC) for malware?
A) A specific registry key path
B) A unique process name
C) A hard-coded C2 IP address or domain
D) A particular file hash
Answer: C
Explanation: Network IOCs include IP addresses, domains, or URLs used for command-and-control communication.

A) Measure the randomness of a section's data, indicating compression or encryption
B) Determine the number of exported functions
C) Calculate the size of the import table
D) Identify the type of CPU architecture
Answer: A
Explanation: High entropy suggests that data is compressed or encrypted, typical of packed sections.

Question 42. Which of the following techniques is most effective against "inline hook" detection by anti-debuggers?
A) Using a kernel-mode driver to hide breakpoints
B) Modifying the original function prologue after the hook is placed
C) Setting a hardware breakpoint on the hook routine
D) Disabling all system breakpoints via the registry
Answer: B
Explanation: Restoring the original prologue after the hook reduces the chance of detection.

Question 43. The Windows API "SetUnhandledExceptionFilter" can be abused to:
A) Hide a process from Task Manager
B) Implement a custom crash handler that executes malicious code
C) Enumerate all open network sockets
D) Change file permissions on protected files
Answer: B
Explanation: By installing a custom exception filter, malware can execute code when an exception occurs.

Question 44. Which of the following statements about "DLL side-loading" is true?
A) It requires modifying the system registry to point to a malicious DLL
B) It exploits the way Windows searches for DLLs in the application directory before system directories
C) It only works on 64-bit processes
D) It is detected by checking the file's digital signature
Answer: B
Explanation: Side-loading places a malicious DLL with the same name as a legitimate one in the same folder as the executable.

Question 45. In a typical sandbox environment, which of the following artifacts would indicate that the malware has detected the sandbox?
A) Creation of a file named "sandbox_detected.txt"
B) Immediate termination after checking for known virtualization drivers