This exam validates expertise in reverse engineering software and binaries. Topics include assembly analysis, debugging, static and dynamic analysis, unpacking, and behavior reconstruction. Candidates are tested on their ability to analyze unknown or malicious software at a technical level.
Question 1. Which PE header field specifies the address of the entry point relative to the image base?
A) SizeOfHeaders
B) AddressOfEntryPoint
C) ImageBase
D) SectionAlignment
Answer: B
Explanation: The AddressOfEntryPoint field in the Optional Header holds the RVA of the program’s entry point relative to the ImageBase.

Question 2. In a 64‑bit PE file, which data directory entry contains the import table?
A) Export Table
B) Import Table
C) Resource Table
D) TLS Table
Answer: B
Explanation: The second entry in the DataDirectory array is the Import Table, which points to the Import Directory.

Question 3. Which of the following sections typically holds embedded icons in a Windows executable?
A) .text
B) .data
C) .rsrc
D) .reloc
Answer: C
Explanation: The .rsrc (resource) section stores icons, dialogs, version info, and other resources.

Question 4. When analyzing strings, which regular expression would correctly match an IPv4 address?
A) \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
B) [0-9]{4}\.[0-9]{4}\.[0-9]{4}\.[0-9]{4}
C) \w+\.\w+\.\w+\.\w+
D) \bIP:\s*\d+\.\d+\.\d+\.\d+\b
Answer: A
Explanation: \d{1,3} matches 1‑3 digits, repeated four times with dots, which is the standard pattern for IPv4.

Question 5. In x86‑64, which register holds the return address after a CALL instruction?
A) RAX
B) RBX
C) RSP
D) RIP
Answer: D
Explanation: The RIP (Instruction Pointer) automatically points to the next instruction, which after a CALL is the return address.

Question 6. Which flag is cleared when a subtraction results in a borrow (i.e., the result is less than zero) in x86?
A) ZF
B) SF
C) CF
Answer: C
Explanation: JNZ (Jump if Not Zero) branches when the Zero Flag (ZF) is cleared.

Question 10. What does the CFG node representing a “switch” statement typically consist of in disassembly?
A) A series of unconditional jumps
B) A jump table accessed via an indexed indirect jump
C) Nested CALL instructions
D) A single RET instruction
Answer: B
Explanation: Compilers generate a jump table and use an indirect jump (e.g., jmp [table + eax*4]) to implement a switch.

Question 11. Which Windows API is used by malware to check if it is being debugged?
A) GetProcessId
B) IsDebuggerPresent
C) CreateFileA
D) VirtualAllocEx
Answer: B
Explanation: IsDebuggerPresent returns a non‑zero value when the calling process is being debugged.

Question 12. Which instruction sequence is a classic anti‑debugging trick that uses the int 2Dh interrupt?
A) int 3
B) int 2Dh
C) int 80h
D) int 0
Answer: B
Explanation: int 2Dh is undocumented and can be used to detect debuggers that hook this interrupt.

Question 13. In WinDbg, which command displays the current call stack?
A) dt
B) kv
C) k
D) lm
Answer: C
Explanation: The k command (or variants like kv) shows the stack trace of the current thread.

Question 14. Which memory region is most likely to contain unpacked code after a custom packer runs?
A) .bss
B) .rdata
C) Heap allocation returned by VirtualAlloc
D) .text (original)
Answer: C
Explanation: Packers often allocate executable memory on the heap (via VirtualAlloc) and write the decrypted code there.
Explanation: At runtime, the IAT entry is overwritten with the absolute address of the imported function.

Question 18. Which PE characteristic bit indicates that the image can be run on a 64‑bit OS?
A) IMAGE_FILE_DLL
B) IMAGE_FILE_EXECUTABLE_IMAGE
C) IMAGE_FILE_LARGE_ADDRESS_AWARE
D) IMAGE_FILE_MACHINE_AMD
Answer: D
Explanation: IMAGE_FILE_MACHINE_AMD64 (0x8664) specifies the file is built for x architecture.

Question 19. Which of the following is a typical persistence mechanism used by Windows malware?
A) Creating a temporary file in %TEMP%
B) Adding a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C) Opening a socket to a remote server
D) Using SetThreadPriority
Answer: B
Explanation: Adding a value to the Run registry key causes the malware to launch on user logon.

Question 20. Which API is commonly used by malware to create a scheduled task for persistence?
A) CreateProcessA
B) CreateServiceA
C) ITaskScheduler::CreateTask
D) RegCreateKeyEx
Answer: C
Explanation: The ITaskScheduler COM interface (or its newer counterpart) is used to create scheduled tasks.

Question 21. What does the RDTSC instruction measure that can be used for anti‑debug timing checks?
A) Number of cache misses
B) CPU core temperature
C) Time‑Stamp Counter (CPU cycles)
D) Number of page faults
Answer: C
Explanation: RDTSC reads the processor’s Time‑Stamp Counter, which can be compared to expected values to detect delays introduced by debuggers.

Question 22. Which virtual machine artifact is frequently checked by malware to detect a sandbox?
A) Presence of the file C:\windows\system32\drivers\VBoxMouse.sys
B) Existence of the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
C) Number of logical processors
D) System uptime greater than 5 minutes
Answer: A
Explanation: VirtualBox installs drivers like VBoxMouse.sys; malware can check for these to infer a VM environment.

Question 23. Which of the following is a reliable indicator that a binary has been packed with UPX?
A) Section name “UPX0”
Question 26. Which of the following is NOT a typical characteristic of a “junk” instruction used for obfuscation?
A) NOP (0x90)
B) add eax, 0
C) jmp 0x0
D) xor eax, eax followed by a dead store
Answer: C
Explanation: jmp 0x0 would cause an infinite loop; junk instructions are usually harmless, like NOPs or dead arithmetic.

Question 27. Which Windows API can be used by malware to hide its window from the taskbar?
A) ShowWindow
B) SetWindowLongPtr with GWL_EXSTYLE and WS_EX_TOOLWINDOW
C) DeleteFile
D) SetFileAttributes
Answer: B
Explanation: Setting the WS_EX_TOOLWINDOW extended style removes the window from the taskbar.

Question 28. In a PE file, which directory entry provides information needed for exception handling on x64?
A) Load Config Table
B) Exception Table
C) Base Relocation Table
D) Debug Directory
Answer: B
Explanation: The Exception Table (also known as the unwind information) is required for stack unwinding on x64.

Question 29. Which WinAPI function can be used to enumerate all loaded modules of the current process?
A) GetModuleHandleA
B) EnumProcessModules
C) LoadLibraryA
D) VirtualQueryEx
Answer: B
Explanation: EnumProcessModules returns handles to all modules loaded in the target process.

Question 30. Which of the following is a common technique for encrypting strings in a malware sample?
A) Base64 encoding only
B) XOR with a static key stored in the .rdata section
C) Storing strings in clear text inside .text
D) Using Unicode literals without any transformation
Answer: B
Explanation: XORing strings with a static key that is later decoded at runtime is a prevalent lightweight obfuscation method.

Question 31. When using x64dbg, which shortcut key opens the “Memory Map” view?
A) Ctrl+M
B) Alt+M
C) F
C) HKLM\Software\Microsoft\Windows\CurrentVersion\Run
D) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Answer: C
Explanation: HKLM\…\Run runs for all users, including the system account, making it a frequent persistence point.

Question 35. Which command-line tool can be used to view the export table of a PE file?
A) dumpbin /exports
B) netstat
C) ipconfig
D) sigcheck
Answer: A
Explanation: dumpbin /exports (from Visual Studio) lists the exported functions of a PE file.

Question 36. Which of the following is the most reliable way to locate the Original Entry Point (OEP) of a packed binary?
A) Search for the string “OEP” in the file
B) Set a breakpoint on VirtualAlloc and trace subsequent execution
C) Look for the first jmp instruction in the .text section
D) Examine the PE header’s AddressOfEntryPoint field directly
Answer: B
Explanation: Packers often allocate memory with VirtualAlloc and then jump to the decrypted code; breaking on this call helps locate the OEP.

Question 37. Which of the following is a typical symptom of a “heap spray” technique used by exploit‑delivery malware?
A) Large number of threads created
B) Excessive allocation of memory blocks containing NOP sleds
C) Frequent writes to the registry
D) Creation of multiple scheduled tasks
Answer: B
Explanation: Heap spraying allocates many blocks filled with NOP sleds or shellcode to increase exploit reliability.

Question 38. Which Windows API can be used to retrieve the current process’s command line arguments without calling GetCommandLine?
A) NtQueryInformationProcess
B) GetEnvironmentVariable
C) RtlGetCurrentPeb
D) GetCurrentProcessId
Answer: C
Explanation: RtlGetCurrentPeb (via ntdll) provides a pointer to the Process Environment Block, which contains the command line.

Question 39. Which of the following is a common method for malware to hide its network traffic from simple packet captures?
A) Using UDP instead of TCP
B) Encrypting payloads with custom symmetric keys
C) Sending data over port 80 only
D) Using IPv6 exclusively
Answer: B
Explanation: Encrypting C2 communications makes it difficult for tools like Wireshark to interpret the data.
Explanation: IDA Pro can display a CFG in its Graph view, showing basic blocks and branches.

Question 43. Which instruction is typically used to align the stack pointer before calling a function that expects 16‑byte alignment on x64?
A) sub rsp, 0x
B) add rsp, 0x
C) and rsp, 0xFFFFFFFFFFFFFFF
D) push rbp
Answer: C
Explanation: and rsp, 0xFFFFFFFFFFFFFFF0 clears the low 4 bits, aligning the stack to a 16‑byte boundary.

Question 44. Which of the following is a legitimate reason for a malware sample to use the CreateMutex API?
A) To encrypt files on disk
B) To ensure only a single instance runs at a time
C) To communicate with a remote C2 server
D) To bypass DEP (Data Execution Prevention)
Answer: B
Explanation: CreateMutex can be used to enforce a single‑instance policy, a common technique among malware.

Question 45. Which of the following PE sections is most likely to contain the relocation table?
A) .reloc
B) .data
C) .rsrc
D) .text
Answer: A
Explanation: The .reloc section holds base‑relocation entries used when the image is loaded at a non‑preferred address.

Question 46. Which of the following is a characteristic of a “code cave” in a PE file?
A) A section with zero entropy
B) Unused space within an existing section that can hold additional code
C) A dedicated .cav section created by the compiler
D) The entry point of the executable
Answer: B
Explanation: A code cave is unused bytes (often zeroes) inside a section where extra instructions can be injected.

Question 47. Which Windows API can be used to retrieve the list of active network adapters, often checked by anti‑VM code?
A) GetAdaptersInfo
B) GetComputerNameA
C) GetSystemMetrics
D) GetUserNameA
Answer: A
Explanation: GetAdaptersInfo returns network adapter details such as MAC addresses, which malware may inspect.

Question 48. In a packed PE, which of the following is the most common indicator of a stub that restores the original imports?
A) Calls to LoadLibraryA followed by GetProcAddress in a tight loop
Question 51. Which of the following commands in WinDbg will display the current value of the EIP/RIP register?
A) r eip
B) ebp
C) dd esp
D) lm
Answer: A
Explanation: The r command followed by a register name (e.g., r eip or r rip) shows its current value.

Question 52. Which of the following is the most common way for malware to achieve persistence via WMI event consumers?
A) Creating a new WMI class that runs a script on startup
B) Modifying the Windows Firewall rules
C) Adding a value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
D) Using the schtasks command
Answer: A
Explanation: Malware can register a WMI Event Consumer that executes a script or command when a specific event occurs.

Question 53. Which of the following is a typical sign that a binary is using the “Import Address Table hooking” technique?
A) The IAT entries point to addresses inside ntdll.dll.
B) The IAT entries contain addresses in the .text section that are not exported functions.
C) The binary has no import table.
D) The PE header’s NumberOfRvaAndSizes field is zero.
Answer: B
Explanation: Hooking replaces IAT entries with pointers to malicious code located in the binary’s own sections.

Question 54. Which of the following is a legitimate purpose for using the VirtualProtect API in malware?
A) To change the file’s creation timestamp
B) To modify memory protection so that injected shellcode can be executed
C) To disable the Windows Event Log service
D) To encrypt the registry hive
Answer: B
Explanation: VirtualProtect can set a region’s protection to PAGE_EXECUTE_READWRITE, enabling execution of injected code.

Question 55. Which of the following PE optional header fields indicates whether the image supports ASLR?
A) DllCharacteristics – IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
B) SizeOfImage
C) MajorSubsystemVersion
D) BaseOfCode
Answer: A
Explanation: The IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag signals that the image is ASLR‑compatible.

Question 56. Which of the following is the most common way for a malware sample to hide its strings from static analysis tools?
A) Storing them in the .rsrc section as plain text
B) Encrypting them with a custom algorithm and decrypting at runtime
C) Using Unicode encoding without any transformation