This certification validates advanced exploit development capabilities focused on modern Windows environments. The exam covers vulnerability research, reverse engineering, shellcode development, bypassing mitigations such as DEP and ASLR, and exploit reliability. Candidates are assessed on their ability to build custom exploits and demonstrate deep technical mastery of low-level system behavior.
Typology: Exams
Question 1. Which WinDbg command displays the current stack trace with function arguments?
A) kb
B) !address
C) .exr
D) .process
Answer: A
Explanation: The kb command prints a stack backtrace with parameters for each frame, useful for understanding call flow.

Question 2. In x86 protected mode, which register holds the address of the next instruction to be executed?
A) EAX
B) ESP
C) EBP
D) EIP
Answer: D
Explanation: EIP (Instruction Pointer) always points to the next instruction to fetch and decode.

Question 3. What is the purpose of the pseudo-register @esp in WinDbg?
A) Shows the value of the stack pointer for the current thread
B) Displays the current environment block
C) Lists all loaded modules
D) Shows the value of the exception code
Answer: A
Explanation: @esp is a WinDbg pseudo-register that reflects the current thread’s stack pointer value.

Question 4. Which of the following x86 instructions is typically used as a “pop-pop-ret” (PPR) gadget in SEH exploits?
A) pop eax; pop ebx; ret
B) pop esi; pop edi; ret
C) pop ebp; pop ebx; ret
D) pop ecx; pop edx; ret
Answer: C
Explanation: The sequence pop ebp; pop ebx; ret discards two stack values and returns, matching the classic PPR pattern.

Question 5. In the SEH chain, what does the Next field of an _EXCEPTION_REGISTRATION_RECORD point to?
A) The saved EIP of the handler
B) The previous exception registration record
C) The address of the exception dispatcher
D) The size of the stack frame
Answer: B
Explanation: The Next pointer links to the previous (earlier) registration record, forming a linked list.

Question 6. Which Windows API function is commonly used to retrieve the address of LoadLibraryA when writing a manual shellcode resolver?
A) GetProcAddress
B) VirtualAlloc
Question 9. When creating NULL-free shellcode, which register is typically used to store the address of kernel32.dll without containing a zero byte?
A) EAX
B) ECX
C) EDX
D) EBX
Answer: C
Explanation: EDX is often chosen because its value can be built using arithmetic that avoids zero bytes, keeping the shellcode NULL-free.

Question 10. In IDA Pro, which view allows you to see the cross-references to a specific function?
A) Disassembly view
B) Hex view
C) Names window
D) Graph view
Answer: C
Explanation: The Names window (or the Cross-References (Xref) feature) lists all places where a function is referenced.

Question 11. Which of the following is a common technique to defeat DEP without using ROP?
A) Overwrite the SEH chain
B) Use a stack pivot gadget
C) Inject a reflective DLL that uses VirtualAlloc with PAGE_EXECUTE_READWRITE
D) Exploit a format string to write over the return address
Answer: C
Explanation: Reflective DLL injection can allocate executable memory via VirtualAlloc, allowing code execution despite DEP.

Question 12. What does the !heap -s command display in WinDbg?
A) Summary of all heap allocations for the process
B) Stack trace of the last exception
C) List of loaded modules with their base addresses
D) Current CPU registers
Answer: A
Explanation: !heap -s provides a summary of heap usage, including allocation sizes and free blocks.

Question 13. Which Windows mitigation makes the address of kernel32.dll unpredictable across processes?
A) DEP
B) ASLR
C) SafeSEH
D) CFG
Answer: B
Explanation: Address Space Layout Randomization (ASLR) randomizes the base addresses of modules like kernel32.dll.

Question 14. In a ROP chain, which gadget is typically used to set up the ECX register with the value of PAGE_EXECUTE_READWRITE?
A) pop ecx; ret
Question 17. Which of the following registers is NOT a general-purpose register in x86?
A) ESI
B) EDI
C) EIP
D) EBX
Answer: C
Explanation: EIP is the instruction pointer, not a general-purpose register.

Question 18. When using WinDbg’s !exploitable extension, what does a result of BAD indicate?
A) The crash is non-exploitable due to missing control of EIP
B) The crash is likely exploitable
C) The process is running under a debugger
D) The exception code is unknown
Answer: B
Explanation: !exploitable classifies crashes; BAD means the crash is likely exploitable.

Question 19. Which calling convention passes arguments on the stack and cleans the stack by the callee?
A) __stdcall
B) __cdecl
C) __fastcall
D) __thiscall
Answer: A
Explanation: __stdcall pushes arguments right-to-left and the callee uses ret

Question 20. In a Windows SEH overwrite, which instruction must be placed immediately after the overwritten nseh value to trigger the handler?
A) push ebp
B) add esp, 0x
C) jmp [esp]
D) nop
Answer: C
Explanation: Overwriting nseh with a pointer to jmp [esp] (or similar) redirects execution to the controlled seh record.

Question 21. What is the effect of the !runaway command in WinDbg?
A) Shows a list of threads with high CPU usage
B) Displays the call stack of the current thread in reverse order
C) Prints memory regions that have not been freed
D) Identifies functions with unusually deep recursion
Answer: B
Explanation: !runaway prints the call stack from the deepest frame to the top, useful for spotting runaway recursion.

Question 22. Which of these is a non-ASLR module commonly found on Windows 7 that can be used for ROP?
A) ntdll.dll
B) kernel32.dll
C) user32.dll
D) advapi32.dll
B) To leak a stack canary or address for ASLR bypass
C) To overwrite the return address directly
D) To trigger a DEP violation
Answer: B
Explanation: ReadProcessMemory can be used to read memory from the target, leaking values needed to defeat ASLR.

Question 26. In WinDbg, what does the .exr -1 command display?
A) The most recent exception record
B) All active threads
C) The loaded modules list
D) The current stack pointer value
Answer: A
Explanation: .exr -1 prints the last exception record generated by the debuggee.

Question 27. Which of the following is NOT a typical step in creating a position-independent shellcode?
A) Using relative addressing (e.g., call/pop) to get the current EIP
B) Hard-coding absolute addresses of API functions
C) Avoiding null bytes in the payload
D) Resolving imports at runtime
Answer: B
Explanation: Hard-coding absolute addresses defeats position independence; shellcode must discover addresses at runtime.

Question 28. What does the SafeSEH mitigation protect against?
A) Overwrites of the SEH chain with invalid handler addresses
B) Execution of code on non-executable memory
C) Randomization of module base addresses
D) Stack buffer overflows in kernel mode
Answer: A
Explanation: SafeSEH ensures that only registered exception handlers can be used, preventing arbitrary SEH overwrites.

Question 29. In a ROP chain that calls VirtualProtect, which registers must contain specific values before the call?
A) EAX = address, ECX = size, EDX = new protection, EBX = old protection
B) EAX = pointer to VirtualProtect, EBX = lpAddress, ECX = dwSize, EDX = flNewProtect, ESI = lpflOldProtect, EDI = return address
C) EAX = return address, ECX = flNewProtect, EDX = lpAddress, EBX = dwSize
D) EAX = lpflOldProtect, EBX = flNewProtect, ECX = lpAddress, EDX = dwSize
Answer: B
Explanation: The calling convention for VirtualProtect (__stdcall) expects arguments on the stack; the typical ROP setup loads the function pointer into EAX and pushes arguments in reverse order.

Question 30. Which WinDbg command can be used to set a hardware breakpoint on a specific memory address?
A) bp
B) ba w
C) ebp
D) sxe ld
Answer: B
C) It is always less than 20 bytes in size
D) It requires a separate loader to execute
Answer: B
Explanation: Null-byte free shellcode avoids the 0x00 byte, which often terminates string processing functions.

Question 34. What is the primary purpose of the !process extension in WinDbg?
A) List all loaded drivers
B) Show the current process and its threads
C) Display the contents of the registry
D) Dump the current heap
Answer: B
Explanation: !process provides information about processes, their IDs, and associated threads.

Question 35. In the context of Windows exploits, what does ROP-NOP refer to?
A) A gadget that performs xor eax, eax; ret to zero a register
B) A sequence of gadgets that effectively act as a no-operation, allowing alignment
C) A special instruction that disables DEP
D) A technique to overwrite the SEH chain with a nop sled
Answer: B
Explanation: ROP-NOP gadgets (e.g., add esp, 4; ret) allow the attacker to adjust stack alignment without affecting program flow.

Question 36. Which of the following is true about the PEB (Process Environment Block) on Windows x86?
A) It is stored at a fixed address for all processes
B) It contains a pointer to the TEB (Thread Environment Block)
C) It is accessible via the FS segment register at offset 0x
D) It holds the list of loaded kernel drivers
Answer: C
Explanation: The PEB can be accessed via fs:[0x30] in a 32-bit process.

Question 37. When using a format string to write an arbitrary value, which specifier combination is commonly used?
A) %x %x %x %n
B) %p %p %n %s
C) %hn %hn %hn %hn
D) %08x %08x %n
Answer: C
Explanation: %hn writes a 2-byte half-word; chaining several %hn allows precise overwriting of a 4-byte address.

Question 38. Which IDA Pro feature allows you to automatically rename functions based on known signatures?
A) FLIRT signatures
B) Hex-Rays decompiler
C) Graph view
D) String literals window
Answer: A
Explanation: FLIRT (Fast Library Identification and Recognition Technology) matches known library functions and renames them.
Answer: C
Explanation: The call instruction pushes the address of the next instruction (EIP) onto the stack; it is not stored in a register.

Question 42. In the context of Windows exploit development, what is a gadget?
A) A small piece of legitimate code ending with ret that can be chained together
B) An external library loaded at runtime
C) A kernel driver used for privilege escalation
D) A debugging breakpoint that logs registers
Answer: A
Explanation: Gadgets are short instruction sequences ending in ret, used to build ROP chains.

Question 43. Which of the following is a common way to leak a heap address in a Windows application?
A) Using GetVersionExA
B) Exploiting an uninitialized heap variable that is later printed
C) Overwriting the SEH chain
D) Calling VirtualProtect with a null pointer
Answer: B
Explanation: An uninitialized heap variable may contain a pointer that, when displayed, reveals a heap address.

Question 44. What does the .hh command in WinDbg do?
A) Displays help for a specific command
B) Halts the target process
C) Shows the current thread’s call stack
D) Dumps the heap information
Answer: A
Explanation: .hh opens the help file for the specified command (e.g., .hh bp).

Question 45. Which instruction is typically used in shellcode to obtain the current EIP value without calling external APIs?
A) call $+5; pop eax
B) jmp $+2; nop
C) mov eax, [esp]
D) int 0x2e
Answer: A
Explanation: call $+5 pushes the address of the next instruction onto the stack; pop eax retrieves it, giving the current EIP.

Question 46. In a Windows 10 64-bit environment, which mitigation makes traditional 32-bit ROP gadgets less reliable?
A) DEP
B) CFG (Control Flow Guard)
C) SafeSEH
D) Heap Spraying
Answer: B
Explanation: Control Flow Guard validates indirect calls/jumps, blocking many ROP gadgets that rely on unchecked control flow.
Explanation: Heap feng-shui is the technique of spraying and arranging heap allocations to achieve a deterministic layout.

Question 50. Which WinDbg command can be used to display the contents of the thread’s TEB?
A) !teb
B) .teb
C) !process 0 1
D) .tlist
Answer: A
Explanation: !teb dumps the Thread Environment Block for the current thread.

Question 51. What is the primary purpose of the VirtualAlloc API in Windows exploit development?
A) Allocate memory with specific protection flags, often PAGE_EXECUTE_READWRITE, for shellcode
B) Load a DLL into the process address space
C) Retrieve the address of a function in a loaded module
D) Create a new thread in the target process
Answer: A
Explanation: VirtualAlloc reserves and commits memory with desired protection, enabling executable payload storage.

Question 52. Which of the following registers is used by the stdcall calling convention to pass the first argument?
A) ECX
B) EDX
C) It is passed on the stack, not a register
D) EAX
Answer: C
Explanation: stdcall passes all arguments on the stack; registers are not used for argument passing.

Question 53. In a Windows vulnerability assessment, why is it useful to synchronize IDA Pro with a debugger like WinDbg?
A) To automatically patch the binary during analysis
B) To observe the real-time values of registers and memory while stepping through disassembly
C) To compile the source code from the binary
D) To generate a list of all exported functions automatically
Answer: B
Explanation: Synchronizing allows the analyst to see how the disassembled code behaves with actual runtime data.

Question 54. Which of the following is a typical indicator of a format string vulnerability in source code?
A) Using scanf("%s", buf) without length limits
B) Passing user-controlled data directly as the format argument to printf
C) Using strcpy without bounds checking
D) Allocating memory with malloc and not checking the return value
Answer: B
Explanation: Supplying user input as the format string to printf, fprintf, etc., enables format string attacks.