PrepIQ MEA Certified Exploitation Analyst Ultimate Exam, Exams of Technology

The PrepIQ MEA Certified Exploitation Analyst Ultimate Exam prepares learners for advanced exploitation analysis and offensive security operations. Coverage includes exploit techniques, vulnerability research, malware analysis, reverse engineering, and operational security assessment methodologies.

Typology: Exams

2025/2026

Available from 06/03/2026

shilpi-jain-3

PrepIQ MEA Certified Exploitation Analyst Ultimate Exam
**Question 1. Which of the following best describes the primary advantage of
source-code auditing over binary analysis when searching for dangerous
functions?**
A) It can locate runtime memory corruption without recompilation.
B) It reveals logical flaws hidden in compiled optimizations.
C) It directly shows calls to functions like strcpy, memcpy, and gets.
D) It automatically generates exploit primitives.
Answer: C
Explanation: Source-code auditing lets reviewers see explicit calls to unsafe APIs such as strcpy, memcpy, and gets, making it easier to spot misuse without needing to reverse-engineer compiled binaries.
**Question 2. In the vulnerability research lifecycle, which phase is
responsible for determining whether a discovered flaw is worth further
development?**
A) Discovery
B) Triaging
C) Exploitation
D) Disclosure
Answer: B
Explanation: Triaging evaluates severity, reproducibility, and impact to
prioritize flaws before investing time in exploit development.
**Question 3. When performing attack surface analysis, which of the
following is NOT typically considered an input vector?**
A) File parsers
B) Network protocol handlers
C) CPU microcode updates
D) API endpoints
Answer: C
Explanation: CPU microcode updates are not a direct input vector for application-level attacks; they are low-level firmware changes.
**Question 4. Which inter-process communication mechanism is most likely to be abused for leaking kernel pointers on Windows?**
A) Named pipes
B) Shared memory sections
C) RPC over SMB
D) Clipboard data exchange
Answer: B
Explanation: Shared memory sections can be mapped into multiple processes, allowing a compromised process to read kernel addresses exposed in the shared region.
**Question 5. Which debugger is best suited for live kernel-mode analysis on Windows?**
A) GDB
B) WinDbg
C) LLDB
D) OllyDbg
Answer: B
Explanation: WinDbg provides kernel-mode debugging capabilities, including crash dump analysis and live kernel inspection.
**Question 6. Intel PIN is primarily used for which of the following purposes in exploitation research?**

**Question 9. Which heap management structure is used by the Windows LFH (Low-Fragmentation Heap) to reduce allocation overhead?**
A) Fast bins
B) Lookaside lists
C) Segregated bins
D) Slab allocator
Answer: B
Explanation: Lookaside lists are per-processor caches that store freed blocks for quick reuse, characteristic of the LFH.
**Question 10. A “double free” vulnerability can lead to which of the following outcomes?**
A) Arbitrary read of kernel memory only.
B) Corruption of the free-list enabling arbitrary write.
C) Immediate program termination without exploitation.
D) Only denial-of-service attacks.
Answer: B
Explanation: Freeing the same chunk twice corrupts the allocator’s free-list, which can be manipulated to achieve arbitrary memory writes.
**Question 11. In a use-after-free (UAF) scenario, why is the “dangling pointer” concept critical for exploitation?**
A) It points to a constant address that cannot be altered.
B) It references memory that may be reallocated for attacker-controlled data.
C) It automatically triggers a stack canary check.
D) It disables ASLR for the process.
Answer: B

Explanation: After free, the pointer still references the original location; if the allocator reuses that space, attacker-controlled data can be placed there, enabling exploitation.
**Question 12. Which format string specifier allows an attacker to write an arbitrary 4-byte value to a memory address?**
A) %s
B) %n
C) %x
D) %p
Answer: B
Explanation: %n writes the number of bytes printed so far to the address pointed to by the corresponding argument, enabling arbitrary writes.
**Question 13. What is the primary purpose of Data Execution Prevention (DEP) on modern operating systems?**
A) To randomize memory addresses.
B) To prevent execution of code in non-executable pages.
C) To enforce stack canaries.
D) To limit system call numbers.
Answer: B
Explanation: DEP marks data regions (stack, heap) as non-executable, blocking classic code-injection attacks.
**Question 14. Return-Oriented Programming (ROP) chains rely on which type of code fragment?**
A) Inline assembly inserted by the attacker.
B) Small instruction sequences ending in a ret instruction.

**Question 17. Which of the following modules is most likely to be compiled without ASLR on Windows 10?**
A) kernel32.dll
B) ntdll.dll
C) user32.dll
D) winmm.dll
Answer: A
Explanation: Some legacy system DLLs, such as kernel32.dll, may be built without the /DYNAMICBASE flag, making them non-ASLR and useful for exploits.
**Question 18. Control Flow Guard (CFG) primarily protects which kind of indirect control flow?**
A) Direct calls to static functions.
B) Indirect calls and jumps through function pointers.
C) System call numbers.
D) Inline assembly blocks.
Answer: B
Explanation: CFG validates that indirect call targets are in a pre-computed whitelist, mitigating hijacking of function pointers.
**Question 19. Which technique can bypass Control Flow Guard on Windows 10?**
A) Using a gadget located in a non-CFG-protected module.
B) Overwriting the CFG bitmap directly.
C) Disabling CFG via the registry.
D) Triggering a stack overflow in a CFG-protected function.
Answer: A

Explanation: If an attacker can redirect execution to a module that is not compiled with CFG (e.g., a third-party DLL without /guard:cf), the validation is skipped.
**Question 20. In a sandbox escape, “broker process” logic flaws often lead to which of the following?**
A) Direct kernel memory corruption.
B) Escalation of privileges through token stealing.
C) Bypass of DEP on the sandboxed process.
D) Remote code execution on a different machine.
Answer: B
Explanation: Broker processes mediate between sandboxed and privileged contexts; logic errors can allow a low-privilege process to obtain higher-privilege tokens.
**Question 21. Mutation-based fuzzing primarily differs from generation-based fuzzing in that it:**
A) Requires a formal grammar of the input format.
B) Starts from valid seeds and mutates them randomly.
C) Generates inputs from scratch using a model.
D) Guarantees 100% code coverage.
Answer: B
Explanation: Mutation fuzzers take existing valid inputs and apply random changes, whereas generation fuzzers construct inputs based on a specification.
**Question 22. Which of the following is a key benefit of coverage-guided fuzzing (e.g., AFL++)?**
A) It eliminates the need for a crash monitor.

**Question 25. In exploitability classification, a crash that results in a “read-only memory write” is considered:**
A) Not exploitable.
B) Probably exploitable.
C) Exploitable.
D) Undetermined.
Answer: B
Explanation: Writing to a read-only page typically triggers a segmentation fault, which may allow information leakage or control-flow hijack, thus classified as probably exploitable.
**Question 26. Position-independent shellcode must avoid which of the following to function correctly in most injection scenarios?**
A) Relative addressing.
B) Absolute memory references.
C) Use of registers.
D) Stack manipulation.
Answer: B
Explanation: Absolute addresses may contain null bytes or be invalid in the target’s address space; PIC uses relative offsets to stay functional.
**Question 27. Which Windows API function is commonly resolved via the Process Environment Block (PEB) when writing minimal shellcode?**
A) LoadLibraryA
B) GetProcAddress
C) VirtualAlloc
D) ExitProcess
Answer: B

Explanation: Shellcode often walks the PEB to locate the export table of kernel32.dll and then uses GetProcAddress to resolve needed APIs.
**Question 28. An “egg-hunter” shellcode is primarily used when:**
A) The payload must be encrypted.
B) The vulnerable buffer is too small to hold the full payload.
C) The target process has DEP enabled.
D) The attacker wants to bypass ASLR.
Answer: B
Explanation: Egg hunters search the process memory for a unique marker (“egg”) that precedes the larger staged payload, allowing execution despite limited buffer space.
**Question 29. Which encoding technique is most effective at evading signature-based AV while preserving null-free shellcode?**
A) Base64 encoding.
B) XOR-encode with a single-byte key.
C) Unicode escape sequences.
D) URL percent-encoding.
Answer: B
Explanation: XOR-encoding with a single byte can be designed to avoid null bytes and is easily decoded at runtime, evading simple signature detection.
**Question 30. In a staged payload, the initial shellcode typically performs which action?**
A) Directly spawns a command shell.
B) Downloads or reads the second stage from memory.
C) Overwrites the process’s entry point permanently.

A) To manage large allocations (>1 MB).
B) To provide fast allocation of small, fixed-size blocks.
C) To enforce heap integrity checks.
D) To store freed memory for forensic analysis.
Answer: B
Explanation: The front-end allocator caches small blocks for rapid allocation/deallocation, reducing overhead for frequent small requests.
**Question 34. Which of the following is a typical indicator that a vulnerability is a heap-spray candidate?**
A) The application validates all pointer arithmetic.
B) It uses a custom allocator with no randomization.
C) It allocates large numbers of identical objects consecutively.
D) It runs in a sandboxed environment.
Answer: C
Explanation: Heap spraying creates many identical objects to increase the chance that a corrupted pointer lands on attacker-controlled data.
**Question 35. To bypass DEP using Return-to-libc, an attacker must locate which function in a non-NX module?**
A) VirtualProtect
B) system
C) Sleep
D) ExitProcess
Answer: B
Explanation: The system function (or WinExec) can be used to execute a command line, providing code execution without needing to inject executable pages.

**Question 36. Which of the following is a reliable method to defeat partial-overwrite ASLR on 64-bit Linux?**
A) Overwrite only the lower 12 bits of a function pointer.
B) Use a format string to leak a full 64-bit address.
C) Target a non-ASLR PIE library.
D) Brute-force the high 32 bits of the address.
Answer: C
Explanation: Non-ASLR Position-Independent Executable (PIE) libraries have fixed offsets, allowing attackers to calculate exact addresses despite ASLR.
**Question 37. In the context of CET (Control-Flow Enforcement Technology), which hardware feature provides indirect-branch tracking?**
A) Shadow Stack
B) ENDBRANCH instruction
C) Intel VT-x
D) SMEP
Answer: B
Explanation: ENDBRANCH marks valid indirect-branch destinations; attempts to jump to non-marked locations raise a fault, enforcing CFI.
**Question 38. Which of the following is a typical symptom of a successful sandbox escape via token manipulation?**
A) The process receives an “Access Denied” error when opening a file.
B) The process’s integrity level changes from Low to Medium or High.
C) The process crashes with a segmentation fault.
D) The process’s network sockets become unavailable.

B) ASLR
C) CFG
D) SEHOP
Answer: A
Explanation: /NXCOMPAT:NO tells the OS that the binary does not support DEP, effectively disabling the NX protection for that executable.
**Question 42. In Linux, the “/proc/self/maps” file is useful for:**
A) Enumerating open network sockets.
B) Determining loaded module base addresses for ASLR bypass.
C) Changing file permissions at runtime.
D) Injecting code into another process.
Answer: B
Explanation: /proc/self/maps lists the memory mappings of the current process, revealing base addresses of libraries, which can be used to defeat ASLR.
**Question 43. Which of the following statements about “heap grooming” is true?**
A) It creates a deterministic layout by freeing and reallocating objects of specific sizes.
B) It randomizes heap allocations to thwart attackers.
C) It only works on the Windows LFH.
D) It is equivalent to a stack canary bypass.
Answer: A
Explanation: Heap grooming manipulates the allocator to produce a predictable heap layout, facilitating exploitation of later corruptions.

**Question 44. In the context of ROP, a “stack pivot” is used to:**
A) Increase the size of the stack.
B) Move the stack pointer to a controlled buffer containing gadgets.
C) Disable DEP on the current thread.
D) Overwrite the return address directly.
Answer: B
Explanation: A stack pivot changes ESP/RSP to point to attacker-controlled data, allowing execution of a ROP chain stored elsewhere.
**Question 45. Which of the following is a common method to leak a stack canary in a program that prints user-controlled data?**
A) Overwrite the canary with zeroes.
B) Use a format-string %p specifier to read stack contents.
C) Trigger a division-by-zero exception.
D) Issue a system call that returns the canary.
Answer: B
Explanation: A %p format specifier can reveal stack values, including the canary, when the program prints user-controlled arguments.
**Question 46. What is the main advantage of using “libFuzzer” over a generic fuzzing engine when testing a library function?**
A) It automatically patches discovered bugs.
B) It provides in-process coverage feedback with minimal overhead.
C) It requires no source code.
D) It can fuzz network protocols without a harness.
Answer: B

B) Leak the canary value and then include it correctly in the overflow payload.
C) Use a format string to skip the canary.
D) Disable the canary at compile time.
Answer: B
Explanation: Knowing the exact canary allows the attacker to place it correctly in the overflow, bypassing the integrity check.
**Question 50. The “shadow stack” mitigation primarily protects against which class of attacks?**
A) Heap overflow.
B) Return-oriented programming.
C) Use-after-free.
D) Format-string attacks.
Answer: B
Explanation: A shadow stack maintains a protected copy of return addresses, detecting tampering attempts typical of ROP attacks.
**Question 51. Which of the following tools can automatically generate a coverage-guided fuzzing harness for a C library?**
A) afl-qemu-mode
B) libFuzzer’s “-use_value_profile” flag
C) “afl-clang-fast” compiler wrapper
D) “radamsa” mutator
Answer: C
Explanation: afl-clang-fast instruments the target binary during compilation, producing a harness that collects coverage for AFL++.

**Question 52. In the context of shellcode, “null-free” means:**
A) The code does not contain any zero bytes.
B) The code does not allocate memory.
C) The code executes without using registers.
D) The code runs in user mode only.
Answer: A
Explanation: Null bytes often terminate string-based payloads prematurely; null-free shellcode avoids them to ensure successful injection.
**Question 53. Which Windows API is commonly used by shellcode to allocate executable memory after locating the base of kernel32.dll?**
A) CreateThread
B) VirtualAllocEx
C) VirtualAlloc
D) HeapCreate
Answer: C
Explanation: VirtualAlloc can allocate memory with PAGE_EXECUTE_READWRITE, allowing the shellcode to place further payloads.
**Question 54. What is the primary purpose of an “egg” in an egg-hunter payload?**
A) To encrypt the final payload.
B) To serve as a unique marker that the hunter searches for.
C) To bypass DEP by executing in a separate thread.
D) To trigger a kernel-mode exception.
Answer: B