Build advanced exploitation expertise involving reverse engineering, exploit development, binary analysis, memory corruption, and advanced offensive security techniques.
Typology: Exams
Question 1. Which of the following techniques is most effective for bypassing DEP when no writable-executable memory regions are available?
A) Return-to-libc
B) ROP chain using existing executable gadgets
C) Stack pivot to a heap-based shellcode
D) Use of a JIT-spray payload
Answer: B
Explanation: ROP (Return-Oriented Programming) reuses existing executable code fragments (gadgets) in the process memory, allowing execution without needing new writable-executable pages, thus bypassing DEP.

Question 2. When dealing with a fully randomized ASLR layout, which primitive provides the most reliable way to compute the base address of a target module?
A) Heap spray
B) Format string leak of a function pointer
C) Brute-force page-fault timing
D) NOP sled in a DLL
Answer: B
Explanation: A format-string vulnerability that leaks a known function pointer reveals the runtime address of that function, from which the module’s base can be derived using the known offset.

Question 3. In Microsoft’s Control Flow Guard (CFG), which of the following is NOT a valid mitigation bypass technique?
A) Overwriting a CFG-protected indirect call target with a legitimate function address
B) Corrupting the CFG bitmap to mark malicious code as valid
C) Exploiting a missing CFG entry for a COM interface method
D) Using a direct call instruction instead of an indirect call
Answer: D
Explanation: CFG protects only indirect calls; a direct call bypasses CFG entirely and does not need a bypass, making option D irrelevant to CFG bypasses.

Question 4. Arbitrary Code Guard (ACG) primarily prevents which of the following actions?
A) Execution of code on the stack
B) Allocation of new executable memory regions via VirtualAlloc/VirtualProtect
C) Use of ROP gadgets in existing modules
D) Loading of unsigned drivers
Answer: B
Explanation: ACG blocks the creation of new executable pages, forcing attackers to rely on existing code (e.g., ROP) rather than injecting fresh shellcode.

Question 5. Intel CET’s Shadow Stack protects against which class of attacks?
A) Return-oriented programming
B) Stack-based buffer overflows that overwrite return addresses
C) Code-reuse attacks that manipulate indirect branches
D) Heap corruption
Answer: B
Explanation: The shadow stack stores a protected copy of return addresses, detecting any mismatch caused by overwriting the regular stack’s return address.

Question 6. Which of the following is a characteristic of the Windows Segment Heap introduced in Windows 10?
A) Fixed-size allocation buckets only
B) Allocation metadata stored in a separate “segment” structure per allocation group
C) No support for LFH-style sub-allocation

Question 9. Which primitive is typically derived first from a Use-After-Free vulnerability?
A) Arbitrary code execution
B) Arbitrary read/write
C) Kernel privilege escalation
D) Remote code execution
Answer: B
Explanation: UaF usually enables reading or writing over the freed object’s memory, forming an arbitrary read/write primitive that can be leveraged further.

Question 10. In a JavaScript JIT spray targeting Microsoft Edge’s Chakra engine, what is the primary purpose of the “typed array” primitive?
A) To bypass Same-Origin Policy
B) To achieve out-of-bounds read/write of the JIT-compiled code buffer
C) To perform DNS rebinding attacks
D) To execute native shellcode directly
Answer: B
Explanation: Typed arrays can be coerced into out-of-bounds conditions, allowing attackers to corrupt the JIT buffer and gain arbitrary read/write of executable memory.

Question 11. Type confusion in a JavaScript engine often arises from which of the following?
A) Incorrect handling of prototype chain inheritance
B) Mis-typed inline caches that assume a specific object layout
C) Failure to validate Unicode characters in strings
D) Overly aggressive garbage collection
Answer: B
Explanation: Inline caches store type information for fast property access; if they are mis-used, the engine may treat an object as a different type, leading to type confusion.

Question 12. Which Windows sandbox component is primarily responsible for isolating file system access for a modern Edge browser tab?
A) AppContainer
B) Integrity Levels
C) User Account Control (UAC)
D) Windows Defender Application Guard
Answer: A
Explanation: AppContainer creates a restricted token and a virtualized file system view for each sandboxed process, limiting file system interactions.

Question 13. To escape the Windows AppContainer sandbox, an attacker often targets which inter-process communication mechanism?
A) Named pipes with insufficient ACLs
B) Localhost TCP sockets bound to privileged ports
C) DCOM objects with default permissions
D) Shared memory sections created with PAGE_READWRITE
Answer: A
Explanation: Named pipes are frequently used for broker-to-renderer communication; mis-configured ACLs can allow a low-privilege sandboxed process to interact with higher-privileged components.

Question 14. In kernel-mode exploitation, which of the following IOCTL misuse patterns is most likely to lead to an arbitrary write primitive?
A) IOCTL that copies user data into a fixed-size kernel buffer without length checks
B) IOCTL that returns kernel timestamps to user space
C) IOCTL that merely queries driver version strings

Question 17. The primary purpose of kASLR in Windows kernel security is to:
A) Randomize the location of user-mode DLLs
B) Randomize the base address of the kernel and loaded drivers
C) Encrypt kernel memory pages
D) Prevent the loading of unsigned drivers
Answer: B
Explanation: Kernel Address Space Layout Randomization (kASLR) randomizes the base addresses of the kernel image and drivers to hinder reliable address-based exploits.

Question 18. Which of the following is a common technique to leak a kernel pointer for defeating kASLR?
A) Using a vulnerable driver that returns a kernel handle value to user space
B) Reading the System Information Class “SystemModuleInformation” via NtQuerySystemInformation
C) Enumerating the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
D) Accessing the %TEMP% directory from kernel mode
Answer: B
Explanation: NtQuerySystemInformation with the SystemModuleInformation class reveals the base addresses of loaded kernel modules, providing a kASLR leak.

Question 19. Hypervisor-Enforced Code Integrity (HVCI) in Windows primarily protects against which attack vector?
A) Loading of unsigned device drivers
B) Execution of untrusted code in user-mode processes
C) Kernel-mode code injection via unsigned or modified kernel modules
D) Bypassing UAC prompts
Answer: C
Explanation: HVCI ensures that only code signed by Microsoft or a trusted authority can be executed in kernel mode, blocking injected or modified kernel code.

Question 20. In a token-stealing exploit, which kernel structure is typically overwritten to grant SYSTEM privileges?
A) EPROCESS->Token field
B) KTHREAD->Priority field
C) DRIVER_OBJECT->MajorFunction table
D) OBJECT_HEADER->TypeIndex
Answer: A
Explanation: Overwriting the current process’s EPROCESS token with the token of the SYSTEM process gives the attacker SYSTEM privileges.

Question 21. When performing static analysis with IDA Pro, which feature helps identify potential gadget locations for ROP chain construction?
A) Function graph view
B) Hex-Rays decompiler output showing “ret” instructions
C) Pseudocode view highlighting indirect jumps
D) The “Search → Sequence of bytes” dialog for “c3” (RET) patterns
Answer: D
Explanation: Searching for the byte 0xC3 (RET) or other gadget-ending opcodes helps locate ROP gadgets in the binary.

Question 22. In dynamic analysis, which Windows API is most useful for monitoring memory writes to a specific address range?
A) VirtualQueryEx

Question 25. Which of the following is a typical mitigation against JIT-spray attacks in modern browsers?
A) Randomizing heap layout for JIT buffers
B) Disabling JIT compilation entirely
C) Enforcing DEP on JIT-generated pages and tagging them as non-executable until needed
D) Using a separate process for each JavaScript context
Answer: C
Explanation: Modern browsers mark JIT pages as non-executable until they contain valid compiled code, limiting the ability to spray executable NOP sleds.

Question 26. In the context of Windows kernel exploitation, what does the term “gadget chaining” refer to?
A) Linking multiple driver IOCTLs to achieve privilege escalation
B) Concatenating short instruction sequences ending in a return to form a ROP payload
C) Combining multiple heap sprays into a single allocation
D) Using multiple named pipes to communicate between sandboxed processes
Answer: B
Explanation: Gadget chaining is the process of assembling a sequence of ROP gadgets to perform arbitrary computation.

Question 27. Which of the following is a direct consequence of enabling Control-Flow Enforcement Technology (CET) on a Windows system?
A) All user-mode processes must be compiled with /CET flag
B) Indirect branch tracking (IBT) will raise a #UD exception on invalid indirect branches
C) The kernel disables all hardware breakpoints
D) DEP is automatically disabled for performance
Answer: B
Explanation: CET’s IBT feature checks that indirect branches land at valid target addresses; a violation triggers a #UD (invalid opcode) exception.

Question 28. Which heap allocation pattern is most likely to cause a “double free” vulnerability?
A) Allocating a buffer, freeing it, then allocating a second unrelated buffer
B) Freeing a pointer without resetting it and later freeing the same pointer again
C) Using HeapAlloc with HEAP_ZERO_MEMORY flag
D) Allocating from the LFH lookaside list
Answer: B
Explanation: A double free occurs when the same pointer is freed twice without being re-initialized, potentially corrupting heap metadata.

Question 29. Which of the following is the most common way to achieve arbitrary read in a kernel exploit once an arbitrary write primitive is available?
A) Overwrite a function pointer to point to a user-mode address and trigger it
B) Use the arbitrary write to corrupt a kernel object’s “Read” method pointer, then invoke it
C) Overwrite the CR3 register to map user pages into kernel space
D) Replace the contents of a kernel-mode buffer that is later copied to user space via a legitimate IOCTL
Answer: D
Explanation: By writing attacker-controlled data into a kernel buffer that is later copied out (e.g., via an IOCTL that reads kernel memory), the attacker can retrieve arbitrary kernel memory.

Question 30. In a Windows driver, which IOCTL code format indicates that the request expects a buffered I/O transfer?
A) METHOD_NEITHER

Question 33. Which Windows API can be abused to leak kernel stack addresses, assisting in bypassing SMEP/SMAP?
A) NtQuerySystemInformation with SystemKernelDebuggerInformation
B) ZwQueryInformationProcess with ProcessBasicInformation
C) NtAllocateVirtualMemory with MEM_RESERVE flag
D) GetSystemInfo
Answer: A
Explanation: SystemKernelDebuggerInformation can expose kernel stack pointers when a kernel debugger is attached, aiding in bypasses.

Question 34. In the context of Edge’s Chakra engine, which of the following optimizations can unintentionally create a type confusion vulnerability?
A) Inline caching with monomorphic assumptions that later become polymorphic
B) Aggressive dead-code elimination
C) Constant folding of arithmetic expressions
D) Loop unrolling
Answer: A
Explanation: Inline caches assume a single type for a property access; when the property later receives a different type, the cache may misinterpret the object, leading to type confusion.

Question 35. Which of the following Windows kernel structures contains the list of loaded drivers, useful for locating a target driver’s base address?
A) PsLoadedModuleList (within the EPROCESS structure)
B) KeServiceDescriptorTable
C) PsActiveProcessHead
D) ObpRootDirectoryObject
Answer: A
Explanation: PsLoadedModuleList is a doubly-linked list of kernel modules (drivers) and provides their base addresses.

Question 36. What is the main advantage of using a “ROP-NOP” gadget in a chain?
A) It reduces the total number of gadgets needed
B) It allows the chain to adjust the stack pointer without affecting registers
C) It bypasses DEP by executing a true NOP instruction
D) It encrypts the payload to evade AV detection
Answer: B
Explanation: A ROP-NOP (e.g., “add esp, 0x0; ret”) advances the stack pointer safely, acting as a filler or alignment gadget.

Question 37. Which of the following is a typical symptom of a successful heap corruption in a Windows service?
A) The service logs “Access denied” errors
B) The service process crashes with an “0xC0000005” exception while handling a request
C) The service restarts automatically without any log entries
D) The service’s UI freezes but remains responsive to network traffic
Answer: B
Explanation: An access-violation (0xC0000005) during request handling often indicates corrupted heap metadata leading to illegal memory access.

Question 38. In a kernel exploit, why is it advantageous to locate the “HalDispatchTable”?
A) It contains pointers to user-mode callbacks that can be overwritten
B) It holds function pointers that are called from user space, enabling arbitrary kernel code execution when hijacked
C) It stores the system’s cryptographic keys

Question 41. Which of the following is a reliable way to locate the address of “NtAllocateVirtualMemory” in kernel memory without leaking symbols?
A) Scan the kernel image for the byte pattern “48 83 EC 28” (function prologue)
B) Use the SSDT (System Service Descriptor Table) to retrieve the function pointer from its index
C) Read the PE header of the kernel from user space
D) Query the registry key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRoot”
Answer: B
Explanation: The SSDT holds pointers to system call handlers; indexing into it yields the address of NtAllocateVirtualMemory.

Question 42. In a Windows kernel exploit, which of the following is a typical method to achieve privilege escalation after obtaining arbitrary kernel read/write?
A) Overwrite the current process’s EPROCESS token with the token of the System process
B) Patch the kernel’s CR0 register to disable SMEP
C) Modify the BIOS firmware to load a malicious driver at boot
D) Change the user’s password hash in the SAM database
Answer: A
Explanation: Replacing the token of the current process with the System token grants SYSTEM privileges directly.

Question 43. Which of the following Windows API calls is most often used to trigger a “stack pivot” in a user-mode exploit?
A) VirtualAllocEx
B) SetThreadContext
C) LoadLibraryA
D) QueueUserAPC
Answer: B
Explanation: SetThreadContext can modify the instruction pointer (RIP/EIP) and stack pointer, allowing an attacker to pivot the stack to controlled memory.

Question 44. When analyzing a crash dump in WinDbg, which command displays the call stack of the current thread?
A) !analyze -v
B) kv
C) lm
D) .exr
Answer: B
Explanation: The “kv” command prints a verbose stack trace (call stack) for the current thread.

Question 45. Which of the following is a key difference between the “Segment Heap” and the “Low-Fragmentation Heap”?
A) Segment Heap supports per-process randomization of allocation sizes, LFH does not
B) LFH stores allocation metadata in the heap header, Segment Heap stores it in separate segment structures
C) Segment Heap is only used for kernel allocations, LFH is for user-mode only
D) LFH provides built-in pointer encryption, Segment Heap does not
Answer: B
Explanation: LFH embeds metadata in the heap header; Segment Heap uses external segment structures, improving scalability.

Question 46. Which of the following is the most effective way to mitigate a JIT-spray based type confusion vulnerability in a JavaScript engine?
A) Disable JIT compilation for all scripts
B) Randomize the location of JIT-generated code pages on each allocation

Question 49. Which of the following is the most direct method to disable SMEP on a Windows system for testing purposes?
A) Set the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory\SMEP to 0
B) Use the “bcdedit /set hypervisorlaunchtype off” command
C) Execute the instruction “mov cr4, cr4 & ~0x100000” from kernel mode
D) Install a driver signed with the “Test Signing” flag
Answer: C
Explanation: SMEP is controlled by bit 20 of CR4; clearing it from kernel mode disables SMEP.

Question 50. In the context of Windows kernel exploit development, what does the term “ROP-Gadget Finder” refer to?
A) A tool that enumerates all exported functions from a driver DLL
B) A script that searches binary modules for instruction sequences ending in “ret” or “jmp reg” useful for ROP
C) A debugger plugin that visualizes the call stack
D) A network scanner for vulnerable services
Answer: B
Explanation: A ROP-Gadget Finder scans binaries for short instruction sequences ending in a control-transfer instruction, which are then used to build ROP chains.

Question 51. Which of the following best describes the effect of the “/GS” compiler flag on Windows binaries?
A) Enables DEP for the compiled binary
B) Inserts a stack canary to detect stack buffer overflows
C) Forces all functions to use the fastcall calling convention
D) Disables ASLR for the binary
Answer: B
Explanation: The /GS flag adds a stack cookie (canary) that is verified before function return, helping detect stack overflows.

Question 52. When exploiting a kernel-mode driver that uses “METHOD_NEITHER” for an IOCTL, which of the following is a primary risk for the attacker?
A) The driver will automatically validate all user pointers
B) The driver will map user buffers directly into kernel address space, allowing arbitrary read/write if pointer validation is missing
C) The driver will refuse any input larger than 256 bytes
D) The driver will encrypt the data before processing
Answer: B
Explanation: METHOD_NEITHER passes user pointers unchanged to the driver; without proper validation, an attacker can supply arbitrary kernel addresses for read/write.

Question 53. Which of the following is a common mitigation that prevents the use of “jmp esp” gadgets in modules with ASLR enabled?
A) Relocating all executable sections to read-only memory
B) Randomizing the base address of the module, making the absolute address of “jmp esp” unpredictable
C) Removing all “ret” instructions from the binary
D) Encrypting the module’s code segment at runtime
Answer: B
Explanation: ASLR randomizes module base addresses, so fixed absolute addresses for gadgets like “jmp esp” become unreliable.

Question 54. In a Windows kernel exploit, which of the following is the most reliable way to locate the address of the current process’s EPROCESS structure?
A) Call NtQueryInformationProcess with ProcessBasicInformation and read the “PebBaseAddress” field