SEC670 Prep Quiz Answers

The answers for the SEC670 Prep Quiz are listed below. For more details about the course and the quiz, please click here.

Q1 – What user-mode structure has a field that maintains a doubly linked list of loaded modules?

A – the Thread Environment Block (TEB)

B – the Processor Control Block (PCB)

C – the Process Environment Block (PEB)

D – the EPROCESS structure

Q2 – For x64 systems, what segment register and offset will provide a pointer to the PEB?

A – the gs segment register and offset 60

B – the gs segment register and offset 0x60

C – the fs segment register and offset 0x30

D – the fs segment register and offset 30

Q3 – What shared data structure is located at the same virtual address for nearly every single process?

A – the Process Environment Block (PEB)

B – the Thread Environment Block (TEB)

C – the Processor Control Block (PCB)

D – KUSER_SHARED_DATA will be present in nearly every single process

Q4 – At what virtual address could you find the KUSER_SHARED_DATA structure?

A – virtual address 0x7FFE0000

B – virtual address 0xFFFF8000

C – virtual address 0x00000000

D – virtual address 0xDEADBEEF

Q5 – What KUSER_SHARED_DATA field is used to indicate if kernel debugging has been enabled?

A – KdDebuggerEnabled

B – IsBeingDebugged

C – DebuggerAttached

D – IsNotBeingDebugged

Q6 – What process enumeration API only returns a list of PIDs?

A – EnumModules

B – EnumThreads

C – CreateToolhelp32Snapshot

D – EnumProcesses

Q7 – For 64-bit systems, why is there a 32-bit and a 64-bit version of NTDLL.DLL present in Wow64 processes?

A – The system called LoadLirbary twice

B – Because 32-bit system calls aren’t implemented

C – It helps performance

D – It aids in process creation

A more detailed answer: Windows 32-bit on Windows 64-bit (Wow64) is a Windows subsystem that emulates 32-bit programs on 64-bit systems. This is done for backwards compatibility so that 32-bit programs can still work on 64-bit systems. Since a 64-bit system only supports 64-bit system calls, a transition must take place that leaves the 32-bit version of NTDLL.DLL and effectively jumps over to the 64-bit version of NTDLL.DLL where the true system call resides. This transition has been dubbed Heaven’s Gate.

Q8 – What calling convention allows for VARARGS?

A – __cdecl

B – __fastcall

C – __thiscall

D – __stdcall

Q9 – For 32-bit Windows APIs, what is the purpose of the MOV EDI, EDI instruction?

A – it simply zeros out the top 32 bits of the register

B – it moves the contents of EDI into EDI

C – it changes control flow by modifying EFLAGS

D – it is a glorified 2-byte NOP instruction that allows for hotpatching functions

Q10 – Where are user-mode handles stored once the kernel has created the requested object?

A – in a local variable

B – in a global variable

C – in the calling process’ handle table

D – in a doubly linked list