Take a shot at the following questions related to SEC670: Red Teaming Tools – Developing Windows Implants, Shellcode, Command and Control. You don’t need to get 100% to be a good candidate by any means, but the majority of them should be within your comfort zone, even if you don’t recall specific member offsets within structures. The structures themselves should be familiar.

Q1 – What user-mode structure has a field that maintains a doubly linked list of loaded modules?

A – the Thread Environment Block (TEB)

B – the Processor Control Block (PCB)

C – the Process Environment Block (PEB)

D – the EPROCESS structure

Q2 – For x64 systems, what segment register and offset will provide a pointer to the PEB?

A – the gs segment register and offset 60

B – the gs segment register and offset 0x60

C – the fs segment register and offset 0x30

D – the fs segment register and offset 30

Q3 – What shared data structure is located at the same virtual address for nearly every single process?

A – the Process Environment Block (PEB)

B – the Thread Environment Block (TEB)

C – the Processor Control Block (PCB)

D – KUSER_SHARED_DATA will be present in nearly every single process

Q4 – At what virtual address could you find the KUSER_SHARED_DATA structure?

A – virtual address 0x7FFE0000

B – virtual address 0xFFFF8000

C – virtual address 0x00000000

D – virtual address 0xDEADBEEF

Q5 – What KUSER_SHARED_DATA field is used to indicate if kernel debugging has been enabled?

A – KdDebuggerEnabled

B – IsBeingDebugged

C – DebuggerAttached

D – IsNotBeingDebugged

Q6 – What process enumeration API only returns a list of PIDs?

A – EnumModules

B – EnumThreads

C – CreateToolhelp32Snapshot

D – EnumProcesses

Q7 – For 64-bit systems, why is there a 32-bit and a 64-bit version of NTDLL.DLL present in Wow64 processes?

A – The system called LoadLibrary twice

B – Because 32-bit system calls aren’t implemented

C – It helps performance

D – It aids in process creation

Q8 – What calling convention allows for VARARGS?

A – __cdecl

B – __fastcall

C – __thiscall

D – __stdcall

Q9 – For 32-bit Windows APIs, what is the purpose of the MOV EDI, EDI instruction?

A – it simply zeros out the top 32 bits of the register

B – it moves the contents of EDI into EDI

C – it changes control flow by modifying EFLAGS

D – it is a glorified 2-byte NOP instruction that allows for hotpatching functions

Q10 – Where are user-mode handles stored once the kernel has created the requested object?

A – in a local variable

B – in a global variable

C – in the calling process’ handle table

D – in a doubly linked list

For the answers and a brief explanation of each, please click here.

If you would like to sign up to be notified about SEC670 and available training, you can do so on the SANS New Cybersecurity Training page.

We hope you enjoyed the quiz!