최신 GREM 무료덤프 - GIAC Reverse Engineering Malware

A. Registering a service

B. Editing the hosts file

C. Executing Tasklist.exe

D. Performing port scanning

A. To act as a base pointer for the function's stack frame

B. To store the return address

C. To store the function's parameters

D. To accumulate results of arithmetic operations

A. It allows analysts to skip over irrelevant code segments quickly.

B. It is necessary for optimizing the malware's performance.

C. It can be used to modify the execution flow actively.

D. It helps in understanding the exact sequence of execution.

A. Buffer overflow

B. Directory traversal

C. Cross-site scripting

D. SQL injection

A. Wireshark

B. PEiD

C. Oletools

D. PDFiD

A. It triggers security warnings when opened.

B. It contains extensive text and few images.

C. The file size is smaller than average for similar documents.

D. The PDF is viewable on multiple platforms.

A. To quantify the malware's size

B. To determine the payload's execution frequency

C. To detect the presence of cryptographic routines

D. To understand the conditions for the malware's persistence or termination

A. Using encryption to hide the payload

B. Deobfuscating strings during runtime

C. Disassembling the obfuscated binary in IDA Pro

D. Analyzing encrypted traffic

A. It may be attempting to load additional assemblies during runtime.

B. It indicates the malware is written in a non-.NET language.

C. It is preparing to delete itself from the infected system.

D. It is likely interacting with the operating system at a low level.

A. Breakpoint on WriteFile

B. Dump the memory region

C. Hash comparison

D. Examine TLS callbacks

A. Strings become readable

B. New thread is created

C. API calls are resolved

D. Full PE header appears in memory

A. Increased size due to added unpacking code

B. Numerous API calls in the initial code segment

C. Embedded debugging symbols

D. Anomalous section names within the executable

A. Analyze network traffic to detect any malicious communications initiated by explorer.exe.

B. Monitor the API calls used for process injection, such as VirtualAllocEx() and CreateRemoteThread().

C. Use a tool like Procmon to observe filesystem activity.

D. Dump the memory of the explorer.exe process and search for injected code.

E. Set breakpoints at the process injection-related API calls in a debugger.

A. Using excessive whitespace in the macro code.

B. Encrypting the macro with a password.

C. Embedding the macro within a non-macro document section.

D. Storing the macro in the document header.

A. Driver installation

B. DLL mapped into memory without writing to disk

C. New registry entries

D. Process token change