The answers for the SEC670 Prep Quiz are listed below. For more details about the course and the quiz, please click here.
Q1 - What user-mode structure has a field that maintains a doubly linked list of loaded modules?
A - the Thread Environment Block (TEB)
B - the Processor Control Block (PCB)
C - the Process Environment Block (PEB)
D - the EPROCESS structure
Q2 - For x64 systems, what segment register and offset will provide a pointer to the PEB?
A - the gs segment register and offset 60
B - the gs segment register and offset 0x60
C - the fs segment register and offset 0x30
D - the fs segment register and offset 30
Q3 - What shared data structure is located at the same virtual address for nearly every single process?
A - the Process Environment Block (PEB)
B - the Thread Environment Block (TEB)
C - the Processor Control Block (PCB)
D - KUSER_SHARED_DATA will be present in nearly every single process
Q4 - With regards to the previous question, what is the virtual address of that structure?
A - virtual address 0x7FFE0000
B - virtual address 0xFFFF8000
C - virtual address 0x00000000
D - virtual address 0xDEADBEEF
Q5 - What KUSER_SHARED_DATA field is used to indicate if kernel debugging has been enabled?
A - KdDebuggerEnabled
B - IsBeingDebugged
C - DebuggerAttached
D - IsNotBeingDebugged
Q6 - What process enumeration API only returns a list of PIDs?
A - EnumModules
B - EnumThreads
C - CreateToolhelp32Snapshot
D - EnumProcesses
Q7 - For 64-bit systems, why is there a 32-bit and a 64-bit version of NTDLL.DLL present in Wow64 processes?
A - The system called LoadLirbary twice
B - Because 32-bit system calls aren't implemented
C - It helps performance
D - It aids in process creation
A more detailed answer: Windows 32-bit on Windows 64-bit (Wow64) is a Windows subsystem that emulates 32-bit programs on 64-bit systems. This is done for backwards compatibility so that 32-bit programs can still work on 64-bit systems. Since a 64-bit system only supports 64-bit system calls, a transition must take place that leaves the 32-bit version of NTDLL.DLL and effectively jumps over to the 64-bit version of NTDLL.DLL where the true system call resides. This transition has been dubbed Heaven's Gate.
Q8 - What calling convention allows for VARARGS?
A - __cdecl
B - __fastcall
C - __thiscall
D - __stdcall
Q9 - For 32-bit Windows APIs, what is the purpose of the MOV EDI, EDI instruction?
A - it simply zeros out the top 32 bits of the register
B - it moves the contents of EDI into EDI
C - it changes control flow by modifying EFLAGS
D - it is a glorified 2-byte NOP instruction that allows for hotpatching functions
Q10 - Where are user-mode handles stored once the kernel has created the requested object?
A - in a local variable
B - in a global variable
C - in the calling process' handle table
D - in a doubly linked list
