Module 3

Question 1

What is the primary purpose of building custom payloads using raw shellcode instead of using ready-to-run payloads from C2 frameworks?

Answer 1

It is beneficial in situations like initial access where custom payloads may evade defenses more effectively.

Question 2

What is the Portable Executable (PE) file format?

Answer 2

It’s a file format for executables and DLLs that holds information necessary for the operating system to load a program into memory.

Question 3

What is the fixed size of the DOS header (IMAGE_DOS_HEADER) at the start of every PE file?

Answer 3

The DOS header is a fixed 64-byte structure.

Question 4

What is the constant 2-byte value found in the ‘e_magic’ member of the DOS header, and what does it represent in ASCII?

Answer 4

The value is ‘4D 5A’, which represents ‘MZ’ in ASCII, serving as a signature for the PE file.

Question 5

Which member of the DOS header contains an offset to the PE signature at the start of the NT headers?

Answer 5

The ‘e_lfanew’ member.

Question 6

At what fixed offset from the start of a PE file is the ‘e_lfanew’ member located?

Answer 6

It is always located at an offset of ‘3C’ (60 in decimal).

Question 7

What is the primary function of the DOS stub in a modern Windows environment?

Answer 7

The modern Windows loader uses the offset in ‘e_lfanew’ to skip over the stub and go directly to the NT headers.

Question 8

The constant 4-byte value ‘50 45 00 00’ (‘PE\0\0’) at the beginning of the NT headers is known as the _____.

Answer 8

PE signature

Question 9

In the PE file header (IMAGE_FILE_HEADER), what does the ‘Machine’ member indicate?

Answer 9

It indicates the CPU architecture the PE file is compiled for.

Question 10

What information is held in the ‘NumberOfSections’ member of the PE file header?

Answer 10

It holds the total number of sections the PE file has.

Question 11

Which member of the Optional Header determines if a PE image is 32-bit (PE32) or 64-bit (PE32+)?

Answer 11

The ‘Magic’ member.

Question 12

What does the ‘AddressOfEntryPoint’ member in the Optional Header specify?

Answer 12

It specifies the address of the PE’s entry point relative to the image base when loaded into memory.

Question 13

What is the ‘ImageBase’ in the Optional Header?

Answer 13

It is the preferred base address for the PE image to be loaded into memory.

Question 14

The _____ contains information needed by the Windows loader, such as details of the DLLs that a PE requires to function.

Answer 14

import directory

Question 15

Which PE section typically contains the executable code of the program?

Answer 15

The ‘.text’ section.

Question 16

Which PE section contains resources used by a program, such as icons and images?

Answer 16

The ‘.rsrc’ section.

Question 17

In a section header, what is the difference between ‘VirtualSize’ and ‘SizeOfRawData’?

Answer 17

‘VirtualSize’ is the total size of the section in memory, while ‘SizeOfRawData’ is its size on disk, which may differ due to padding.

Question 18

What do the ‘Characteristics’ in a PE section header describe?

Answer 18

They are a set of flags that describe attributes of the section, including its final memory permissions (e.g., R, RW, RX).

Question 19

Distinguish between a ‘program’ and a ‘process’.

Answer 19

A program is a compiled PE file, while a process is a container that holds the resources for a running instance of that program.

Question 20

Which Windows API is the simplest way to create a new process that has the same access token as the caller?

Answer 20

CreateProcessW.

Question 21

Ultimately, process creation APIs like CreateProcessW and CreateProcessAsUserW call into which kernel function?

Answer 21

NtCreateUserProcess.

Question 22

What is a thread in the context of the Windows OS?

Answer 22

A thread is an object that Windows schedules for execution within a process, holding the CPU state and a call stack.

Question 23

Which API creates a new thread within the calling process’s address space?

Answer 23

CreateThread.

Question 24

To create a new thread in a different process, which API would you use?

Answer 24

CreateRemoteThread.

Question 25

How does the Windows memory manager handle a process's virtual memory?

Answer 25

It transparently maps a process's virtual memory to physical memory and may page data to disk when needed.

Question 26

The 'Virtual APIs' like VirtualAlloc always allocate memory that is rounded up to the nearest complete _____.

Answer 26

page

Question 27

For managing memory allocations that are smaller than a page, which family of APIs should be used?

Answer 27

The Heap APIs, such as HeapAlloc.

Question 28

What is the purpose of memory-mapping APIs like CreateFileMappingA and MapViewOfFile?

Answer 28

They are designed to map files into memory from disk and can be used to share memory mappings across processes.

Question 29

What is a primary access token in the context of a Windows process?

Answer 29

It is an object assigned to a process at creation that describes the security context of the user who started it.

Question 30

What specifies who has what access to a securable object like a file or process in Windows?

Answer 30

The object's discretionary access control list (DACL).

Question 31

What does a 'privilege' grant to a security principal in Windows?

Answer 31

It grants the right to perform a specific system-related operation, like changing the time zone or shutting down the computer.

Question 32

Which API must a process use to enable a privilege within its access token before performing a privileged operation?

Answer 32

AdjustTokenPrivileges.

Question 33

Which powerful privilege allows a user to obtain read/write handles to any process, even those owned by other users or SYSTEM?

Answer 33

SeDebugPrivilege.

Question 34

The _____ privilege allows a user to create arbitrary access tokens to impersonate any user with any privilege.

Answer 34

SeCreateTokenPrivilege

Question 35

What is the difference between 'graceful' and 'ungraceful' process termination?

Answer 35

Graceful termination (ExitProcess) allows loaded modules to clean up, while ungraceful termination (TerminateProcess) ends threads abruptly.

Question 36

Which API can only be used by a program to terminate itself?

Answer 36

ExitProcess.

Question 37

According to MITRE, process injection is a technique for _____ and _____.

Answer 37

privilege escalation, defense evasion

Question 38

What are the three high-level steps required for most process injection techniques?

Answer 38

Allocate memory in the process, copy shellcode into it, and execute the shellcode.

Question 39

The 'classic' remote injection technique uses which three key Win32 APIs in sequence?

Answer 39

VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.

Question 40

To perform classic injection on a remote process, what must be obtained first using its Process ID (PID)?

Answer 40

A handle to the target process, typically using the OpenProcess API.

Question 41

What is the core idea behind the 'thread hijacking' evasion technique?

Answer 41

Create a new thread in a suspended state pointing to a benign location, then later change its context to point to the shellcode before resuming it.

Question 42

In thread hijacking, which flag is passed to CreateThread to start the new thread in a non-executing state?

Answer 42

CREATE_SUSPENDED.

Question 43

After creating a suspended thread, which two APIs are used to modify its execution context to point to the shellcode?

Answer 43

GetThreadContext and SetThreadContext.

Question 44

How is shellcode executed using the Asynchronous Procedure Call (APC) injection technique?

Answer 44

An APC pointing to the shellcode is queued on an existing thread, which executes it when the thread enters an 'alertable' state.

Question 45

To queue an APC on a thread in another process, you must first obtain a thread ID by performing a _____.

Answer 45

thread walk

Question 46

Which API is used to queue an Asynchronous Procedure Call on a target thread?

Answer 46

QueueUserAPC.

Question 47

What is the primary risk or downside of the standard APC injection method?

Answer 47

There is no guarantee that the selected thread will ever enter an alertable state, meaning the shellcode may not run.

Question 48

How does the 'early bird' technique overcome the main downside of standard APC injection?

Answer 48

It spawns a new process in a suspended state, queues the APC on its primary thread, and then resumes it, guaranteeing the APC will trigger.

Question 49

What is the fundamental concept of process hollowing?

Answer 49

It involves starting a process in a suspended state, unmapping its original PE from memory, and mapping a new PE in its place.

Question 50

In the simplified process hollowing example, instead of unmapping the PE, what is done to execute the shellcode?

Answer 50

The PE's entry point in memory is overwritten with the shellcode.

Question 51

To find a process's image base address for hollowing, the native API _____ is used to get the PEB address.

Answer 51

NtQueryInformationProcess

Question 52

After getting the image base address from the PEB, the _____ value from the DOS header is used to locate the NT header.

Answer 52

e_lfanew

Question 53

Once the NT header is located in memory, the RVA of the PE's entry point is found in which specific field?

Answer 53

OptionalHeader->AddressOfEntryPoint.

Question 54

What does Platform Invoke (P/Invoke) allow a C# developer to do?

Answer 54

It allows managed C# code to access functions in unmanaged libraries, such as the Win32 APIs in kernel32.dll.

Question 55

In C# P/Invoke, functions from unmanaged libraries are declared with the `extern` keyword and the _____ attribute.

Answer 55

DllImport

Question 56

Setting `SetLastError = true` in the `DllImport` attribute allows you to retrieve the last API error code using which .NET class and method?

Answer 56

The `Marshal.GetLastWin32Error()` method.

Question 57

What is the purpose of using the `DefaultDllImportSearchPaths` attribute in a P/Invoke declaration?

Answer 57

It protects against DLL hijacking by forcing the application to look for the DLL in a secure location like System32.

Question 58

Why must a developer manually define structures like `PROCESS_ACCESS_RIGHTS` when using P/Invoke?

Answer 58

Because managed C# code does not have access to the Windows headers (like Windows.h) where these types are originally defined.

Question 59

In P/Invoke, what is the process of converting managed types like C# strings into the correct format for an unmanaged API called?

Answer 59

Marshalling.

Question 60

To correctly marshal a C# string for a WinAPI function that expects a Unicode string (a 'W' variant), which attribute should be added to the `DllImport` declaration?

Answer 60

CharSet = CharSet.Unicode.