nerdexam
EC-Council

312-50V10 · Question #309

How can a rootkit bypass Windows 7 operating system's kernel mode, code signing policy?

The correct answer is D. Attaching itself to the master boot record in a hard drive and changing the machine's boot. A bootkit attaches to the Master Boot Record and runs before the OS loads, bypassing Windows 7 kernel code signing enforcement entirely.

Malware Threats

Question

How can a rootkit bypass Windows 7 operating system's kernel mode, code signing policy?

Options

  • ADefeating the scanner from detecting any code change at the kernel
  • BReplacing patch system calls with its own version that hides the rootkit (attacker's) actions
  • CPerforming common services for the application process and replacing real applications with fake
  • DAttaching itself to the master boot record in a hard drive and changing the machine's boot

How the community answered

(47 responses)
  • A
    17% (8)
  • B
    9% (4)
  • C
    4% (2)
  • D
    70% (33)

Why each option

A bootkit attaches to the Master Boot Record and runs before the OS loads, bypassing Windows 7 kernel code signing enforcement entirely.

ADefeating the scanner from detecting any code change at the kernel

Defeating a scanner from detecting code changes describes anti-forensic obfuscation, not a technique for bypassing the kernel code signing policy.

BReplacing patch system calls with its own version that hides the rootkit (attacker's) actions

Replacing system calls describes kernel hooking, which happens after the OS loads and would still be subject to code signing and PatchGuard checks.

CPerforming common services for the application process and replacing real applications with fake

Replacing real applications with fake ones describes user-mode trojan behavior, which does not operate at the kernel level and does not bypass code signing.

DAttaching itself to the master boot record in a hard drive and changing the machine's bootCorrect

By embedding itself in the Master Boot Record, a bootkit executes during the pre-boot phase before the Windows kernel and its code signing enforcement mechanisms are initialized. This allows the rootkit to modify the boot sequence and load unsigned or malicious kernel-mode drivers that PatchGuard and Kernel Mode Code Signing would otherwise block. Because Windows security policies have not yet been loaded at MBR execution time, the bypass is structural rather than a software exploit of those policies.

Concept tested: MBR bootkit bypass of kernel code signing policy

Source: https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/rootkits-malware

Topics

#rootkit#kernel mode signing#MBR#boot sector infection

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice