nerdexam
EC-Council

312-50V11 · Question #309

How can a rootkit bypass Windows 7 operating system's kernel mode, code signing policy?

The correct answer is D. Attaching itself to the master boot record in a hard drive and changing the machine's boot. A bootkit infects the Master Boot Record (MBR) and executes before the Windows kernel loads, allowing it to bypass kernel-mode code signing enforcement entirely.

Malware Threats

Question

How can a rootkit bypass Windows 7 operating system's kernel mode, code signing policy?

Options

  • ADefeating the scanner from detecting any code change at the kernel
  • BReplacing patch system calls with its own version that hides the rootkit (attacker's) actions
  • CPerforming common services for the application process and replacing real applications with fake
  • DAttaching itself to the master boot record in a hard drive and changing the machine's boot

How the community answered

(47 responses)
  • A
    6% (3)
  • B
    9% (4)
  • C
    2% (1)
  • D
    83% (39)

Why each option

A bootkit infects the Master Boot Record (MBR) and executes before the Windows kernel loads, allowing it to bypass kernel-mode code signing enforcement entirely.

ADefeating the scanner from detecting any code change at the kernel

Defeating a scanner addresses detection evasion, not bypassing the code signing enforcement mechanism that prevents unsigned code from running in kernel mode.

BReplacing patch system calls with its own version that hides the rootkit (attacker's) actions

Replacing system calls (SSDT hooking) operates within kernel mode and would be detected and blocked by PatchGuard (Kernel Patch Protection), which specifically monitors kernel structures.

CPerforming common services for the application process and replacing real applications with fake

Replacing real applications with fake ones is a user-mode technique and does not interact with or bypass kernel-mode code signing policy.

DAttaching itself to the master boot record in a hard drive and changing the machine's bootCorrect

Windows 7 kernel-mode code signing policy (enforced by PatchGuard and driver signing requirements) is loaded during OS boot. By infecting the MBR, a bootkit gains control before the Windows kernel initializes, so code signing checks are never applied to the malicious code. This technique is the basis of 'bootkits' like TDL4/Alureon that specifically targeted Windows 7's protections.

Concept tested: Bootkit MBR infection bypassing kernel code signing

Source: https://learn.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10

Topics

#rootkit#kernel mode#code signing#master boot record

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice