312-50V11 · Question #309
How can a rootkit bypass Windows 7 operating system's kernel mode, code signing policy?
The correct answer is D. Attaching itself to the master boot record in a hard drive and changing the machine's boot. A bootkit infects the Master Boot Record (MBR) and executes before the Windows kernel loads, allowing it to bypass kernel-mode code signing enforcement entirely.
Question
How can a rootkit bypass Windows 7 operating system's kernel mode, code signing policy?
Options
- ADefeating the scanner from detecting any code change at the kernel
- BReplacing patch system calls with its own version that hides the rootkit (attacker's) actions
- CPerforming common services for the application process and replacing real applications with fake
- DAttaching itself to the master boot record in a hard drive and changing the machine's boot
How the community answered
(47 responses)- A6% (3)
- B9% (4)
- C2% (1)
- D83% (39)
Why each option
A bootkit infects the Master Boot Record (MBR) and executes before the Windows kernel loads, allowing it to bypass kernel-mode code signing enforcement entirely.
Defeating a scanner addresses detection evasion, not bypassing the code signing enforcement mechanism that prevents unsigned code from running in kernel mode.
Replacing system calls (SSDT hooking) operates within kernel mode and would be detected and blocked by PatchGuard (Kernel Patch Protection), which specifically monitors kernel structures.
Replacing real applications with fake ones is a user-mode technique and does not interact with or bypass kernel-mode code signing policy.
Windows 7 kernel-mode code signing policy (enforced by PatchGuard and driver signing requirements) is loaded during OS boot. By infecting the MBR, a bootkit gains control before the Windows kernel initializes, so code signing checks are never applied to the malicious code. This technique is the basis of 'bootkits' like TDL4/Alureon that specifically targeted Windows 7's protections.
Concept tested: Bootkit MBR infection bypassing kernel code signing
Source: https://learn.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10
Topics
Community Discussion
No community discussion yet for this question.