GIAC
GCIH · Question #87
GCIH Question #87: Real Exam Question with Answer & Explanation
The correct answer is C: Hypervisor rootkit. A hypervisor rootkit operates below the operating system by inserting a virtualization layer, causing the legitimate OS to run as a guest VM so the rootkit can intercept all hardware calls.
Malware Analysis & Advanced Persistent Threats
Question
Which of the following rootkits is able to load the original operating system as a virtual machine, thereby enabling it to intercept all hardware calls made by the original operating system?
Options
- A. Kernel-level rootkit
- B. Boot loader rootkit
- C. Hypervisor rootkit
- D. Library rootkit
Explanation
A hypervisor rootkit (also called a virtual-machine-based rootkit, VMBR) installs a thin hypervisor beneath the running operating system, either from the boot path or, using the CPU's hardware virtualization extensions (Intel VT-x or AMD-V), by migrating the live OS into a guest virtual machine on the fly. From that position it sits between the OS and the hardware: privileged instructions, I/O and interrupts that the guest kernel believes go straight to the hardware instead cause VM exits into the rootkit, which can inspect or alter them and then resume the guest, while nothing inside the guest kernel has been modified for an in-OS scanner to find. The research prototypes SubVirt and Blue Pill (both 2006) demonstrated the technique. Detection therefore has to look for side effects of virtualization rather than for tampered OS structures: the CPUID hypervisor-present bit and vendor leaf (which a stealth hypervisor can fake), anomalous timing of instructions that force a VM exit, or a check from a trusted boot chain on whether VMX/SVM is already enabled. "All hardware calls" is the exam's simplification: a thin hypervisor traps only the events it configures to trap and lets everything else run natively, which is precisely what makes it both stealthy and fast.
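As an added check, not part of the original question page or of GIAC's material: a small C program that probes from user mode for the condition a hypervisor rootkit creates, namely an OS that is itself running as a guest. It assumes an x86 host built with GCC or Clang (on other architectures it compiles but reports the CPU checks as unsupported); the vendor-signature table, the 1000-cycle timing threshold and all function names are this example's own choices, not values from the page.

```c
/* hv_probe.c: added example, not code from the GCIH page. Three checks,
 * weakest first:
 *  1. CPUID.1:ECX bit 31, the "hypervisor present" bit cooperative
 *     hypervisors (KVM, VMware, Hyper-V) set. A stealth rootkit clears it.
 *  2. CPUID leaf 0x40000000, the hypervisor vendor signature (same caveat).
 *  3. Timing: CPUID unconditionally causes a VM exit under VT-x/AMD-V, so
 *     one CPUID costs far more TSC cycles under a hypervisor than natively.
 *     The 1000-cycle threshold is an assumption, not a calibrated constant. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __cpuid macro (GCC/Clang) */
#include <x86intrin.h>  /* __rdtsc */
#define HV_PROBE_X86 1
#else
#define HV_PROBE_X86 0
#endif

/* Known leaf-0x40000000 signatures (EBX, ECX, EDX as 12 ASCII bytes). */
static const struct { const char *sig; const char *name; } hv_vendors[] = {
    { "KVMKVMKVM",    "KVM" },
    { "VMwareVMware", "VMware" },
    { "Microsoft Hv", "Hyper-V" },
    { "XenVMMXenVMM", "Xen" },
    { "VBoxVBoxVBox", "VirtualBox" },
    { "TCGTCGTCGTCG", "QEMU (TCG)" },
    { "bhyve bhyve ", "bhyve" },
};

/* Map a signature to a product name; NULL when it matches no known vendor. */
const char *hv_vendor_name(const char *sig)
{
    for (size_t i = 0; i < sizeof hv_vendors / sizeof hv_vendors[0]; i++)
        if (strncmp(sig, hv_vendors[i].sig, strlen(hv_vendors[i].sig)) == 0)
            return hv_vendors[i].name;
    return NULL;
}

/* Pure decision step for the timing heuristic, kept separate so it is testable. */
int hv_timing_suspicious(uint64_t min_cycles, uint64_t threshold)
{
    return min_cycles > threshold;
}

/* 1 if CPUID.1:ECX[31] is set, 0 if clear, -1 if CPUID is unavailable. */
int hv_present_bit(void)
{
#if HV_PROBE_X86
    unsigned a, b, c, d;
    __cpuid(1, a, b, c, d);
    return (c >> 31) & 1;
#else
    return -1;
#endif
}

/* Copy the leaf-0x40000000 signature into out[13]; 0 if unsupported. */
int hv_signature(char out[13])
{
#if HV_PROBE_X86
    unsigned a, b, c, d;
    __cpuid(0x40000000, a, b, c, d);
    memcpy(out, &b, 4); memcpy(out + 4, &c, 4); memcpy(out + 8, &d, 4);
    out[12] = '\0';
    return 1;
#else
    out[0] = '\0';
    return 0;
#endif
}

/* Minimum TSC cycles for one CPUID over `iters` runs (0 if unsupported).
 * The minimum is used because interrupts and scheduling only ever push
 * samples up; the lowest sample is the closest to the true trap cost. */
uint64_t hv_cpuid_min_cycles(int iters)
{
#if HV_PROBE_X86
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < iters; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        uint64_t t1 = __rdtsc();
        if (t1 - t0 < best) best = t1 - t0;
    }
    return best;
#else
    (void)iters;
    return 0;
#endif
}

int main(void)
{
    char sig[13];
    int bit = hv_present_bit();
    hv_signature(sig);
    uint64_t cyc = hv_cpuid_min_cycles(200);
    const char *name = hv_vendor_name(sig);
    printf("hypervisor-present bit : %d\n", bit);
    printf("vendor signature       : \"%s\" (%s)\n", sig, name ? name : "none/unknown");
    printf("min CPUID cost (cycles): %llu -> %s\n", (unsigned long long)cyc,
           hv_timing_suspicious(cyc, 1000) ? "VM exit likely" : "bare-metal range");
    return 0;
}
```

Build with `cc -O2 hv_probe.c -o hv_probe`. On bare metal expect the bit clear, no recognised signature and a CPUID cost in the low hundreds of cycles; inside a cooperative VM all three checks fire. A Blue Pill-style rootkit hides the first two, so the timing check is the one that matters, and even it can be defeated by a hypervisor that offsets the guest's TSC, which is why the robust answer is measurement from outside the guest, such as a measured boot chain that records whether VMX/SVM was already enabled.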
Common mistakes.
- A. Kernel-level rootkits run inside the OS kernel, by loading a malicious module or driver or by patching kernel code and tables (system call table, IDT, function pointers). They hold ring 0 privilege and can hook the kernel's own I/O paths, but they live at the same level as the OS rather than beneath it, so they cannot virtualize it and remain exposed to integrity checks run from the kernel or from a trusted boot chain.
- B. Boot loader rootkits (bootkits) infect the MBR, VBR or a UEFI boot component to gain control before the OS starts, which gives them persistence and a chance to patch the kernel as it loads; they do not themselves add a virtualization layer that traps hardware access.
- D. Library rootkits are user-mode rootkits: they replace or patch shared libraries such as libc, or inject hooks through mechanisms like LD_PRELOAD, so that API calls made by processes return filtered results. They see only what passes through user-mode APIs and are defeated by tools that read kernel state directly.
Concept tested. Hypervisor rootkit virtualization-layer interception
Reference. https://learn.microsoft.com/en-us/windows/security/threat-protection/intelligence/rootkits-malware
Topics
hypervisor rootkit, rootkit types, virtualization, malware