Which technique enumerates key elements in the computer system such as system files, processes, and registry keys and compares them to a baseline dataset that is generated without relying on common APIs, with discrepancies indicating rootkit presence?

Prepare for the Certified Ethical Hacker Version 11 Exam with a comprehensive test featuring flashcards and multiple choice questions, each accompanied by hints and explanations to ensure a thorough understanding. Ace your ethical hacking exam with confidence!

Multiple Choice

Which technique enumerates key elements in the computer system such as system files, processes, and registry keys and compares them to a baseline dataset that is generated without relying on common APIs, with discrepancies indicating rootkit presence?

Explanation:
Two independent views of the same system are taken and compared to reveal hidden components. You enumerate key elements such as system files, running processes, and registry keys twice: once through the standard APIs that user-mode tools rely on (which a rootkit may hook and filter), and once through a path that does not depend on those APIs, for example raw reads of kernel data structures, the on-disk file system, or the registry hive files, producing a trusted baseline dataset. Any item that appears in the baseline but is missing from the API view (or vice versa) is a discrepancy that points to a rootkit hiding or injecting that item.

This technique is known as cross view-based detection. It relies on the fact that a rootkit tampers with API responses, so an alternative enumeration path that bypasses those APIs exposes the elements it hides. Runtime Execution Path Profiling, by contrast, examines how code executes and its control flow at runtime rather than comparing system inventories against a non-API baseline. GMER is a tool that implements this kind of detection, but the concept described in the question is cross view-based detection. Two practical caveats: the two views must be gathered through genuinely independent code paths, since a rootkit that tampers with both, or one that runs below the operating system, is not exposed; and objects that start or exit between the two enumerations produce benign one-off differences, so a discrepancy that persists across repeated snapshots is the meaningful signal.

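The comparison described in the explanation, as an added example written for this page rather than code from the exam material or from GMER. The core diff and the persistence filter are generic; the sample snapshots (`API_VIEW`, `LOW_LEVEL_VIEW`, PID 1337 as the hidden process) are constructed, and the two collectors assume a Linux host with procfs mounted: the "API" view is what `readdir()` on `/proc` returns (the path `ps` uses), and the low-level view probes `/proc/<pid>/status` for every candidate PID without ever listing the directory.

```python
"""Cross view-based detection: two inventories of the same objects, one taken
through the normal API path and one without it, diffed against each other."""
import os
import sys
from dataclasses import dataclass

# Constructed sample snapshots (not real measurements): the PIDs that a
# process-listing API reports versus a low-level walk of the same system.
# PID 1337 is present in the low-level view only, modelling a process that a
# rootkit filters out of the API results.
API_VIEW = {1, 2, 311, 420, 777}
LOW_LEVEL_VIEW = {1, 2, 311, 420, 777, 1337}


@dataclass(frozen=True)
class CrossViewResult:
    hidden: frozenset    # in the low-level view but absent from the API view
    phantom: frozenset   # in the API view but absent from the low-level view


def cross_view_diff(api_view, low_level_view) -> CrossViewResult:
    """Core of cross view-based detection: items the two views disagree on."""
    api, low = set(api_view), set(low_level_view)
    return CrossViewResult(frozenset(low - api), frozenset(api - low))


def persistent_discrepancies(snapshot_pairs) -> CrossViewResult:
    """Only report discrepancies present in every (api, low-level) pair.

    Processes that start or exit between the two enumerations produce
    one-off differences; a hidden object stays hidden across repeated
    snapshots, so the intersection across pairs is the meaningful signal.
    """
    results = [cross_view_diff(a, l) for a, l in snapshot_pairs]
    if not results:
        return CrossViewResult(frozenset(), frozenset())
    hidden = frozenset.intersection(*(r.hidden for r in results))
    phantom = frozenset.intersection(*(r.phantom for r in results))
    return CrossViewResult(hidden, phantom)


# Linux collectors (assumed environment: a Linux host with procfs mounted).
def api_view_linux() -> set:
    """The 'common API' view: the PIDs that readdir() on /proc returns,
    which is what ps and top rely on and what a rootkit typically filters."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def lowlevel_view_linux(max_pid=None) -> set:
    """A view that never calls readdir(): probe /proc/<pid>/status for every
    candidate PID, so hiding from it requires hooking a second code path.
    Thread IDs also have a /proc entry, so keep only thread-group leaders."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"/proc/{pid}/status") as f:
                for line in f:
                    if line.startswith("Tgid:"):
                        if int(line.split()[1]) == pid:
                            found.add(pid)
                        break
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue   # no such PID, exited mid-read, or not readable
    return found


if __name__ == "__main__":
    if sys.platform.startswith("linux"):
        # Two snapshot pairs so transient processes are filtered out.
        pairs = [(api_view_linux(), lowlevel_view_linux()) for _ in range(2)]
    else:
        pairs = [(API_VIEW, LOW_LEVEL_VIEW)]
    result = persistent_discrepancies(pairs)
    print("hidden from API view:", sorted(result.hidden))
    print("in API view only:   ", sorted(result.phantom))
```

On a Linux host the full PID-space walk takes some seconds with the default `pid_max`; pass a smaller `max_pid` to bound it. A PID in `hidden` is a process the kernel knows about but `readdir()` on `/proc` did not report, which is exactly the discrepancy the question describes. Note the limitation from the explanation: a rootkit that filters both the directory listing and the per-PID lookups defeats this particular pair of views, which is why real tools combine several independent enumeration paths.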
