adplus-dvertising
frame-decoration

Question

What is the weakness in Defender's technique of obfuscating API calls?

a.

The implementation maintains the APIs order from the export table

b.

It is not possible to retrieve the API name from its checksum

c.

It is possible to directly step into the kernel in a kernel debugger to find out which API is being called

d.

Randomly reorganizing the table during initialization

Posted under Reverse Engineering

Answer: (c).It is possible to directly step into the kernel in a kernel debugger to find out which API is being called Explanation:For some APIs, it is possible to just directly step into the kernel in a kernel debugger and find out which API is being called.

Engage with the Community - Add Your Comment

Confused About the Answer? Ask for Details Here.

Know the Explanation? Add it Here.

Q. What is the weakness in Defender's technique of obfuscating API calls?

Similar Questions

Discover Related MCQs

Q. What was the purpose of adding the call to IsDebuggerPresent API in Defender?

Q. What is the impact of obfuscating the interface with the operating system?

Q. What is the purpose of the Processor Time-Stamp Verification Thread in Defender?

Q. Why is it important to directly access the hardware time-stamp counter using a low-level instruction in the Processor Time-Stamp Verification Thread?

Q. What would happen if the encryption on each key function was not implemented in the Processor Time-Stamp Verification Thread?

Q. What modifications can be made to a time-stamp verification thread to make it more difficult to remove?

Q. Is the current implementation of the verification thread safe for commercial use?

Q. What changes should be made to the counter constant in a commercial product environment?

Q. What priority should the verification thread be set to in a commercial product environment?

Q. What is the purpose of adding periodical checksum calculations from the main thread?

Q. Why should the actual checksum verifications be inlined?

Q. What should be done with the verification thread in a commercial product environment?

Q. What is the advantage of generating decryption keys in runtime?

Q. What are interdependent keys?

Q. How does Defender use interdependent keys?

Q. What is a cryptographic hash algorithm?

Q. How does Defender generate decryption keys?

Q. What is the purpose of dongle protection?

Q. Why was the Chained Block Cipher in Defender crackable?

Q. What would make cracking Defender more difficult?