GREM Study Guide 2026

Everything you need to pass the GREM exam in one place: the exam format, every topic to study, real practice questions with explanations, flashcards, and full-length practice tests. Free, no sign-up needed.

📋 GREM Exam Format at a Glance

75
Questions
120 min
Time Limit
69%
Passing Score

📚 GREM Topics to Study (21)

✍️ Sample GREM Questions & Answers

1. Why is process injection considered an effective anti-forensics technique beyond just code execution?
It embeds malicious code inside legitimate trusted processes, causing security tools that whitelist known processes to overlook the malicious activity

Process injection hides malicious code inside trusted processes like svchost.exe, causing tools that filter by process reputation to overlook the malicious behavior entirely.

2. What is DKOM (Direct Kernel Object Manipulation) used for by rootkits?
Hiding processes by unlinking their EPROCESS entries from the kernel's doubly linked process list

DKOM rootkits directly manipulate kernel data structures such as the EPROCESS linked list to unlink hidden processes, making them invisible to OS APIs and standard task managers.

3. What is a common source of threat intelligence data?
Commercial threat intelligence feeds

Commercial threat intelligence feeds are a primary source because they aggregate, analyze, and curate vast amounts of threat data from various global sources. These feeds provide organizations with timely, actionable, and often highly specific indicators of compromise (IOCs) and threat actor information that would be difficult to gather independently.

4. Which tool is the standard choice for capturing and analyzing network packets during a malware sandbox session?
Wireshark

Wireshark is the standard packet capture and analysis tool used by malware analysts to inspect network traffic generated during sandbox execution.

5. What is the primary function of WinPmem in a rootkit forensic investigation?
Acquiring a raw physical memory dump from a live Windows system for offline analysis

WinPmem is an open-source memory acquisition tool that captures raw physical memory from a live Windows system, providing the dump needed for offline Volatility analysis.

6. Which of the following x86 instructions performs a bitwise logical AND operation but discards the result, only updating the CPU flags (like the Zero Flag)?
TEST

The `TEST` instruction computes a bitwise logical AND of its two operands and updates the CPU flags (ZF, SF, PF) based on the result, but it does not store the result in the destination operand. It is frequently used to check if a specific bit is set or if a register is zero. For example, `TEST EAX, EAX` followed by a `JZ` (Jump if Zero) is a common way to check if EAX is zero.

🎯 Free GREM Practice Tests

📖 GREM Guides & Articles

Your GREM Study Path
1. Learn with Flashcards → 2. Drill Practice Tests → 3. Take the Full Exam Simulation
GREM Study Guide 2026 — Exam Format, Topics & Practice Questions