GREM GREM Rootkit & Anti-Forensics Analysis

Question 1

What fundamentally distinguishes a kernel-mode rootkit from a user-mode rootkit?

Accepted Answer

Kernel-mode rootkits operate at CPU Ring 0 with unrestricted access, while user-mode rootkits operate at Ring 3

Answer

Kernel-mode rootkits require administrator credentials while user-mode do not

Answer

Kernel-mode rootkits only infect Linux systems

Answer

User-mode rootkits require physical hardware access to install

Question 2

What is DKOM (Direct Kernel Object Manipulation) used for by rootkits?

Accepted Answer

Hiding processes by unlinking their EPROCESS entries from the kernel's doubly linked process list

Answer

Encrypting kernel memory regions

Answer

Injecting shellcode into kernel drivers

Answer

Elevating a user-mode process to kernel privilege

Question 3

How do SSDT hook-based rootkits intercept information returned to user-mode programs?

Accepted Answer

They overwrite entries in the System Service Descriptor Table to redirect system calls to malicious handler functions

Answer

They encrypt all system calls before execution

Answer

They patch the kernel's export table

Answer

They modify the hardware interrupt descriptor table exclusively

Question 4

Which open-source tool cross-references multiple process listing sources to detect hidden processes that kernel rootkits conceal?

Accepted Answer

Process Hacker (System Informer)

Answer

Windows Task Manager

Answer

Notepad++

Answer

Windows Event Viewer

Question 5

What type of rootkit infects the Master Boot Record to execute before the operating system loads?

Accepted Answer

Bootkit

Answer

User-mode API hooking rootkit

Answer

File-infecting ring-3 rootkit

Answer

Memory-resident fileless rootkit

Question 6

Why is memory forensics with tools like Volatility more effective than live OS analysis for detecting kernel rootkits?

Accepted Answer

It analyzes raw physical memory, bypassing rootkit hooks that manipulate OS API responses

Answer

It is faster than live analysis

Answer

It requires no special tools or privileges

Answer

It can detect rootkits without a memory dump