CAP 4136
Malware Reverse Engineering
Midterms Exam Review (Qns & Ans)
2025
1. Which of the following tools is most commonly used for static
analysis of malware?
A. Wireshark
B. IDA Pro
C. Burp Suite
D. Nessus
- ANS: B. IDA Pro
- Rationale: IDA Pro is a popular tool for static disassembly
and reverse engineering of malware binaries.
©2025
,2. What is the purpose of the "packer" in malware?
A. To analyze malicious network traffic
B. To obfuscate and compress executable files
C. To create decoy files during attacks
D. To clean up registry traces after execution
- ANS: B. To obfuscate and compress executable files
- Rationale: Packers are used by malware authors to evade
detection by making the code harder to analyze.
3. Which of the following APIs is commonly exploited by
malware for process injection?
A. CreateFile
B. VirtualAllocEx
C. RegDeleteKey
D. ReadFile
- ANS: B. VirtualAllocEx
- Rationale: VirtualAllocEx allocates memory in another
process, which is a common step in process injection.
4. In reverse engineering, what is the significance of dynamic
analysis in a sandboxed environment?
A. It analyzes source code for vulnerabilities.
©2025
, B. It tracks the execution of malware in a controlled
environment.
C. It encrypts malware payloads for further study.
D. It visualizes memory layouts of benign executables.
- ANS: B. It tracks the execution of malware in a controlled
environment.
- Rationale: Dynamic analysis observes malware behavior in
real-time without risking the host system.
5. Which technique is used to detect polymorphic malware?
A. Pattern Matching
B. Heuristic Analysis
C. Signature-Based Detection
D. Sandboxing
- ANS: B. Heuristic Analysis
- Rationale: Heuristic methods can identify malware that
modifies itself to avoid detection by analyzing behavioral
characteristics.
---
Fill-in-the-Blank Questions
©2025
, 6. __________ is a technique where malware splits itself into
multiple modules to evade detection by security tools.
- ANS: Fragmentation
- Rationale: Fragmentation helps malware evade detection by
splitting its components into separate files or modules.
7. The __________ table in a PE file contains addresses for
external libraries used by the executable.
- ANS: Import Address Table (IAT)
- Rationale: The IAT resolves external library function calls
when the executable is loaded.
8. __________ refers to the practice of running malware in an
isolated environment to study its runtime behavior.
- ANS: Sandboxing
- Rationale: Sandboxing ensures malware execution is
confined, preventing harm to the actual system.
9. In assembly, the __________ register typically stores the
address of the top of the stack.
- ANS: ESP (Extended Stack Pointer)
- Rationale: ESP points to the top of the stack during program
execution.
©2025
Malware Reverse Engineering
Midterms Exam Review (Qns & Ans)
2025
1. Which of the following tools is most commonly used for static
analysis of malware?
A. Wireshark
B. IDA Pro
C. Burp Suite
D. Nessus
- ANS: B. IDA Pro
- Rationale: IDA Pro is a popular tool for static disassembly
and reverse engineering of malware binaries.
©2025
,2. What is the purpose of the "packer" in malware?
A. To analyze malicious network traffic
B. To obfuscate and compress executable files
C. To create decoy files during attacks
D. To clean up registry traces after execution
- ANS: B. To obfuscate and compress executable files
- Rationale: Packers are used by malware authors to evade
detection by making the code harder to analyze.
3. Which of the following APIs is commonly exploited by
malware for process injection?
A. CreateFile
B. VirtualAllocEx
C. RegDeleteKey
D. ReadFile
- ANS: B. VirtualAllocEx
- Rationale: VirtualAllocEx allocates memory in another
process, which is a common step in process injection.
4. In reverse engineering, what is the significance of dynamic
analysis in a sandboxed environment?
A. It analyzes source code for vulnerabilities.
©2025
, B. It tracks the execution of malware in a controlled
environment.
C. It encrypts malware payloads for further study.
D. It visualizes memory layouts of benign executables.
- ANS: B. It tracks the execution of malware in a controlled
environment.
- Rationale: Dynamic analysis observes malware behavior in
real-time without risking the host system.
5. Which technique is used to detect polymorphic malware?
A. Pattern Matching
B. Heuristic Analysis
C. Signature-Based Detection
D. Sandboxing
- ANS: B. Heuristic Analysis
- Rationale: Heuristic methods can identify malware that
modifies itself to avoid detection by analyzing behavioral
characteristics.
---
Fill-in-the-Blank Questions
©2025
, 6. __________ is a technique where malware splits itself into
multiple modules to evade detection by security tools.
- ANS: Fragmentation
- Rationale: Fragmentation helps malware evade detection by
splitting its components into separate files or modules.
7. The __________ table in a PE file contains addresses for
external libraries used by the executable.
- ANS: Import Address Table (IAT)
- Rationale: The IAT resolves external library function calls
when the executable is loaded.
8. __________ refers to the practice of running malware in an
isolated environment to study its runtime behavior.
- ANS: Sandboxing
- Rationale: Sandboxing ensures malware execution is
confined, preventing harm to the actual system.
9. In assembly, the __________ register typically stores the
address of the top of the stack.
- ANS: ESP (Extended Stack Pointer)
- Rationale: ESP points to the top of the stack during program
execution.
©2025
