Certified Ethical Hacker (CEH) — Question 53
How can a rootkit bypass the Windows 7 operating system's kernel-mode code signing policy?
Answer options
- A. Defeating the scanner from detecting any code change at the kernel
- B. Replacing patch system calls with its own version that hides the rootkit (attacker's) actions
- C. Performing common services for the application process and replacing real applications with fake ones
- D. Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence/options
Correct answer: D
Explanation
The correct answer, D, describes how a rootkit can embed itself in the master boot record, allowing it to execute before the operating system loads and so evade detection. Options A, B, and C involve methods that may not consistently bypass the kernel's protections, because they rely on altering system functionality or behaviour that could still be monitored or detected by security software.