Avira Operations GmbH & Co KG Hiring Test
Hiring Test – 120 minutes
Please send us all your created material by mail after finishing the tasks.

1. What is the difference between the following ASM instructions? (1 minute)
    mov eax, 0
    sub eax, eax
    xor eax, eax

2. What is the purpose of this code snippet? (1 minute)
    00401000  E8 00000000     call 00401005
    00401005  5B              pop ebx
    00401006  81EB 05104000   sub ebx, 00401005

3. What is the purpose of this code snippet? (2 minutes)
    mov eax, 00431b54
    push eax
    push dword ptr fs:[0]
    mov dword ptr fs:[0], esp
    xor eax, eax
    mov dword ptr [eax], ecx
4. What do some malware cryptors do with the "fnstenv" instruction? (2 minutes)
5. Why does malware use eventvwr.exe? (2 minutes)
6. Why would a malware sample use WMIPrvse.exe (WMI)? (2 minutes)
© Avira Operations GmbH & Co. KG | Confidential |Page 1
7. Write C or Python code for this assembler code (12 minutes)
    buf db 10 dup (0)

    func:
        mov eax, dword ptr [value]
        mov esi, 10h
        xor ecx, ecx
    label1:
        xor edx, edx
        div esi
        push edx
        inc ecx
        or eax, eax
        jnz label1
        mov edi, offset buf
    label2:
        pop eax
        add eax, '0'
        stosb
        loop label2
        xor eax, eax
        stosb
        ret
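As an added example (not part of the test), a Python translation of the task 7 routine that mirrors the register-level behaviour of the assembly. The function name asm_q7 is an assumption; note that "add eax, '0'" maps remainders above 9 to the characters ':' through '?', not to hex letters.

```python
# Added example: register-level translation of the task 7 assembly.
# Function name asm_q7 is an assumption, not from the test.

def asm_q7(value: int) -> bytes:
    """Repeatedly DIV EAX by 10h (ESI), pushing each remainder, then pop
    the remainders into buf with '0' added, and append a null byte."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("EAX holds a 32-bit unsigned value")
    eax = value
    stack = []                  # remainders pushed in label1
    # label1 is a do-while loop: value 0 still produces one digit
    while True:
        eax, edx = divmod(eax, 0x10)   # div esi: EAX=quotient, EDX=remainder
        stack.append(edx)              # push edx  (ECX counts the pushes)
        if eax == 0:                   # or eax, eax / jnz label1
            break
    buf = bytearray(10)         # buf db 10 dup (0): 8 digits + null fit
    edi = 0                     # mov edi, offset buf
    while stack:                # label2 .. loop label2 runs ECX times
        eax = stack.pop()       # pop eax: most significant digit first
        # add eax, '0' / stosb: 0..9 -> '0'..'9', but 10..15 -> ':'..'?'
        buf[edi] = (eax + ord('0')) & 0xFF
        edi += 1
    buf[edi] = 0                # xor eax, eax / stosb: null terminator
    return bytes(buf[:edi])     # the C string left in buf
```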
8. Write C or Python code for this assembler code (12 minutes)
        xor eax, eax
        mov word ptr ss:[ebp-30h], 01h
        xor ecx, ecx
    label1:
        mov byte ptr ss:[ebp+ecx-130h], cl
        inc ecx
        cmp ecx, 100h
        jl label1
        xor ecx, ecx
    label2:
        mov dl, byte ptr ss:[input+eax]
        xor byte ptr ss:[ebp+ecx-130h], dl
        inc eax
        cmp eax, dword ptr ds:[inputlen]
        jl label3
        xor eax, eax
    label3:
        inc ecx
        cmp ecx, 100h
        jl label2
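As an added example (not part of the test), a Python translation of the task 8 loops. The function name asm_q8 is an assumption; the 256-byte buffer at [ebp-130h] is modelled as a bytearray and "input"/"inputlen" as the bytes argument and its length.

```python
# Added example: translation of the task 8 assembly.
# Function name asm_q8 is an assumption, not from the test.

def asm_q8(input_bytes: bytes) -> bytes:
    """Build a 256-byte table with table[i] = i, then XOR every entry with
    the next byte of input, wrapping EAX back to 0 at inputlen."""
    inputlen = len(input_bytes)
    if inputlen <= 0:
        # the asm would read input[0] forever; a zero-length key is invalid
        raise ValueError("inputlen must be positive")
    table = bytearray(256)      # the 100h bytes at [ebp-130h] .. [ebp-31h]
    flag = 1                    # mov word ptr [ebp-30h], 01h: not used by
                                # the loops shown, kept for fidelity
    # label1: identity table
    ecx = 0
    while ecx < 0x100:
        table[ecx] = ecx & 0xFF         # mov byte ptr [ebp+ecx-130h], cl
        ecx += 1
    # label2: XOR each entry with the key byte at input[eax]
    eax = 0                             # xor eax, eax at function start
    ecx = 0
    while ecx < 0x100:
        dl = input_bytes[eax]           # mov dl, byte ptr [input+eax]
        table[ecx] ^= dl                # xor byte ptr [ebp+ecx-130h], dl
        eax += 1
        if not eax < inputlen:          # cmp eax, [inputlen] / jl label3
            eax = 0                     # xor eax, eax: restart the key
        ecx += 1                        # label3
    return bytes(table)
```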
9. The following C code contains 5 syntax or logical errors. Please find them all and explain what is wrong. (5 minutes)
10. Identify the following x86-assembly code snippet by the first few instructions. (2 minutes)
        pusha
        mov esi, dword ptr [esp+24h]
        mov edi, dword ptr [esp+28h]
        cld
        mov dl, 80h
        xor ebx, ebx
    label_1:
        movsb es:[edi], [esi]
        mov bl, 02h
        call func_1
        jnb label_1
        [...]

11. Identify the following Python code snippet or at least roughly describe what it does. (5 minutes)
    def func(var_a, var_b):
        x = 0
        var_c = list(range(256))   # list() so the swap below also works on Python 3
        for i in range(256):
            x = (x + var_c[i] + ord(var_b[i % len(var_b)])) % 256
            var_c[i], var_c[x] = var_c[x], var_c[i]
        x, y = 0, 0
        out = []
        for char in var_a:
            x = (x + 1) % 256
            y = (y + var_c[x]) % 256
            var_c[x], var_c[y] = var_c[y], var_c[x]
            out.append(chr(ord(char) ^ var_c[(var_c[x] + var_c[y]) % 256]))
        return ''.join(out)
12. How could you ensure that the Windows loader executes some code before the entrypoint of a Windows PE file? (1 minute)
13. What do you think, if you see "Th is progr am canno t be" in a malware sample (some spaces are nullbytes)? (1 minute)
14. What do you think, if you see "M8Z" in a malware sample? (1 minute)
15. What is a “SQL-Injection”? (3 minutes)
16. What are the advantages and disadvantages of kernel-mode hooking versus user-mode hooking? (3 minutes)
17. Why does malware inject into other processes? (3 minutes)
18. How could an AV product prevent malware injection from being successful? (4 minutes)
19. What was the most interesting rootkit/exploit you analyzed and why was it interesting? (5 minutes)
20. Name 3 anti-debugging tricks. (5 minutes)
21. What do you call the type of attack when an attacker has samples of both the plaintext and its encrypted version (ciphertext) and is at liberty to make use of them to reveal further secret information such as a secret key? What other attack models for cryptanalysis do you know? (3 minutes)
22. What is the purpose of doing forensic on an infected machine? (5 minutes)
23. What is sinkholing? (3 minutes)
24. How does single stepping work at CPU level? (2 minutes)
25. What is ROP? Describe roughly (3 minutes)
26. What are the advantages and disadvantages of emulation-based detections? Did you work on such a system? (5 minutes)
27. What are advantages and disadvantages of behavior-based detections? Did you work on such a system? (5 minutes)
28. What do you consider the biggest flaws of nowadays antivirus protection technologies? (4 minutes)
29. What are advantages of detection in the cloud? (4 minutes)
30. A new entry is made in the following paths in the Windows Registry. Which entries cause a program to be loaded when Windows is started? Place a check mark beside the correct options. (2 minutes)
    [ ] HKLM\System\CurrentControlSet\Services
    [ ] HKLM\System\Select
    [ ] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    [ ] HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    [ ] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache
    [ ] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
31. Explain the difference between a “sandbox” and a “virtual machine” (2 minutes)
32. What is the purpose of the IP address range 10.0.x.x? What other address ranges besides 10.0.x.x also fulfill this function? (2 minutes)
33. What can you tell about these chunks of data? (2 minutes)
34. What can you tell about the process list below? (4 minutes)
35. What irregularities do you discover for this Microsoft PE file? (2 minutes)