Intercepts#Rootkits Q1: A rootkit is a tool that _________ kernel-mode software calls.
alternate#Rootkits Q2: Instead of allowing commands to be processed normally by the Windows kernel, a rootkit provides an ________ response.
Hacker Defender#Rootkits Q3: This is more of a 'blackhat' tool than a training example: __________.
FU#Rootkits Q4: The __ rootkit can hide processes, elevate process privileges, fake out the Windows Event Viewer so that forensics is impossible, and even hide device drivers (NEW!), all without any hooking.
WinlogonHijack#Rootkits Q5: Injects a DLL into winlogon.exe and hooks msgina.WlxLoggedOutSAS, logging every login in plaintext.
NT rootkit#Rootkits Q6: The original and first public NT rootkit.
vanquish#Rootkits Q7: A DLL-injection-based Romanian rootkit that hides files, folders and registry entries and logs passwords.
klister#Rootkits Q8: A simple set of utilities for Windows 2000, designed to read the internal kernel data structures in order to get reliable information about the system state (like the list of all processes, including those "hidden" by rootkits, even by FU).
Patchfinder2#Rootkits Q9: Implements the Execution Path Analysis technique for Windows 2000 systems. EPA is intended to detect various kernel and DLL rootkits in the system.
/proc#Rootkits Q10: In the UNIX implementation, process information is mapped to a directory in the "_____" file system.
/proc/net/tcp and /proc/net/udp#Rootkits Q11: Similar to process hiding, hiding a network connection can be done by preventing it from being listed in the ______ and ______ files.
sys_read()#Rootkits Q12: The idea behind a kernel rootkit is to trojan system calls, e.g. _______ to filter what is read from files such as /proc/net/tcp.
sys_ioctl()#Rootkits Q13: Hiding a sniffer basically means hiding the promiscuous flag of the network interface. The system call to trojan in this case is _______.
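The cross-view check behind Q8, Q10 and Q11, as an added example that is not part of this deck and is not the code of klister or of any rootkit it names: a rootkit that trojans read() on /proc/net/tcp can drop the line for its own listener, but the socket's inode still shows up as a "socket:[inode]" link under /proc/<pid>/fd, so comparing the two views exposes it. The /proc/net/tcp lines and the fd links below are constructed sample data (a listener on port 31337 with inode 19000 has been filtered out of the table but still has an open descriptor); the field layout and the little-endian address encoding are those of the real /proc/net/tcp file.

```c
/* Added illustration (not code from the original deck): cross-view
 * detection of a TCP socket hidden from /proc/net/tcp. The table view and
 * the /proc/<pid>/fd view are both constructed sample data. */
#include <stdio.h>
#include <string.h>

struct tcp_entry { unsigned ip, port, state; unsigned long inode; };

/* Parse one data line of /proc/net/tcp (fields: sl local rem st tx:rx
 * tr:when retrnsmt uid timeout inode ...). The address is the raw u32 in
 * host byte order, so on little-endian hosts 0100007F is 127.0.0.1. */
int parse_tcp_line(const char *line, struct tcp_entry *e)
{
    unsigned raddr, rport;
    return sscanf(line, " %*d: %8x:%4x %8x:%4x %2x %*x:%*x %*x:%*x %*x %*u %*u %lu",
                  &e->ip, &e->port, &raddr, &rport, &e->state, &e->inode) == 6;
}

/* Dotted quad from the little-endian u32 as printed by /proc/net/tcp. */
void format_addr(unsigned ip, char *buf, size_t n)
{
    snprintf(buf, n, "%u.%u.%u.%u", ip & 0xff, (ip >> 8) & 0xff,
             (ip >> 16) & 0xff, (ip >> 24) & 0xff);
}

/* Inode from a readlink() result on /proc/<pid>/fd/N; 0 if not a socket. */
int socket_inode(const char *link, unsigned long *inode)
{
    return sscanf(link, "socket:[%lu]", inode) == 1;
}

/* Report socket inodes that appear in fd links but not in the table.
 * Returns the number written to hidden[]. */
size_t find_hidden_sockets(const struct tcp_entry *tbl, size_t ntbl,
                           const char *const *links, size_t nlinks,
                           unsigned long *hidden, size_t maxhidden)
{
    size_t found = 0;
    for (size_t i = 0; i < nlinks && found < maxhidden; i++) {
        unsigned long ino;
        if (!socket_inode(links[i], &ino)) continue;
        size_t j;
        for (j = 0; j < ntbl && tbl[j].inode != ino; j++) ;
        if (j == ntbl) hidden[found++] = ino;
    }
    return found;
}

/* Constructed sample: what a trojaned read() of /proc/net/tcp returns
 * (the listener on port 31337, inode 19000, has been filtered out)... */
static const char *const SAMPLE_TCP[] = {
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18312 1 0000000000000000 100 0 0 10 0",
    "   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 18400 1 0000000000000000 100 0 0 10 0",
};
/* ...and what readlink() on every /proc/<pid>/fd/N returned. */
static const char *const SAMPLE_FD_LINKS[] = {
    "/dev/null", "pipe:[2001]", "socket:[18312]", "socket:[18400]", "socket:[19000]",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Run the comparison on the sample; returns the number of hidden sockets. */
size_t demo(unsigned long *hidden, size_t maxhidden)
{
    struct tcp_entry tbl[COUNT(SAMPLE_TCP)];
    size_t n = 0;
    for (size_t i = 0; i < COUNT(SAMPLE_TCP); i++)
        if (parse_tcp_line(SAMPLE_TCP[i], &tbl[n])) n++;
    return find_hidden_sockets(tbl, n, SAMPLE_FD_LINKS, COUNT(SAMPLE_FD_LINKS),
                               hidden, maxhidden);
}

int main(void)
{
    char addr[16];
    struct tcp_entry e;
    for (size_t i = 0; i < COUNT(SAMPLE_TCP); i++) {
        parse_tcp_line(SAMPLE_TCP[i], &e);
        format_addr(e.ip, addr, sizeof addr);
        printf("%s:%u state=%02x inode=%lu\n", addr, e.port, e.state, e.inode);
    }
    unsigned long hidden[8];
    size_t n = demo(hidden, COUNT(hidden));
    for (size_t i = 0; i < n; i++)
        printf("socket inode %lu is open in a process but missing from /proc/net/tcp\n", hidden[i]);
    return 0;
}
```

On a live system the fd view comes from readlink() over /proc/*/fd/* and the table view must be the union of /proc/net/tcp, udp, tcp6, udp6, raw and unix, otherwise every non-TCP socket is a false positive. The check only works while the rootkit filters one view and not the other; a rootkit that also trojans getdents() for /proc/<pid>/fd defeats it, which is why tools like klister go to the kernel's own data structures instead of anything the system call interface reports.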
A#Rootkits Q14: The LKMs in the system are kept in a singly linked list; to hide the presence of the LKM rootkit, the rootkit can ^A: remove itself from the list ^B: rename the list ^C: delete the list ^D: add an entry to the list
EXPORT_NO_SYMBOLS#Rootkits Q15: Normally, functions defined in an LKM are exported so that other LKMs can use them. Hiding these symbols is necessary, and the macro that can be used is ____________. This prevents any symbol from being exported.
D#Rootkits Q16: How can you communicate with a rootkit? ^A: just start SSHD ^B: the rootkit creates a listener program ^C: commands are received by ICMP ^D: kernel rootkits have to modify some system calls
sys_execve()#Rootkits Q17: To redirect file execution, the kernel rootkit can replace _______. Thus, whenever the system tries to execute the "login" program, it is redirected to execute the attacker's version of the login program.
Host hardening, system patching and updating#Rootkits Q18: What is the best defense against rootkits? ____ _______, ______ ______ and ________
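The LKM mechanics of Q12 to Q17 in one place, as an added example that is not part of this deck and is not the code of any rootkit it names: a user-space model of a kernel module that saves the original sys_call_table entries, installs its own sys_execve() and sys_ioctl() replacements, and unlinks itself from the module list. Everything kernel-side is a simplified stand-in so it compiles without kernel headers: a two-entry table, one uniform syscall signature, a hand-built module list, and the attacker's login path /usr/lib/.x/login, which is hypothetical. IFF_PROMISC and IFF_UP carry the same bit values as in <net/if.h>.

```c
/* Added illustration, not code from the deck or from any real rootkit: a
 * user-space model of an LKM rootkit that trojans the system call table
 * and unlinks itself from the module list. The table, the syscall
 * signature, the module list and the attacker's path are simplified
 * stand-ins so this compiles without kernel headers; a real 2.4-era LKM
 * would patch the kernel's own sys_call_table[] and module list. */
#include <stdio.h>
#include <string.h>

#define IFF_UP      0x1
#define IFF_PROMISC 0x100   /* same bit values as in <net/if.h> */

/* Simplified syscall: a string, a number, an optional output buffer. */
typedef long (*syscall_fn)(const char *arg, long num, char *out, size_t n);
enum { NR_execve, NR_ioctl, NR_syscalls };
static syscall_fn sys_call_table[NR_syscalls];

/* Singly linked module list; the newest module sits at the head. */
struct module { const char *name; struct module *next; };
static struct module mod_e1000   = { "e1000", NULL };
static struct module mod_rootkit = { "rootkit", &mod_e1000 };
static struct module *module_list;

/* ---- the kernel side, modelled ---------------------------------- */
static long real_execve(const char *path, long num, char *out, size_t n)
{
    (void)num;
    snprintf(out, n, "exec %s", path);     /* record what would run */
    return 0;
}

/* Models SIOCGIFFLAGS: a sniffer is running, so eth0 has IFF_PROMISC. */
static long real_ioctl(const char *ifname, long req, char *out, size_t n)
{
    (void)req; (void)out; (void)n;
    return strcmp(ifname, "eth0") == 0 ? (IFF_UP | IFF_PROMISC) : IFF_UP;
}

void kernel_init(void)
{
    sys_call_table[NR_execve] = real_execve;
    sys_call_table[NR_ioctl]  = real_ioctl;
    module_list = &mod_rootkit;
}

/* Dispatch through the table, as the syscall entry stub does. */
long do_syscall(int nr, const char *arg, long num, char *out, size_t n)
{
    return sys_call_table[nr](arg, num, out, n);
}

int module_visible(const char *name)          /* what lsmod reports */
{
    for (struct module *m = module_list; m; m = m->next)
        if (strcmp(m->name, name) == 0) return 1;
    return 0;
}

/* ---- the rootkit side ------------------------------------------- */
static syscall_fn orig_execve, orig_ioctl;

/* Q17: send /bin/login to the attacker's copy (hypothetical path). */
static long hacked_execve(const char *path, long num, char *out, size_t n)
{
    if (strcmp(path, "/bin/login") == 0)
        path = "/usr/lib/.x/login";
    return orig_execve(path, num, out, n);
}

/* Q13: hide the sniffer by masking IFF_PROMISC out of the real reply. */
static long hacked_ioctl(const char *ifname, long req, char *out, size_t n)
{
    return orig_ioctl(ifname, req, out, n) & ~IFF_PROMISC;
}

/* Q14, option A: unlink our own entry from the module list. Symbols are
 * hidden separately at build time with EXPORT_NO_SYMBOLS (Q15). */
static void hide_module(struct module *self)
{
    for (struct module **pp = &module_list; *pp; pp = &(*pp)->next)
        if (*pp == self) { *pp = self->next; self->next = NULL; return; }
}

void rootkit_init(void)                 /* init_module() in a real LKM */
{
    orig_execve = sys_call_table[NR_execve];
    orig_ioctl  = sys_call_table[NR_ioctl];
    sys_call_table[NR_execve] = hacked_execve;
    sys_call_table[NR_ioctl]  = hacked_ioctl;
    hide_module(&mod_rootkit);
}

void rootkit_cleanup(void)              /* cleanup_module(): undo hooks */
{
    sys_call_table[NR_execve] = orig_execve;
    sys_call_table[NR_ioctl]  = orig_ioctl;
}
```

Call kernel_init() and then rootkit_init(): afterwards do_syscall(NR_execve, "/bin/login", ...) records the attacker's binary while any other path is executed unchanged, do_syscall(NR_ioctl, "eth0", ...) no longer reports IFF_PROMISC, and module_visible("rootkit") returns 0 while e1000 is still listed; rootkit_cleanup() restores the table. The caveat this makes visible is the one the deck's detection cards answer: anything that asks the trojaned table or walks the same module list sees only what the rootkit allows, so detectors such as klister and Patchfinder2 compare against a second source (raw kernel structures, or the number of instructions a call executes) rather than trusting the system call interface.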