Which of the following is the MOST likely reason the analyst cannot find a process ID for the shell?

A forensic analyst suspects that a buffer overflow exists in a kernel module. The analyst executes the following command: dd if=/dev/ram of=/tmp/mem/dmp
The analyst then reviews the associated output:
^34^#AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/bin/bash^21^03#45
However, the analyst is unable to find any evidence of the running shell.
Which of the following is the MOST likely reason the analyst cannot find a process ID for the shell?
A. The NX bit is enabled
B. The system uses ASLR
C. The shell is obfuscated
D. The code uses dynamic libraries
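As an added example (not part of the exam question or the commenters' posts), the script below does the two checks an analyst would run on this scenario from the defender's side: it scans a raw dump for the residue shown in the output (a long run of 0x41 filler immediately followed by a shell path) and it parses Linux /proc/<pid>/maps text for mappings that are both writable and executable, the condition that NX/W^X enforcement is meant to rule out. SAMPLE_DUMP and SAMPLE_MAPS are constructed inputs modelled on the question, not real captures.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample dump modelled on the page's dd output; not a real capture.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"^34^#" + b"A" * 38 + b"/bin/bash" + b"^21^03#45"
    + b"\x00" * 16
)

# Constructed /proc/<pid>/maps lines (Linux format); the rwxp stack is the finding.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/example
7ffd1a2b3000-7ffd1a2d4000 rwxp 00000000 00:00 0 [stack]
7f3c0e000000-7f3c0e1c5000 r-xp 00000000 08:01 99 /usr/lib/libc.so.6
"""

@dataclass
class Artifact:
    offset: int   # byte offset of the filler run inside the dump
    pad_len: int  # number of 0x41 ('A') filler bytes before the path
    target: str   # interpreter path that followed the filler

def find_overflow_artifacts(dump: bytes, min_pad: int = 16) -> List[Artifact]:
    """Locate runs of 'A' filler of at least min_pad bytes followed by a shell path."""
    pattern = re.compile(rb"(A{" + str(min_pad).encode() + rb",})(/bin/(?:ba|da)?sh)")
    return [Artifact(m.start(1), len(m.group(1)), m.group(2).decode())
            for m in pattern.finditer(dump)]

# start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

def writable_executable_regions(maps_text: str) -> List[str]:
    """Return names of mappings that are both writable and executable (W^X violated)."""
    hits = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if m and "w" in m.group(3) and "x" in m.group(3):
            hits.append(m.group(4) or "<anonymous>")
    return hits

if __name__ == "__main__":
    for a in find_overflow_artifacts(SAMPLE_DUMP):
        print(f"offset {a.offset:#x}: {a.pad_len} filler bytes then {a.target}")
    print("W+X mappings:", writable_executable_regions(SAMPLE_MAPS))
```

On a live system the same parser can be pointed at the text of /proc/<pid>/maps for a suspect process, and an empty W+X list alongside overflow residue in the dump is consistent with the payload never having executed.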


2 thoughts on “Which of the following is the MOST likely reason the analyst cannot find a process ID for the shell?”

  1. I would go with B (ASLR).

    From CASP’s official prep book:

    “Address space layout randomization (ASLR) is an operating system technique that randomizes where components of a running process (the base executable, application programming interfaces [APIs], the heap, etc.) are placed in memory. This makes it more difficult for an attacker to aim a buffer overflow at specific points in the address space.
    ASLR mechanisms can prevent intentional software crashes that could also lead to privilege escalation attacks. Most modern OSes provide code libraries that support ASLR use. For example, on Windows, you can integrate ASLR-enabled executables and dynamic link libraries (DLL) in your app. Keep in mind, however, that some attacks have proven effective against ASLR—so don’t mistake it for a flawless countermeasure to memory-based threats.”

    Discussion:
    https://vceguide.com/which-of-the-following-of-the-most-likely-reason-the-analyst-cannot-find-a-process-id-for-the-shell/
