100+ Free GREM Practice Questions

Pass your GIAC Reverse Engineering Malware (GREM) exam on the first try — instant access, no signup required.


Key Facts: GREM Exam

  • Questions: 75 (source: GIAC)
  • Passing Score: 73% (source: GIAC)
  • Duration: 180 min (source: GIAC)
  • Exam Fee: $979 (source: GIAC (retake))
  • Validity: 4 years (source: GIAC)
  • Format: Open Book (Index-based)

GREM validates advanced malware reverse engineering skills. The exam has 75 questions in 3 hours with a 73% passing score. Topics include static analysis (IDA Pro, Ghidra, PEview), dynamic analysis (FakeNet-NG, Process Monitor, Noriben, INetSim), x86/x64 assembly, unpacking (OllyDbg, x64dbg), anti-analysis bypass, malicious document triage (oletools, olevba), JavaScript de-obfuscation (box-js, malware-jail), shellcode analysis (scdbg, speakeasy), .NET reverse engineering (dnSpy), and YARA rule writing. GREM is open book (index-based) and valid 4 years.

Sample GREM Practice Questions

Try these sample questions to test your GREM exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which file format identifier (magic bytes) at offset 0 indicates a Windows Portable Executable (PE) file?
   A. MZ (0x4D 0x5A)
   B. ELF (0x7F 0x45 0x4C 0x46)
   C. PE (0x50 0x45)
   D. CAFEBABE (0xCA 0xFE 0xBA 0xBE)
   Explanation: Windows PE files begin with the DOS header, which starts with the ASCII 'MZ' (bytes 0x4D 0x5A) — named after Mark Zbikowski. The actual 'PE' signature (0x50 0x45 0x00 0x00) appears later at the offset pointed to by e_lfanew. ELF is the Linux format, and CAFEBABE identifies Java class files or Mach-O fat binaries.

2. Which tool is designed to identify packers, compilers, and protectors used on a PE file by analyzing signatures and entropy?
   A. Process Monitor
   B. Detect It Easy (DiE)
   C. Wireshark
   D. Regshot
   Explanation: Detect It Easy (DiE) is a signature-based tool that identifies compilers, packers (UPX, Themida, VMProtect, ASPack), and protectors on PE, ELF, and Mach-O files. It also reports section entropy, which is useful for spotting packed sections. Process Monitor captures runtime file/registry events, Wireshark captures network traffic, and Regshot diffs registry snapshots.

3. When performing manual UPX unpacking in x64dbg, which technique uses the stack pointer to locate the Original Entry Point (OEP)?
   A. API hashing trick
   B. ESP trick (stack pointer breakpoint)
   C. PEB walking
   D. Egg hunting
   Explanation: The ESP trick (also called the stack pointer trick) is a classic manual unpacking technique. After the unpacker stub saves registers (PUSHAD), the analyst sets a hardware breakpoint on the saved ESP value. When the stub restores registers (POPAD) before jumping to the OEP, the breakpoint triggers — landing the analyst at or near the OEP. This works well for UPX and similar stack-preserving packers.

4. Which command-line tool from the oletools suite is specifically designed to extract and analyze VBA macros from Office documents?
   A. oleid
   B. olevba
   C. olemap
   D. rtfobj
   Explanation: olevba is part of Philippe Lagadec's oletools suite and is designed specifically to extract VBA macro code, detect suspicious keywords/IOCs, and deobfuscate common tricks. oleid identifies document type and features, olemap shows OLE stream structure, and rtfobj extracts embedded objects from RTF files.

5. In x86 assembly, which calling convention passes the first argument via ECX and is used for C++ instance methods on Microsoft compilers?
   A. cdecl
   B. stdcall
   C. fastcall
   D. thiscall
   Explanation: thiscall is Microsoft's C++ instance method calling convention. The 'this' pointer is passed in ECX, and remaining arguments are pushed on the stack right-to-left. The callee cleans up the stack. cdecl passes all arguments on the stack (caller cleans), stdcall does the same but callee cleans, and fastcall (Microsoft variant) uses ECX and EDX for the first two DWORD arguments.

6. Which FakeNet-NG feature allows malware to 'see' responses from fake services like DNS, HTTP, and SMTP while preventing actual network egress?
   A. Raw packet interception only
   B. Diverter module with interception and responder services
   C. VPN tunneling
   D. TLS termination proxy
   Explanation: FakeNet-NG uses a Diverter module (leveraging WinDivert on Windows) to intercept all outbound traffic and redirect it to internal responder services (DNS, HTTP, HTTPS, SMTP, FTP, IRC, POP3, and more). The malware believes it is communicating with real servers, enabling full behavioral analysis in an isolated environment. The tool logs every request for IOC extraction.

7. Which Volatility 3 plugin lists currently running processes with PID, PPID, and command line from a Windows memory image?
   A. windows.pslist
   B. windows.psscan
   C. windows.cmdline
   D. windows.pstree
   Explanation: windows.pslist walks the PsActiveProcessHead doubly linked list to enumerate currently running processes. windows.psscan uses pool tag scanning to find hidden/exited processes. windows.cmdline extracts command lines specifically, and windows.pstree shows parent-child relationships. Many analysts run all four and diff the output to detect rootkit unlinking.

8. What is the purpose of API hashing in malware?
   A. Encrypting API response data
   B. Obscuring imported function names so they do not appear in the import table or strings
   C. Hashing files before upload to C2
   D. Checksumming code for integrity
   Explanation: API hashing hides malware's imported functions from static analysis. Instead of linking to functions like VirtualAlloc by name (which would appear in the import table or strings), the malware walks the loaded DLL's export table at runtime, hashing each name and comparing to a target hash. This defeats simple string and import-table analysis and is common in shellcode, Cobalt Strike, and PIC loaders.

9. Which YARA condition would match a file whose size is less than 500KB AND contains the string 'evil'?
   A. filesize < 500KB and $evil
   B. filesize < 500000 and $evil
   C. filesize < 500KB or $evil
   D. size < 500KB && $evil
   Explanation: YARA's filesize keyword takes a raw byte count. KB/MB suffixes are supported in YARA (500KB works), but the canonical byte form is 500000 — both should be accepted. The logical AND keyword in YARA is 'and' (not '&&'), and the string reference uses the $-prefixed identifier. Option B is unambiguously correct; option A is also valid YARA syntax, but the question asks for the byte form.

10. Which disassembler/decompiler is developed and released by the NSA as an open-source alternative to IDA Pro?
   A. Binary Ninja
   B. radare2
   C. Ghidra
   D. Hopper
   Explanation: Ghidra is an open-source software reverse engineering framework released by the NSA in 2019. It includes a powerful decompiler, supports many architectures, and is freely available. Binary Ninja and Hopper are commercial products, and radare2 is an unrelated open-source project.
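The DOS-header check from question 1 as a small triage script, added here as an example and not code from the practice page. It validates 'MZ' at offset 0, follows e_lfanew from offset 0x3C to the 'PE\0\0' signature, and reads the 20-byte COFF header; the header-only sample bytes are constructed inside the script, and the machine-type table is a short subset.

```python
import struct

# Short subset of IMAGE_FILE_MACHINE values, enough for the constructed samples.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}

def build_sample(machine=0x8664, sections=3, e_lfanew=0x40):
    """Constructed header-only sample (not a real binary): a DOS header carrying
    e_lfanew, then 'PE\\0\\0' and a 20-byte COFF header at that offset."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3A)          # DOS header is 0x40 bytes long
    dos += struct.pack("<I", e_lfanew)                # e_lfanew lives at offset 0x3C
    coff = struct.pack("<HHIIIHH", machine, sections, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos).ljust(e_lfanew, b"\x00") + b"PE\x00\x00" + coff

def triage_pe(data: bytes) -> dict:
    """Check MZ at offset 0, follow e_lfanew to the PE signature, read the COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"pe": False, "reason": "no MZ signature at offset 0"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The pointer must land inside the file with room for PE\0\0 (4) + COFF header (20).
    if e_lfanew + 24 > len(data):
        return {"pe": False, "reason": "e_lfanew points past end of file (truncated, or plain MS-DOS executable)"}
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"pe": False, "reason": "MZ present but no PE signature at e_lfanew"}
    machine, nsections, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "pe": True,
        "e_lfanew": e_lfanew,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "optional_header_size": opt_size,
        "dll": bool(chars & 0x2000),                # IMAGE_FILE_DLL
        "executable_image": bool(chars & 0x0002),   # IMAGE_FILE_EXECUTABLE_IMAGE
    }

if __name__ == "__main__":
    for label, blob in [("pe-x64", build_sample()), ("pe-x86", build_sample(machine=0x014C)),
                        ("elf", b"\x7fELF" + b"\x00" * 64), ("truncated", build_sample()[:0x50])]:
        print(label, triage_pe(blob))
```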
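The analyst's side of question 8, as an added example that is not from the page: precomputing the hashes of known export names gives a reverse lookup for the 32-bit constants pulled out of a sample. The ROR-13-and-add hash and the short export list are assumptions (samples use many hash variants, and a real table is built from the DLL's actual export table).

```python
def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF

def api_hash(name: str) -> int:
    """ROR-13-and-add over the ASCII bytes of an export name (one common variant; assumed here)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h

# Constructed export list; a real table comes from the DLL's export directory (e.g. via pefile).
KNOWN_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
                 "CreateThread", "WriteProcessMemory", "ExitProcess", "InternetOpenA"]

def build_table(names):
    """Map hash -> list of names; collisions stay visible instead of overwriting each other."""
    table = {}
    for n in names:
        table.setdefault(api_hash(n), []).append(n)
    return table

def resolve_hashes(hashes, table):
    """Map each constant found in a sample to the export name(s) with that hash, or None."""
    return {h: table.get(h) for h in hashes}

if __name__ == "__main__":
    table = build_table(KNOWN_EXPORTS)
    # Constructed "constants seen in a sample": two resolvable values and one unknown.
    found = [api_hash("VirtualAlloc"), api_hash("CreateThread"), 0xDEADBEEF]
    for h, names in resolve_hashes(found, table).items():
        print(f"{h:#010x} -> {names or 'unresolved (try another hash variant)'}")
```

An unresolved constant usually means the sample uses a different variant (different rotate count, UTF-16 module names, or a null terminator folded into the hash), so analysts keep several variants side by side.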

About the GREM Exam

The GIAC Reverse Engineering Malware (GREM) certification validates advanced skills in analyzing malicious software targeting Windows systems. It covers static and dynamic analysis, x86/x64 assembly interpretation, unpacking, anti-analysis bypass, malicious document triage, JavaScript and shellcode analysis, .NET reverse engineering, and YARA authoring. Based on SANS FOR610 training.

  • Questions: 75 scored questions
  • Time Limit: 180 minutes
  • Passing Score: 73%
  • Exam Fee: $979 (GIAC (SANS) / ProctorU)

GREM Exam Content Outline

  • Malware Analysis Fundamentals & Lab Setup (15%): Isolated lab architecture, snapshots, network simulation (INetSim, FakeNet-NG), Windows and Linux analysis VMs, behavioral vs code analysis approaches, triage workflow, sample handling, and hashing (MD5/SHA-256)
  • Static Analysis of Windows Executables (15%): PE file structure, sections, imports/exports, strings, Detect It Easy (DiE), PEview, CFF Explorer, PE-bear, IDA Pro, Ghidra, x86/x64 disassembly, cross-references, control flow graphs, and identifying malicious indicators
  • Dynamic Behavioral Analysis (15%): Process Monitor, Process Hacker/Explorer, Regshot, Noriben, API Monitor, Wireshark, FakeNet-NG, ApateDNS, network simulation, registry and file system monitoring, and correlating host and network indicators
  • x86/x64 Assembly for Reverse Engineers (10%): Registers, stack frames, calling conventions (stdcall, cdecl, fastcall, x64), common opcodes, conditional branching, loops, function prologue/epilogue, and recognizing compiler idioms
  • Anti-Analysis, Unpacking & Obfuscation (10%): Anti-debug, anti-VM, anti-sandbox checks, timing and process tricks, packers (UPX, Themida, VMProtect, ASPack), manual unpacking with OllyDbg/x64dbg, ESP trick, scripted unpackers, and obfuscation patterns
  • Malicious Document & Script Analysis (10%): OLE compound documents, oletools (olevba, oleid, olemap), VBA macro analysis, PDF triage (peepdf, pdfid, pdf-parser), JavaScript de-obfuscation (box-js, malware-jail, jsunpack), HTA, LNK, and ISO/IMG container abuse
  • Shellcode & Browser Exploit Analysis (10%): Shellcode disassembly, scdbg emulation, blobrunner, speakeasy, position-independent code, egg hunters, API hashing, exploit kits, drive-by downloads, and CVE-mapped analyst workflow
  • .NET and Managed Malware Reverse Engineering (10%): dnSpy, ILSpy, dotPeek, IL analysis, de-obfuscation of ConfuserEx/de4dot, managed-to-native transitions, string decryption routines, and typical .NET loader patterns
  • YARA Rules & Threat Hunting (5%): YARA syntax, strings and conditions, modules (pe, hash, math), rule optimization, retro-hunting, attribution, and integrating YARA with IR workflows

How to Pass the GREM Exam

What You Need to Know

  • Passing score: 73%
  • Exam length: 75 questions
  • Time limit: 180 minutes
  • Exam fee: $979

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

GREM Study Tips from Top Performers

1. Build a dedicated analysis lab with snapshotting, INetSim/FakeNet-NG, and both Windows and Linux REMnux VMs
2. Memorize the PE file format — DOS header, NT headers, sections, imports, exports — and practice with PEview
3. Master x86 and x64 calling conventions (stdcall, cdecl, fastcall) and stack frame layout
4. Practice unpacking UPX manually in x64dbg using the ESP (stack pointer) trick
5. Learn anti-debug tricks (IsDebuggerPresent, PEB flag, NtQueryInformationProcess) and how to bypass them
6. Analyze malicious Office documents with oletools (olevba, oleid) and de-obfuscate VBA macros by hand
7. De-obfuscate JavaScript with box-js and malware-jail — know when to prefer each
8. Disassemble and emulate shellcode with scdbg and speakeasy; understand API hashing
9. Reverse .NET samples in dnSpy and run de4dot against ConfuserEx-protected binaries
10. Write YARA rules that balance specificity (minimal false positives) with flexibility (variant catching)
11. Build a printed, tabbed, indexed reference book — GIAC exams are open book and speed matters

Frequently Asked Questions

What is the GIAC GREM exam format?

The GIAC GREM exam consists of 75 questions with a 180-minute (3-hour) time limit. The passing score is 73%. Questions include multiple choice and may include CyberLive hands-on practical components. The exam is open book — candidates can reference printed notes and an index. It is delivered via ProctorU online or Pearson VUE onsite.

How does GREM differ from GCIH and GCFA?

GCIH focuses on incident handling, GCFA on host forensics (including some memory and malware triage), and GREM on deep malware reverse engineering. GREM goes much deeper into assembly, unpacking, and code-level analysis than the other two. It is typically taken after candidates already hold GCIH or GCFA and want to specialize in malware analysis.

What tools are covered in the GREM exam?

Core tools include IDA Pro, Ghidra, x64dbg, OllyDbg, PEview, Detect It Easy, Process Monitor, Process Hacker, Regshot, Noriben, FakeNet-NG, INetSim, ApateDNS, oletools (olevba), box-js, malware-jail, scdbg, speakeasy, dnSpy, ILSpy, and YARA. Candidates should be comfortable pivoting between static and dynamic analysis workflows.

Is GREM open book?

Yes. Like other GIAC certifications, GREM is open book. Candidates are allowed to bring printed notes and reference materials into the exam. Building a well-indexed reference is a major study activity. No electronic devices (laptops, tablets, phones) are permitted during the exam.

What are the GREM renewal requirements?

GIAC certifications are valid for 4 years. Renewal requires earning 36 CPE credits or retaking the current version of the exam, plus paying a renewal fee ($479 as of 2026). CPEs can be earned through SANS training, publishing research, conference attendance, and relevant work experience.

How long should I study for GREM?

Plan for 120-180 hours of study over 8-12 weeks. Most candidates take SANS FOR610 first (6 days). Allocate significant time to hands-on labs: static analysis of benign and malicious binaries, unpacking UPX/Themida samples, JavaScript de-obfuscation, and writing YARA rules. A strong reverse engineering background shortens the timeline.

What jobs can I get with GREM certification?

GREM qualifies you for specialized roles: Malware Analyst ($100,000-160,000), Reverse Engineer ($110,000-170,000), Threat Researcher ($110,000-175,000), SOC Tier 3 ($100,000-150,000), and Incident Response Specialist ($100,000-160,000). It is widely required at threat intelligence vendors, government agencies, and large enterprises with dedicated malware analysis teams.