Set of code that allows someone to control aspects of the host
operating system without revealing its presence.
Joseph Kong, Designing BSD Rootkits
A rootkit gives its operator the ability to hide files, processes and
programs as if they had never been installed on the computer. It can be
used to hide files from both the user and the operating system's own
tools.
In 2005, Sony published music CDs with copy-protection software called
"Extended Copy Protection (XCP)". It was installed automatically after
the user accepted the EULA. Files, processes, registry keys and
directories whose names started with $sys$ became 'invisible'. Because
the cloaking was keyed only on that prefix, any program naming its own
files $sys$... was hidden as well; actual malware (Breplibot) later did
exactly that.
Hacker Defender (hxdef) is a rootkit for Microsoft Windows operating
systems. It enables processes, files and registry keys to be hidden from
system administrators and security scanning tools.
system calls (creating new ones or overriding existing ones)
TTY line disciplines
Loadable kernel modules are much faster to maintain and debug than code
compiled into the base kernel, and they are not much slower than it.
Hooking is a programming technique that employs handler functions to
modify control flow. When applied to system calls, it replaces entries
in the kernel's syscall table with pointers to the rootkit's own
handlers, which usually call the original afterwards and filter the
result; this is often called "syscall hijacking".
The first step is locating the address of the syscall table in memory,
since the symbol is not exported to modules on modern Linux kernels.
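The following user-space model of syscall hijacking is an added example; it is not code from the page or from Designing BSD Rootkits. The "syscall table" is an ordinary array of function pointers, the directory listing is constructed sample data, and the names NR_GETDENTS, real_getdents, install_hook and count_hijacked_entries are assumptions made for the demonstration. The hook filters out every entry starting with $sys$ (the XCP prefix discussed above), which is how a file-hiding rootkit works once it has found the table; the step of locating the real kernel table is not modelled. A simple integrity check is included to show what a detector compares against.

```c
#include <stdio.h>
#include <string.h>

#define NR_GETDENTS 0
#define NR_SYSCALLS 1
#define HIDE_PREFIX "$sys$"   /* entries with this prefix are cloaked */

/* Simplified getdents: fills `out` with up to `max` entry names, returns the count. */
typedef int (*getdents_fn)(const char **out, int max);

/* Constructed sample directory listing, not real file-system data. */
static const char *const sample_dir[] = {
    "notes.txt", "$sys$driver.sys", "photo.jpg", "$sys$config.dat",
};

/* The "real" kernel implementation: returns every entry unfiltered. */
static int real_getdents(const char **out, int max)
{
    int n = 0;
    for (size_t i = 0; i < sizeof sample_dir / sizeof sample_dir[0] && n < max; i++)
        out[n++] = sample_dir[i];
    return n;
}

/* Model of the kernel's syscall table (assumed layout for this example). */
static getdents_fn sys_call_table[NR_SYSCALLS] = { real_getdents };

/* Rootkit side: saved original pointer so the hook can call through. */
static getdents_fn orig_getdents;

static int hooked_getdents(const char **out, int max)
{
    int n = orig_getdents(out, max);   /* let the kernel do the real work */
    int kept = 0;
    for (int i = 0; i < n; i++) {      /* then drop the entries to hide */
        if (strncmp(out[i], HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0)
            continue;
        out[kept++] = out[i];
    }
    return kept;                        /* caller never sees the cloaked names */
}

/* Overwrite the table entry: this is the "hijack". */
void install_hook(void)
{
    orig_getdents = sys_call_table[NR_GETDENTS];
    sys_call_table[NR_GETDENTS] = hooked_getdents;
}

void remove_hook(void)
{
    sys_call_table[NR_GETDENTS] = orig_getdents;
}

/* What a user program sees: dispatch through the (possibly hijacked) table. */
int list_dir(const char **out, int max)
{
    return sys_call_table[NR_GETDENTS](out, max);
}

/* Detector side: compare the live table with a known-good copy taken at
 * boot. Returns the number of entries that no longer match. */
int count_hijacked_entries(void)
{
    static const getdents_fn known_good[NR_SYSCALLS] = { real_getdents };
    int bad = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != known_good[i])
            bad++;
    return bad;
}

int main(void)
{
    const char *names[8];
    int n, i;

    n = list_dir(names, 8);
    printf("before hook: %d entries, %d hijacked\n", n, count_hijacked_entries());
    for (i = 0; i < n; i++) printf("  %s\n", names[i]);

    install_hook();
    n = list_dir(names, 8);
    printf("after hook: %d entries, %d hijacked\n", n, count_hijacked_entries());
    for (i = 0; i < n; i++) printf("  %s\n", names[i]);

    remove_hook();
    return 0;
}
```

Before the hook the listing shows all four names and the table matches the known-good copy; after it only notes.txt and photo.jpg are returned, while the pointer comparison reports one hijacked entry. That mismatch is exactly what table-integrity checkers look for, which is why more careful rootkits hook deeper (inside the handler or the VFS) rather than in the table itself.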