Chapter 7. DETECTION

We'll now turn to the challenging world of rootkit detection. In general, you can detect a rootkit in one of two ways: either by signature or by behavior. Detecting by signature involves scanning the operating system for a particular rootkit trait (e.g., inline function hooks). Detecting by behavior involves catching the operating system in a "lie" (e.g., sockstat(1) lists two open ports, but a port scan reveals three).
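A userland cross-view check built around the sockstat(1) example above, added here as illustration and not code from the book: it compares the TCP listeners sockstat reports with the ports that actually accept a local connection, and flags any port that answers but is missing from the listing. It assumes FreeBSD's `sockstat -4 -l` column layout; the sample output embedded below is constructed for offline testing.

```python
"""Cross-view check for hidden listening ports (added example, not from the book)."""
import re
import socket
import subprocess

# Constructed sample of `sockstat -4 -l` output, used for offline testing.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       742   4  tcp4   *:22                  *:*
root     sendmail   910   3  tcp4   127.0.0.1:25          *:*
root     syslogd    601   6  udp4   *:514                 *:*
"""

# LOCAL ADDRESS is either "*:port" or "a.b.c.d:port"
_ADDR_RE = re.compile(r"^(?:\*|[\d.]+):(\d+)$")

def listening_tcp_ports(sockstat_output: str) -> set[int]:
    """Parse sockstat(1) text and return the TCP ports it claims are listening."""
    ports = set()
    for line in sockstat_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        # columns: USER COMMAND PID FD PROTO LOCAL FOREIGN
        if len(fields) < 6 or not fields[4].startswith("tcp"):
            continue
        m = _ADDR_RE.match(fields[5])
        if m:
            ports.add(int(m.group(1)))
    return ports

def connect_scan(host: str, ports, timeout: float = 0.2) -> set[int]:
    """Return the subset of `ports` that accept a TCP connection on `host`."""
    open_ports = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports

def hidden_ports(reported: set[int], observed: set[int]) -> set[int]:
    """Ports that answered the scan but sockstat did not report: the 'lie'."""
    return observed - reported

if __name__ == "__main__":
    out = subprocess.run(["sockstat", "-4", "-l"],
                         capture_output=True, text=True).stdout
    reported = listening_tcp_ports(out)
    observed = connect_scan("127.0.0.1", range(1, 1024))
    print("ports open but not reported by sockstat:",
          sorted(hidden_ports(reported, observed)))
```

A discrepancy is evidence, not proof: a service that bound after sockstat ran, or a firewall redirect, can produce the same result, so confirm with a second view (for example a kernel memory dump) before concluding a hook is present.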

In this chapter, you'll learn how to detect the different rootkit techniques described throughout this book. Keep in mind, however, that rootkits and rootkit detectors are in a perpetual arms race. When one side develops a new technique, the other side develops a countermeasure. In other words, what works today ...
