Rootkits modify the internal functionality of the OS to conceal their existence. These modifications can hide files, processes, network connections, and other resources from running programs, making it difficult for antivirus products, administrators, and security analysts to discover malicious activity.

The majority of rootkits in use operate by somehow modifying the kernel. Although rootkits can employ a diverse array of techniques, in practice, one technique is used more than any other: System Service Descriptor Table hooking. This technique is several years old and easy to detect relative to other rootkit techniques. However, it’s still used by malware because it’s easy to understand, flexible, and straightforward to implement.

The ...