In this chapter, we covered hooking tables of function pointers, both in userland and in the kernel. Kernel hooks are preferred: if a detection or protection suite is looking for your rootkit, kernel-level access lets you bring the full power of the kernel to bear on evading or defeating it, and it offers a vast number of places to hide and ways to defeat the enemy. Because stealth is a primary goal for a rootkit, merely intercepting a call is not enough; the hook must call the original function and then filter what it returns, so that the rootkit's own artifacts never reach the caller. Hooking is truly a dual-use technology. It is used by many public rootkits and other malicious software, but it is also used by anti-virus software and other host-protection products.
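The pattern summarized above, as an added example that is not code from the book: a self-contained user-mode simulation of hooking an entry in a table of function pointers (the same shape as the SSDT or an import table) with a filtering hook. The dispatch table, the "directory listing" service, the hidden-entry prefix `_root_`, and the function names are all constructed for illustration. The hook saves the original pointer, swaps in its own routine, calls the original, strips entries it wants hidden, and can be removed again. A `table_entry_is_clean` check shows the simplest detection a host-protection product can apply to the same table: comparing the slot against a known-good address.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a table of function pointers standing in for a
 * kernel dispatch table. Callers only ever go through the table, so
 * replacing one slot redirects every caller of that service. */

#define MAX_ENTRIES 8
#define NAME_LEN    32
#define HIDE_PREFIX "_root_"   /* assumed marker for entries the hook hides */

/* A service fills a caller-supplied name array and returns the count. */
typedef int (*service_fn)(char out[][NAME_LEN], int max);

enum { SVC_QUERY_DIRECTORY = 0, SVC_COUNT };

/* The genuine service: returns a constructed directory listing. */
static int real_query_directory(char out[][NAME_LEN], int max) {
    static const char *listing[] = {
        "notepad.exe", "_root_driver.sys", "calc.exe", "_root_config.dat"
    };
    int n = 0;
    for (size_t i = 0; i < sizeof listing / sizeof listing[0] && n < max; i++) {
        strncpy(out[n], listing[i], NAME_LEN - 1);
        out[n][NAME_LEN - 1] = '\0';
        n++;
    }
    return n;
}

/* The dispatch table itself. */
static service_fn service_table[SVC_COUNT] = { real_query_directory };

/* Saved original pointer: needed both for pass-through and for unhooking. */
static service_fn original_query_directory = NULL;

/* The hook: let the original do the work, then filter its results. */
static int hooked_query_directory(char out[][NAME_LEN], int max) {
    int n = original_query_directory(out, max);
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (strncmp(out[i], HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0)
            continue;                       /* drop the rootkit's own entries */
        if (kept != i)
            memcpy(out[kept], out[i], NAME_LEN);
        kept++;
    }
    /* Wipe the tail so hidden names do not linger past the returned count. */
    for (int i = kept; i < n; i++)
        memset(out[i], 0, NAME_LEN);
    return kept;
}

/* Install the hook: save the original, overwrite the slot. Returns 1 on change. */
int install_hook(void) {
    if (original_query_directory != NULL)
        return 0;                           /* already hooked */
    original_query_directory = service_table[SVC_QUERY_DIRECTORY];
    service_table[SVC_QUERY_DIRECTORY] = hooked_query_directory;
    return 1;
}

/* Remove the hook by restoring the saved pointer. Returns 1 on change. */
int remove_hook(void) {
    if (original_query_directory == NULL)
        return 0;                           /* nothing to restore */
    service_table[SVC_QUERY_DIRECTORY] = original_query_directory;
    original_query_directory = NULL;
    return 1;
}

/* What an ordinary caller does: dispatch through the table. */
int query_directory(char out[][NAME_LEN], int max) {
    return service_table[SVC_QUERY_DIRECTORY](out, max);
}

/* What a detector does: compare the slot against the known-good address. */
int table_entry_is_clean(void) {
    return service_table[SVC_QUERY_DIRECTORY] == real_query_directory;
}

int main(void) {
    char names[MAX_ENTRIES][NAME_LEN];
    int n = query_directory(names, MAX_ENTRIES);
    printf("before hook: %d entries, table clean=%d\n", n, table_entry_is_clean());
    install_hook();
    n = query_directory(names, MAX_ENTRIES);
    printf("after hook:  %d entries, table clean=%d\n", n, table_entry_is_clean());
    for (int i = 0; i < n; i++)
        printf("  %s\n", names[i]);
    remove_hook();
    n = query_directory(names, MAX_ENTRIES);
    printf("after unhook: %d entries, table clean=%d\n", n, table_entry_is_clean());
    return 0;
}
```

The filtering happens after the original call so that everything the caller legitimately expects still comes back; only the entries matching the hidden prefix are removed. The same comparison `table_entry_is_clean` performs is why a rootkit that leaves a modified pointer in a well-known table is easy to spot, and why the chapter's point about using kernel-level access to evade or disable the detector matters.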