Process hiding is accomplished by removing a specific process entry from the process link list, just as our rootkit is removed from the device driver link list. The implementation provided in this section uses the process ID to find a process in the process link list and then sets the link pointers to remove the desired process entry. This design requires the process to tell the rootkit its process ID. Fortunately, our rootkit already has a local command interface mechanism, so implementation of this functionality will only require slight modifications to existing files, although one new file will be required to test process hiding functionality. This file is aptly named HideMe.c. Process hiding is shown in Figure 9-1.