The rootkit detection methods detailed in this chapter should give the rootkit designer a good understanding of the constraints imposed by existing detection technology. Your particular deployment environment might not require anti-detection functionality, but many rootkits will need to incorporate some, if not all, of the detection-prevention techniques detailed in this chapter. Specifically, this chapter shows you how to do the following:
Prevent the detection of kernel system call table hooks
Prevent the detection of kernel trampoline hooking
Prevent the detection of user mode hooks
Prevent the detection of process hiding
Prevent the detection of file and/or registry key hiding
Prevent the detection of alternate data streams
The next chapter further expands upon rootkit design considerations by covering anti-rootkit technology: software that prevents a rootkit from being loaded and run in the first place, as opposed to software that detects a rootkit that has already been implanted.