Rootkits

30.01.2006

These types of kernel changes are relatively easy to detect, because they alter normally unchanging kernel tables, replacing the addresses of legitimate code with the addresses of the rootkit's own routines; a detector only has to compare the live table against a known-good copy of the same entries. Far more sophisticated techniques are available.

SIDEBAR

A Simple Rootkit Example

An important element of a kernel rootkit is its ability to hide itself and cover up what is really going on. Here's one way that some rootkits do that.

When a rootkit is installed, it replaces certain system calls and utilities with its own modified versions of those routines. The replacements pass ordinary requests through to the original code but filter out anything that would reveal the rootkit, such as its own files or processes.
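The following is an added illustration, not code from the article: a user-space model in C of the system-call-table hook just described, together with the table-integrity check mentioned above that catches it. The dispatch table, the index names (NR_GETDENTS, NR_OPEN), the directory contents and the "known-good" copy are all constructed for the example and are not real kernel identifiers; a real rootkit does the same thing to the kernel's own table from inside a loaded module.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed indices into a two-entry dispatch table (not real syscall numbers). */
#define NR_GETDENTS 0
#define NR_OPEN     1
#define MAX_ENTRIES 8

typedef int (*syscall_fn)(const char **out, int max);

/* Constructed sample directory: three normal entries plus the rootkit's own file. */
static const char *disk_entries[] = { "bin", "etc", "rootkit_loader.ko", "home" };

/* The genuine "list directory" routine: copies every entry out. */
static int real_getdents(const char **out, int max) {
    int n = (int)(sizeof disk_entries / sizeof disk_entries[0]);
    if (n > max) n = max;
    for (int i = 0; i < n; i++) out[i] = disk_entries[i];
    return n;
}

/* A second, untouched routine so the integrity check has something to compare. */
static int real_open(const char **out, int max) { (void)out; (void)max; return 0; }

/* The rootkit saves the original pointer so its hook can call through to it. */
static syscall_fn original_getdents;

/* The rootkit's replacement: calls the real routine, then drops any entry
 * whose name starts with "rootkit" before handing the list back. */
static int hooked_getdents(const char **out, int max) {
    int n = original_getdents(out, max);
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(out[i], "rootkit", 7) != 0) out[kept++] = out[i];
    return kept;
}

/* The live dispatch table, and a trusted copy of what it should contain
 * (the analogue of checking the kernel's table against the kernel image). */
static syscall_fn sys_call_table[2] = { real_getdents, real_open };
static const syscall_fn known_good[2] = { real_getdents, real_open };

/* Overwrite one table entry with the hook, exactly as the text describes. */
void install_rootkit(void) {
    if (sys_call_table[NR_GETDENTS] == hooked_getdents) return;  /* already hooked */
    original_getdents = sys_call_table[NR_GETDENTS];
    sys_call_table[NR_GETDENTS] = hooked_getdents;
}

void remove_rootkit(void) {
    if (original_getdents) sys_call_table[NR_GETDENTS] = original_getdents;
}

/* What any program sees when it lists the directory through the table. */
int list_dir(const char **out, int max) {
    return sys_call_table[NR_GETDENTS](out, max);
}

/* Integrity check: count entries that no longer point where they should. */
int count_tampered_entries(void) {
    int tampered = 0;
    for (int i = 0; i < 2; i++)
        if (sys_call_table[i] != known_good[i]) tampered++;
    return tampered;
}

int main(void) {
    const char *names[MAX_ENTRIES];
    int n = list_dir(names, MAX_ENTRIES);
    printf("before hook: %d entries visible, %d table entries tampered\n", n, count_tampered_entries());
    install_rootkit();
    n = list_dir(names, MAX_ENTRIES);
    printf("after hook:  %d entries visible, %d table entries tampered\n", n, count_tampered_entries());
    remove_rootkit();
    return 0;
}
```

Before the hook the listing shows four entries and the check reports nothing; afterwards the rootkit's file has vanished from the listing, but the single overwritten table entry is exactly what the comparison against the known-good copy flags. This is why the simple table-hooking technique is considered easy to detect, and why the more sophisticated rootkits the text alludes to avoid touching the table at all.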