Rootkits

30.01.2006

When a rootkit is installed, it replaces or hooks selected system calls and system utilities with its own modified versions of those routines, so every program that asks the system a question gets the rootkit's answer instead of the real one.

For example, to hide the existence of a file, the rootkit must intercept every system call that can carry a file name argument, such as open(), chdir(), stat() and unlink(). Name checks alone are not enough: directory enumeration calls such as readdir()/getdents() return names rather than receive them, so the rootkit must also filter their results.

Any time a call is made to one of these functions, it is redirected to the modified routine, which inspects the parameters being passed. If the request would neither involve nor reveal the hidden file, the "normal" system call is made and its results are returned unchanged.

However, if the hidden data might be revealed, the rootkit's modified routine handles the request itself so that it can suppress the unwanted output, for example by dropping the hidden entry from a directory listing before it reaches the caller.

If the user or system attempts to manipulate a hidden process, file, network port, etc., the modified routine must fail in exactly the way the genuine one would if the object did not exist, including the same error code (for a file, ENOENT). Any difference between the hooked view and the unhooked view, such as a file that the kernel's own enumeration returns but the hooked call denies, is precisely the inconsistency that rootkit detectors look for.
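The decision logic described above, as an added example that is not code from the original page. It simulates the hook in user space rather than patching a kernel syscall table: the hidden name `rk_hidden.txt`, the function names `path_is_hidden`, `hooked_open`, `hooked_unlink`, `hooked_listdir` and `demo_hiding`, and the scratch directory under /tmp are all assumptions made for the illustration. The two code paths match the text: calls that receive a path are refused with ENOENT, and directory enumeration has its output filtered.

```c
#define _DEFAULT_SOURCE 1
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample: the name the simulated rootkit hides. Any path with this
 * as a component (the file itself, or anything underneath it) is treated as absent. */
static const char *HIDDEN_NAME = "rk_hidden.txt";

/* Parameter check shared by every hooked call that receives a path. */
int path_is_hidden(const char *path) {
    if (path == NULL) return 0;
    size_t n = strlen(HIDDEN_NAME);
    const char *p = path;
    while (*p) {
        while (*p == '/') p++;               /* skip separators */
        const char *start = p;
        while (*p && *p != '/') p++;         /* one path component */
        if ((size_t)(p - start) == n && memcmp(start, HIDDEN_NAME, n) == 0)
            return 1;
    }
    return 0;
}

/* Hooked open(): requests that would reveal the hidden file fail exactly as
 * the genuine call fails for a missing file (-1, errno = ENOENT); everything
 * else passes straight through to the real open(). */
int hooked_open(const char *path, int flags) {
    if (path_is_hidden(path)) { errno = ENOENT; return -1; }
    return open(path, flags);
}

/* Hooked unlink(): same decision and same error, so deleting the hidden
 * file looks like deleting a file that never existed. */
int hooked_unlink(const char *path) {
    if (path_is_hidden(path)) { errno = ENOENT; return -1; }
    return unlink(path);
}

/* Directory enumeration receives no file name; it returns names. So here the
 * hook filters the output: every entry of `dir` except the hidden one is
 * copied into `out`. Returns the number kept, or -1 if opendir() fails. */
int hooked_listdir(const char *dir, char out[][256], int max) {
    DIR *d = opendir(dir);
    if (d == NULL) return -1;
    int kept = 0;
    struct dirent *e;
    while (kept < max && (e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, HIDDEN_NAME) == 0) continue;   /* suppress */
        snprintf(out[kept++], 256, "%s", e->d_name);
    }
    closedir(d);
    return kept;
}

/* Demonstration on a scratch directory: create a visible and a hidden file,
 * then check that the hooked view omits the hidden one while the genuine
 * system call still finds it. Returns 1 if every expectation held. */
int demo_hiding(const char *dir) {
    char vis[512], hid[512], names[32][256];
    snprintf(vis, sizeof vis, "%s/visible.txt", dir);
    snprintf(hid, sizeof hid, "%s/%s", dir, HIDDEN_NAME);
    int fd = open(vis, O_WRONLY | O_CREAT, 0600); if (fd >= 0) close(fd);
    fd = open(hid, O_WRONLY | O_CREAT, 0600);     if (fd >= 0) close(fd);

    int n = hooked_listdir(dir, names, 32), saw_visible = 0, saw_hidden = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(names[i], "visible.txt") == 0) saw_visible = 1;
        if (strcmp(names[i], HIDDEN_NAME) == 0) saw_hidden = 1;
    }
    int open_denied   = (hooked_open(hid, O_RDONLY) == -1 && errno == ENOENT);
    int unlink_denied = (hooked_unlink(hid) == -1 && errno == ENOENT);
    int real_sees     = (access(hid, F_OK) == 0);  /* unhooked call: still there */

    unlink(vis); unlink(hid);     /* genuine unlink(); the hook would refuse */
    return saw_visible && !saw_hidden && open_denied && unlink_denied && real_sees;
}

int main(void) {
    char tmpl[] = "/tmp/rkdemo.XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (dir == NULL) { perror("mkdtemp"); return 1; }
    int ok = demo_hiding(dir);
    rmdir(dir);
    printf("hooked view hid the file: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The last check in `demo_hiding` is the point a practitioner should take away: the unhooked `access()` still reports the file, so comparing a hooked view against an unhooked one (or against the raw on-disk directory) exposes the hiding. A real kernel rootkit would hook the syscall table or the filesystem layer so that no unhooked path remains in the running kernel, which is why detection then moves to offline disk inspection or memory forensics.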