The term rootkit describes the mechanisms and techniques by which malicious programs, including viruses, spyware and trojans, attempt to hide from antivirus and antispyware programs. Rootkits fall into categories according to whether the malicious program survives a restart of the computer and whether the rootkit operates at the user level or the kernel level.
A persistent rootkit is associated with a malicious program that is activated every time the computer starts. Because such code must start automatically whenever the computer boots or a user logs on, it has to be stored in a permanent location on the computer, such as a Registry start-up entry or the file system, and needs a way to launch itself without user intervention.
Memory-Resident Rootkits
Memory-resident rootkits are malicious programs that have no persistent code on the computer and are therefore not activated again after a restart.
Rootkits operating at the user level
There are many ways in which rootkits attempt to avoid detection. For example, a user-level rootkit can intercept all calls to the Windows APIs FindFirstFile / FindNextFile, which file-management tools such as Explorer and the command line use to list directories. When an application performs a directory listing whose results would contain entries belonging to the rootkit, the rootkit intervenes and filters those entries out of the results to avoid detection.
Rootkits operating at the kernel level
Kernel-level rootkits are even more powerful, since they not only hook the native API at the kernel level but can also directly manipulate kernel data structures. A common technique for hiding the presence of a malicious program or process is to remove the malicious process from the kernel's list of active processes. Because the process-enumeration APIs report processes based on the contents of this kernel list, the malicious process is no longer visible to management tools such as Task Manager or Process Explorer.
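The following is an added illustration, not code from the original text: a toy model of the process-list hiding just described, together with the cross-view check defenders use against both it and the filtered directory listings of the user-level section. It compares the "API view" (a walk of the linked list) against an independent view of the same records (here a simple allocation pool, standing in for a memory scan); the structures, names and pids are constructed for the example and are not the real kernel's.

```c
#include <stdio.h>
/* Toy model of a kernel process list (added illustration, not real kernel
 * structures): records form a circular doubly-linked list that the APIs walk. */
typedef struct proc { int pid; struct proc *flink, *blink; } proc_t;
#define MAX_PROCS 8
static proc_t pool[MAX_PROCS];             /* every allocated record, linked or not */
static int    pool_used;
static proc_t head = { -1, &head, &head }; /* list sentinel */
/* Allocate a record and append it to the list (NULL when the pool is full). */
proc_t *proc_create(int pid) {
    if (pool_used >= MAX_PROCS) return NULL;
    proc_t *p = &pool[pool_used++];
    p->pid = pid;
    p->flink = &head; p->blink = head.blink;
    head.blink->flink = p; head.blink = p;
    return p;
}

/* The hiding step described above: the record stays allocated, but its
 * neighbours are relinked around it, so a list walk no longer reaches it. */
void proc_unlink(proc_t *p) {
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
}

/* "API view": the pids a tool that walks the list would report. */
int list_walk(int *pids, int max) {
    int n = 0;
    for (proc_t *p = head.flink; p != &head && n < max; p = p->flink)
        pids[n++] = p->pid;
    return n;
}

/* Cross-view detection: every pool record (an independent view, standing in
 * for a memory scan of process objects) that the list walk cannot reach. */
int find_hidden(int *hidden, int max) {
    int n = 0;
    for (int i = 0; i < pool_used && n < max; i++) {
        proc_t *p = head.flink;
        while (p != &head && p != &pool[i]) p = p->flink;
        if (p == &head) hidden[n++] = pool[i].pid;
    }
    return n;
}
int main(void) {
    int pids[MAX_PROCS], hidden[MAX_PROCS];
    proc_create(4); proc_t *mal = proc_create(1337); proc_create(2048);
    proc_unlink(mal);                    /* simulate the hiding of pid 1337 */
    printf("visible=%d hidden=%d\n", list_walk(pids, MAX_PROCS), find_hidden(hidden, MAX_PROCS));
}
```

Real cross-view tools work the same way at larger scale: any object that one enumeration path reports and another does not is flagged for investigation.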