There are various types of rootkits in user mode, kernel mode, and even boot mode:
- Application rootkits: These replace the normal, legitimate application files or their shortcuts with a rootkit that ensures the malware is loaded and hidden from the user.
- Library rootkits: We covered library rootkits in Chapter 4, Inspecting Process Injection and API Hooking; they are user-mode rootkits that inject themselves into other processes and hook their APIs to hide the malware files, registry keys, and other Indicators of Compromise (IoCs) from these processes. They can be used to bypass AV programs, task managers, and more.
- Kernel-mode rootkits: We will be primarily covering these rootkits in this chapter. These rootkits are device drivers that hook different functions in kernel mode to hide the malware's presence and give the malware the power of kernel mode. They can also inject code and data into other processes, terminate AV processes, intercept network traffic, perform...
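The library rootkits described above hide their IoCs by patching the entry bytes of API functions inside other processes. One defender-side check is to compare each export's in-memory prologue with its on-disk image and recognise the trampoline forms such hooks usually leave behind. The code below is an added example, not from the book; the byte sequences and addresses are constructed to illustrate the check, not captured from a real sample.

```python
import struct

MASK64 = 0xFFFFFFFFFFFFFFFF

def first_difference(disk_bytes: bytes, mem_bytes: bytes) -> int:
    """Offset of the first byte where the in-memory copy of a function
    diverges from its on-disk image, or -1 if they match."""
    for i, (a, b) in enumerate(zip(disk_bytes, mem_bytes)):
        if a != b:
            return i
    return -1

def classify_hook(mem_bytes: bytes, func_addr: int):
    """Recognise common inline-hook trampolines at a function's start.
    Returns (kind, target_or_pointer_slot) or None if none is present."""
    b = mem_bytes
    if len(b) >= 5 and b[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", b, 1)[0]
        return ("jmp rel32", (func_addr + 5 + rel) & MASK64)
    if len(b) >= 6 and b[:2] == b"\xFF\x25":              # jmp [rip+disp32] (x64)
        disp = struct.unpack_from("<i", b, 2)[0]
        # the target lives in the pointer slot; report the slot's address
        return ("jmp [rip+disp32]", (func_addr + 6 + disp) & MASK64)
    if len(b) >= 12 and b[:2] == b"\x48\xB8" and b[10:12] == b"\xFF\xE0":
        return ("mov rax/jmp rax", struct.unpack_from("<Q", b, 2)[0])
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:      # push imm32; ret
        return ("push/ret", struct.unpack_from("<I", b, 1)[0])
    return None

def scan_exports(samples: dict) -> list:
    """samples maps export name -> (disk_bytes, mem_bytes, func_addr).
    Returns one (name, diff_offset, hook_info) tuple per modified export."""
    findings = []
    for name, (disk, mem, addr) in samples.items():
        off = first_difference(disk, mem)
        if off != -1:
            findings.append((name, off, classify_hook(mem, addr)))
    return findings

# Constructed sample data: a clean ntdll-style stub and three patched copies.
CLEAN = bytes.fromhex("4c8bd1b81000000000000000")
SAMPLES = {
    "NtQueryDirectoryFile": (CLEAN, CLEAN, 0x10000),
    "NtEnumerateKey": (CLEAN, bytes.fromhex("e9fbff0000") + CLEAN[5:], 0x10000),
    "NtOpenProcess": (CLEAN, b"\x48\xB8" + struct.pack("<Q", 0x7FF812345678)
                      + b"\xFF\xE0", 0x10000),
    "NtCreateFile": (CLEAN, b"\x68" + struct.pack("<I", 0x401000) + b"\xC3", 0x10000),
}
```

Running `scan_exports(SAMPLES)` flags the three patched exports and resolves each trampoline's destination; a real scan would read the on-disk bytes from the mapped DLL and the in-memory bytes from the target process.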