Rootkits - O-LavenderAshburn/Knowledgebase_MalwareAnalysis GitHub Wiki
What Are Rootkits
A rootkit is a type of malicious software designed to gain and maintain privileged access to a system while actively hiding its presence. Rootkits can operate at different levels of a system, including kernel mode, firmware, and hardware.
Kernel Rootkits
Kernel rootkits operate with system-level privileges in the innermost ring of the kernel (Ring 0). Malware at this level can intercept and modify system calls, which gives it control over many aspects of the system it runs on and lets it hide itself while maintaining that control. Rootkits can also operate at the user level (Ring 3), but with fewer privileges.
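One defensive check that follows from this, as an added example (not the wiki's code): a kernel rootkit that hides a process by filtering the /proc listing rarely makes every kernel interface lie consistently, so comparing /proc against a kill(pid, 0) probe of every possible PID exposes the discrepancy (the classic cross-view technique). It assumes Linux with procfs mounted at /proc; run as root for a complete picture.

```python
"""Cross-view check for hidden processes on Linux (added example, not the wiki's code).
Compares the /proc listing (the view a rootkit usually filters) with a kill(pid, 0)
probe of every possible PID; IDs the kernel admits but /proc omits need review."""
import os

PROC = "/proc"  # assumption: standard procfs mount point

def visible_ids(proc_root=PROC):
    """PIDs and thread IDs listed in procfs, i.e. the view a rootkit filters."""
    ids = set()
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:  # threads also answer kill(tid, 0), so count them as visible
            ids.update(int(t) for t in os.listdir(f"{proc_root}/{name}/task"))
        except OSError:
            pass  # task exited between the two listings; harmless
    return ids

def task_exists(pid):
    """True if the kernel reports a task with this ID, whoever owns it."""
    try:
        os.kill(pid, 0)          # signal 0: existence/permission check only
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True              # exists but belongs to another user

def probe_existing(pid_max):
    """Low-level view: every ID in 1..pid_max the kernel admits exists."""
    return {pid for pid in range(1, pid_max + 1) if task_exists(pid)}

def hidden_candidates(visible, probed):
    """Pure comparison of the two views: admitted by the kernel, absent from /proc."""
    return probed - visible

def scan(pid_max=None):
    """Live scan; candidates are re-checked so tasks that merely exited drop out."""
    if pid_max is None:  # pid_max bounds the probe; a few seconds for the default 4M
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    first = hidden_candidates(visible_ids(), probe_existing(pid_max))
    return {p for p in first if task_exists(p) and p not in visible_ids()}

if __name__ == "__main__":
    print(sorted(scan()) or "no hidden process candidates")
```

A non-empty result is a lead, not proof: a rootkit that also hooks kill() will pass this check, which is why tools of this kind combine several independent views.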
Firmware Rootkits
Firmware rootkits reside in the low-level firmware of hardware components, such as BIOS, UEFI, network cards, graphics cards, and even hard drives. These rootkits do not depend on the operating system, making them persistent and difficult to detect or remove.
Bootkits
A bootkit is an advanced form of rootkit that infects the boot process of a system, allowing attackers to execute malicious code before the operating system (OS) loads. This early execution makes bootkits extremely persistent and difficult to detect, as they operate outside the OS and can evade traditional security measures.