A kernel-level rootkit operates at the core of the operating system (the OS kernel), enabling the attacker to:
Modify or replace kernel code
Load malicious kernel modules
Hide files, processes, and backdoors at a level that is difficult for standard security tools to detect
According to CEH v13:
Kernel-mode rootkits are highly stealthy and dangerous because they run with the highest privileges (kernel mode).
These rootkits modify system calls and kernel-space memory structures to conceal malicious activity from tools that query the kernel for process, file, and network information.
Incorrect Options:
A. User-mode rootkits operate at the application layer and are less stealthy than kernel-level rootkits, because the kernel's own view of the system remains intact.
B. Library-level rootkits manipulate standard shared libraries (such as libc) to intercept API calls made by applications.
D. Hypervisor-level rootkits run beneath the OS (e.g., by inserting a thin virtualization layer) and are extremely rare and complex.
Reference – CEH v13 Official Courseware:
Module 06: Malware Threats
Section: “Types of Rootkits”
Subsection: “Kernel-Mode Rootkits vs. User-Mode Rootkits”