Computer Science ›› 2010, Vol. 37 ›› Issue (4): 59-.


Research on Stealth Technology of Windows Kernel-level Rootkits

GONG Guang, LI Zhou-jun, HU Chao-jian, ZOU Yun-ke, LI Zhi-peng

  • Online:2018-12-01 Published:2018-12-01

Abstract: As Rootkits technology receives more and more attention in the field of cyber-security, new Anti-rootkits technologies continue to emerge. Under detection by various Anti-rootkits tools, conventional Rootkits stealth technology has difficulty remaining effective. Based on a systematic analysis of traditional kernel-level Rootkits stealth technology, this paper presents a three-in-one Rootkits stealth architecture built on driver module integral transposition, kernel threads injection, and IRP inline Hook in depth. Experimental results show that Rootkits based on this stealth architecture can bypass detection by some well-known Anti-rootkits tools (such as Rootkit Unhooker and IceSword), which fully demonstrates the effectiveness of this three-in-one Rootkits stealth architecture.

Key words: Rootkits, Anti-rootkits, Driver module integral transposition, Kernel threads injection, IRP inline Hook in depth
