A rootkit is a set of tools that tries to subvert the default behaviour of the operating system in order to gain the power of root, the superuser on Unix-like systems.
Rootkits have been known for more than 15 years. They gained public attention among end users around 2005, after a legitimate company used rootkit techniques as part of its defensive mechanism, and after malware and virus writers started to use rootkit methods to hide their malware inside the operating system.
Subverting Operating System behavior:
Using a rootkit, an attacker can change the default behaviour of the operating system in several ways. A rootkit can work in the user environment (user mode) or in the kernel environment (kernel mode). Prior to Windows Vista, the operating system kernel was more exposed to kernel rootkits, because fewer security checks were performed once the rootkit driver had been installed and was running inside the kernel.
There was easy-to-use code that could inject a driver into the Windows operating system without passing the security checks, and this was the easy way to get rootkit drivers into the operating system.
How the default behaviour of the operating system can be changed is illustrated by an old open-source rootkit called FU, which was developed in the Delphi programming language.
This rootkit uses a driver to hide files on the system by manipulating the default behaviour of the file search API, the FindFirstFile and FindNextFile calls. With this rootkit installed, any file whose name starts with '_root_' was hidden from those functions, and that was its way of hiding files on the operating system.
Using methods like this, a rootkit can hide most of the objects on the Windows operating system: processes, registry keys, services, network connections and so on.
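The hiding technique just described has a well-known defensive counterpart: cross-view detection. A detector enumerates the same directory through two independent paths, the high-level API a rootkit typically hooks and a lower-level view the hook does not touch, and reports any name that appears in one view but not the other. The example below is added here and is not code from the page or from the FU rootkit. It is a self-contained model: the directory contents are constructed sample data, `hooked_view` is a hypothetical stand-in for a hooked FindFirstFile/FindNextFile enumeration that drops names starting with `_root_` (the filtering rule the page describes), and `trusted_view` is a hypothetical stand-in for an unhooked, lower-level enumeration. The detector itself, `cross_view_diff` and `scan`, is the general technique and does not depend on the `_root_` prefix.

```python
"""Cross-view detection of API-level file hiding (added example, constructed data)."""

# Prefix the page says the rootkit filtered out of the search API results.
HIDE_PREFIX = "_root_"

# Constructed sample: what each directory really contains on disk.
# These paths and names are invented for the example, not real artefacts.
RAW_DIRECTORY = {
    r"C:\Windows\System32": ["kernel32.dll", "ntoskrnl.exe", "_root_driver.sys", "drivers"],
    r"C:\Users\alice": ["notes.txt", "_root_loader.exe", "Documents"],
    r"C:\clean": ["readme.txt"],
}


def trusted_view(path):
    """Hypothetical low-level enumeration (e.g. reading volume structures directly).

    Models a view the hook cannot influence; here it simply returns the raw listing.
    """
    return list(RAW_DIRECTORY.get(path, []))


def hooked_view(path):
    """Hypothetical model of a hooked FindFirstFile/FindNextFile enumeration.

    Reproduces the page's description: entries whose name starts with the
    hide prefix never reach the caller. Used only so the detector has a
    subverted view to compare against.
    """
    return [name for name in trusted_view(path) if not name.startswith(HIDE_PREFIX)]


def cross_view_diff(path, high_level=hooked_view, low_level=trusted_view):
    """Compare two independent enumerations of one directory.

    'hidden'  : present in the low-level view but missing from the API view,
                the signature of an enumeration hook hiding files.
    'phantom' : present in the API view but absent from the low-level view,
                which would indicate the API view is being faked the other way.
    Both lists are sorted so results are deterministic.
    """
    high = set(high_level(path))
    low = set(low_level(path))
    return {"hidden": sorted(low - high), "phantom": sorted(high - low)}


def scan(paths, high_level=hooked_view, low_level=trusted_view):
    """Run the cross-view comparison over several directories.

    Returns only the directories where the two views disagree, so a clean
    system yields an empty result.
    """
    findings = {}
    for path in paths:
        diff = cross_view_diff(path, high_level, low_level)
        if diff["hidden"] or diff["phantom"]:
            findings[path] = diff
    return findings


if __name__ == "__main__":
    for directory, diff in scan(RAW_DIRECTORY).items():
        print(directory, "hidden:", diff["hidden"], "phantom:", diff["phantom"])
```

The detector is deliberately independent of how the hiding is done: it never looks for the `_root_` string, it only reports disagreement between two views. On a real system the value of the approach comes entirely from how independent the low-level view is; if both enumerations pass through the same hooked code path, the views agree and the hidden files stay hidden, which is why real cross-view tools read the file system structures themselves rather than calling the documented search API twice.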