A rootkit can trivially hide wherever it likes if module loading is enabled: rootkits don't
respect the exportedness of symbols.
(Most common rootkits can inject themselves by banging directly on /dev/mem. It will be good
to finally eliminate the ability to write to that device... come on pci-rework, we want X to
not depend on /dev/mem anymore :) )