If you have implemented any rootkits, you will know that the best way to do it IS NOT to hook at the syscall level (e.g., because "sys_read" can be used for so many purposes). Instead, it is much better to do it at a lower level (e.g., the VFS layer). But if you can hook the syscall table, you can also unpatch the patch that Arjan has put in to protect the syscall table. Likewise, many other techniques, like making the ".text" region read-executable only, are really a joke, because you can easily undo them if you are a rootkit. E.g., ftrace has to make the region writeable momentarily and then switch it back to read-only; exactly the same sequence of steps can be executed by the rootkit kernel module as well. In general, "rootkit" means that the system is already 0wned (or compromised). Comments?
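One defensive angle on the syscall-table hooking discussed above is to audit a captured copy of the table against the kernel's own symbol map. The following is an added example, not code from the post or from any kernel project; it assumes two constructed inputs, a `/proc/kallsyms`-style listing and a `syscall number -> slot address` dump (as a memory-forensics tool or kernel debugger could produce), and flags slots that point outside the core kernel text range `[_stext, _etext)` or at a symbol other than the expected `sys_*` handler.

```python
# Constructed /proc/kallsyms-style sample: core kernel symbols plus one
# symbol living in a loaded module (module name in brackets is constructed).
KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff81200000 T sys_read
ffffffff81200100 T sys_write
ffffffff81200200 T sys_open
ffffffff81200300 T sys_close
ffffffff81e00000 T _etext
ffffffffc0001000 t hooked_read\t[sample_mod]
"""

# Constructed dump of syscall-table slots: number -> address stored in the slot.
# Slot 2 points into module memory; slot 3 points at the wrong kernel function.
SYSCALL_TABLE = {
    0: 0xFFFFFFFF81200000,
    1: 0xFFFFFFFF81200100,
    2: 0xFFFFFFFFC0001000,
    3: 0xFFFFFFFF81200100,
}

# Expected handler symbol per syscall number (constructed for this sample).
EXPECTED = {0: "sys_read", 1: "sys_write", 2: "sys_open", 3: "sys_close"}


def parse_kallsyms(text):
    """Map symbol name -> address from kallsyms-formatted lines."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        syms[parts[2]] = int(parts[0], 16)
    return syms


def check_table(table, expected, syms):
    """Return (nr, reason, address, symbol) for every suspicious slot."""
    stext, etext = syms["_stext"], syms["_etext"]
    by_addr = {addr: name for name, addr in syms.items()}
    findings = []
    for nr, addr in sorted(table.items()):
        name = by_addr.get(addr)
        if not (stext <= addr < etext):
            # Slot redirected to memory outside the core kernel image.
            findings.append((nr, "outside core kernel text", hex(addr), name))
        elif name != expected.get(nr):
            # Inside kernel text, but not the handler this syscall should have.
            findings.append((nr, "unexpected symbol", hex(addr), name))
    return findings


if __name__ == "__main__":
    for f in check_table(SYSCALL_TABLE, EXPECTED, parse_kallsyms(KALLSYMS)):
        print(f)
```

A clean table yields an empty list; on a live system the same comparison needs the table contents read from kernel memory, which this offline sample stands in for.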