Hooked on Linux: Rootkit Taxonomy, Hooking Techniques and Tradecraft
ID: 9d457a5c-f132-5a3f-b4b7-297695995dfe
STIX ID: report--9d457a5c-f132-5a3f-b4b7-297695995dfe
Feed Name: Elastic Security Labs
This technical primer surveys Linux rootkits: their goals (persistence and stealth), their evolution from userland LD_PRELOAD tricks to modern kernel-resident implants abusing eBPF and io_uring, and the hooking techniques they rely on in detail (syscall table, inline prologue patching, VFS hooks, ftrace, kprobes, and more). It catalogs loader and payload models, cites real-world examples, discusses detection challenges and defensive opportunities, and previews a follow-up focused on detection engineering.