Rootkits in particular are known for their stealthiness, and they sometimes go to great lengths to conceal their presence, as Russinovich explains: “Rootkits that hide files, directories and Registry keys can either execute in user mode by patching Windows APIs in each process that applications use to access those objects, or in kernel mode by intercepting the associated kernel-mode APIs….”

According to his writeup, the XCP driver is indiscriminate about what it conceals: “I studied the driver’s initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with ‘$sys$’….”

For example, some users are granted “administrator” or “root” level access—full control of the system—while others may be given more limited authority that allows them to perform everyday tasks but prevents them from damaging other users’ files or impairing the operation of the computer.
…If every user on a system has administrator access, any malicious programs that become installed can put up their own cloaking mechanisms using the same techniques that XCP2 uses…. Later, if one of the unprivileged users installs some malware, it can use the XCP2 driver to hide itself from the user and the Administrator, even though it wouldn’t have permission to perform such cloaking on its own.
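The two points above, a prefix-keyed cloaking hook and its availability to any local user, both show up as the same symptom: the enumeration API reports fewer entries than a lower-level view of the same location. The following cross-view comparison is an added example, not code from the article or from Russinovich; the paths and both directory listings are constructed for the demonstration and are not real XCP artifacts.

```python
# Cross-view comparison for detecting name-based cloaking (added example).
# API_VIEW and RAW_VIEW are constructed sample listings, not real XCP data.
import os
from typing import Iterable

CLOAK_PREFIX = "$sys$"  # prefix the article says the XCP driver hides

# What a process sees through the (hooked) directory-enumeration API.
API_VIEW = {
    r"C:\example\readme.txt",
    r"C:\example\player.exe",
}

# The same directory as an offline scan of the volume would report it.
RAW_VIEW = {
    r"C:\example\readme.txt",
    r"C:\example\player.exe",
    r"C:\example\$sys$hidden.dll",   # cloaked by the driver
    r"C:\example\$sys$dropped.exe",  # dropped by an unprivileged user's program
}


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> dict:
    """Entries visible in only one view.

    'hidden': in the raw view but not the API view (signature of a hook).
    'phantom': the reverse; usually the directory changed between scans.
    """
    api, raw = set(api_view), set(raw_view)
    return {"hidden": sorted(raw - api), "phantom": sorted(api - raw)}


def matches_cloak_prefix(path: str, prefix: str = CLOAK_PREFIX) -> bool:
    """True if the final path component carries the cloaking prefix."""
    return os.path.basename(path.replace("\\", "/")).startswith(prefix)


def audit(api_view: Iterable[str], raw_view: Iterable[str],
          prefix: str = CLOAK_PREFIX) -> dict:
    """Hidden entries plus the subset whose name alone explains the hiding:
    a prefix-keyed hook conceals every such name, whoever created it."""
    diff = cross_view_diff(api_view, raw_view)
    diff["prefix_hits"] = [p for p in diff["hidden"]
                           if matches_cloak_prefix(p, prefix)]
    return diff


if __name__ == "__main__":
    for kind, items in audit(API_VIEW, RAW_VIEW).items():
        print(f"{kind}: {items}")
```

Any entry in `hidden` that is not also in `prefix_hits` deserves a closer look, since it was concealed by something other than the name rule described here.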