Certified Ethical Hacker (CEH v11) — Question 334

Which rootkit is characterized by its function of adding code and/or replacing some of the operating-system kernel code to obscure a backdoor on a system?

Answer options

Correct answer: C

Explanation

The correct answer is C, Kernel-level rootkit, because it directly modifies the operating system kernel to conceal its presence and maintain a backdoor. User-mode and Library-level rootkits operate at a higher level, affecting user applications without altering the kernel itself, while Hypervisor-level rootkits manipulate the hypervisor layer, so they are less directly involved in modifying the kernel.