I have been learning about rootkits recently and have noticed the hooking techniques that kernel-land rootkits use in order to perform malicious actions.
A typical hooking operation would be to hook on to a legitimate system call, and then replace the legitimate action with the malicious action first, before actually calling the legitimate action.
But if that is the case, why not make the system call table unmodifiable from the start?
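
Added example, not part of the original post: a defender-side integrity check for the kind of hook described above, which flags system call table entries whose handler address lies outside core kernel text or belongs to a loadable module. The symbol listing (in `/proc/kallsyms` line format) and the table snapshot are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample in /proc/kallsyms line format:
#   "<hex address> <type> <name> [module]"
KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff81200000 T __x64_sys_read
ffffffff81200400 T __x64_sys_write
ffffffff81200800 T __x64_sys_open
ffffffff81e00000 T _etext
ffffffffc0a00000 t hooked_open [example_mod]
"""

# Constructed snapshot of the table (index -> handler address), as a
# memory-forensics tool would read it from a memory image.
TABLE = [0xFFFFFFFF81200000, 0xFFFFFFFF81200400, 0xFFFFFFFFC0A00000]


def parse_kallsyms(text):
    """Return {address: (symbol name, module name or None)}."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        module = parts[3].strip("[]") if len(parts) > 3 else None
        symbols[int(parts[0], 16)] = (parts[2], module)
    return symbols


def check_table(table, symbols):
    """List entries that do not point into core kernel text."""
    by_name = {name: addr for addr, (name, _) in symbols.items()}
    lo, hi = by_name["_stext"], by_name["_etext"]
    findings = []
    for index, addr in enumerate(table):
        name, module = symbols.get(addr, ("<unknown>", None))
        # A legitimate handler lives in [_stext, _etext) and is not
        # owned by a loadable module.
        if not (lo <= addr < hi) or module is not None:
            findings.append((index, hex(addr), name, module))
    return findings


if __name__ == "__main__":
    for finding in check_table(TABLE, parse_kallsyms(KALLSYMS)):
        print("suspicious entry:", finding)
```

This check only covers redirected table entries; a handler whose own code has been patched in place still resolves inside kernel text and needs a separate code-integrity comparison.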