Calls to driver load functions, including associated driver objects to be
loaded, are stalled and evaluated for indications of a rootkit. When a
rootkit is indicated, protective action is taken, and optionally a user
or system administrator is notified. Calls not indicative of a rootkit
are released and allowed to load. In one embodiment, calls to currently
loaded drivers and calls related to installation of new hardware are
excluded from the evaluation for indications of a rootkit. In additional
embodiments, sensitive structures and calls to sensitive structures of a
computer system are also evaluated for indications of a rootkit.
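The stall-evaluate-release flow above, modelled as an added C example that is not part of the abstract or any implementation of it; the struct fields, the two indicator bits (unsigned image, write to a sensitive structure) and the queue type are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the gating flow in the abstract. Field names and
 * the two indicator bits are assumptions for this example, not a real
 * kernel API or the patent's own heuristics. */
typedef struct {
    const char *name;
    bool already_loaded;    /* call targets a driver that is already loaded */
    bool hardware_install;  /* call is part of installing new hardware */
    bool image_signed;      /* assumed indicator when false: unsigned image */
    bool writes_sensitive;  /* assumed indicator: writes a sensitive structure */
} driver_load_call;

typedef enum { GATE_RELEASE = 0, GATE_BLOCK = 1 } gate_decision;

/* Already-loaded drivers and hardware-install calls skip evaluation. */
static bool is_excluded(const driver_load_call *c) {
    return c->already_loaded || c->hardware_install;
}

/* Count the indicators that fire; zero means no rootkit indication. */
static int rootkit_indicators(const driver_load_call *c) {
    return (c->image_signed ? 0 : 1) + (c->writes_sensitive ? 1 : 0);
}

/* Decide one stalled call; *notified models the optional user/admin alert. */
gate_decision gate_driver_load(const driver_load_call *c, bool *notified) {
    if (is_excluded(c)) return GATE_RELEASE;
    if (rootkit_indicators(c) == 0) return GATE_RELEASE;
    if (notified) *notified = true;   /* protective action taken, alert raised */
    return GATE_BLOCK;
}

/* Stall queue: calls are held here until gate_driver_load rules on them.
 * Drain releases the clean ones; returns count released, *blocked count held. */
#define MAX_PENDING 8
typedef struct { driver_load_call calls[MAX_PENDING]; size_t n; } stall_queue;

size_t drain_stall_queue(stall_queue *q, size_t *blocked) {
    size_t released = 0, held = 0;
    for (size_t i = 0; i < q->n; i++) {
        if (gate_driver_load(&q->calls[i], NULL) == GATE_RELEASE) released++;
        else held++;
    }
    q->n = 0;                 /* every stalled call has now been decided */
    if (blocked) *blocked = held;
    return released;
}
```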