Carleton University - School of Computer Science Honours Project
Winter 2019
Defense Rootkit
Xiong bo Zhang
ABSTRACT
A rootkit is a set of tools used to hide the presence of, and retain control over, a compromised computer. The technique is increasingly used by malware. On Windows-based systems, rootkits are most often used to hide programs or processes. Once a rootkit has been injected into a system, it can perform operations without the user's awareness; its concealment is therefore very high, and its potential harm is great. How a rootkit works: when an attacker wants to compromise a victim's computer, for example by installing a backdoor program, he always leaves some clues behind, and the victim only needs a few ordinary operations, such as running ps, to see the backdoor program running in the background and realise that the system has been attacked. To make the attack more covert, the attacker often modifies system calls and commands such as ls and netstat. This is the core of a rootkit: it replaces the system's original common commands with executable files built for the attacker's own special purposes. Here, we will implement a defensive rootkit that hides files in the system that people do not want seen, so as to achieve confidentiality.
Keywords: rootkit shell fork execl sysrq
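The abstract describes rootkits that replace common commands such as ls and netstat with trojaned executables. A standard way for a defender to notice such a replacement is to keep a known-good hash baseline of system binaries and re-verify it. The following is an added example, not code from the project: it builds a baseline over constructed stand-in files in a temporary directory (standing in for /bin/ls and /bin/netstat), simulates one of them being replaced, and reports which entries changed.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the digest of each trusted binary while the system is known-good."""
    return {p: sha256_file(p) for p in paths}


def verify_baseline(baseline):
    """Compare each baseline entry with the file on disk.

    Returns a dict mapping the file's basename to 'ok', 'modified' or 'missing'.
    """
    findings = {}
    for path, expected in baseline.items():
        name = os.path.basename(path)
        if not os.path.exists(path):
            findings[name] = "missing"
        elif sha256_file(path) != expected:
            findings[name] = "modified"
        else:
            findings[name] = "ok"
    return findings


def demo():
    """Constructed scenario: two stand-in binaries, then 'netstat' is swapped out."""
    workdir = tempfile.mkdtemp()
    ls_path = os.path.join(workdir, "ls")
    netstat_path = os.path.join(workdir, "netstat")
    for p in (ls_path, netstat_path):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")  # constructed trusted content
    baseline = build_baseline([ls_path, netstat_path])
    # Simulate the tampering the abstract describes: netstat is replaced.
    with open(netstat_path, "wb") as f:
        f.write(b"#!/bin/sh\necho replaced\n")  # constructed tampered content
    return verify_baseline(baseline)
```

In a real deployment the baseline would be stored off-host or on read-only media, since a rootkit that can replace ls can also rewrite a baseline file it can reach.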