Introduction. This paper describes the evolution of Windows kernel based rootkit techniques in the Rustock malware family. The paper first presents a brief history of hooking techniques used by previous versions, i.e., Rustock.A and Rustock.B and then a detailed analysis of Rustock.C. Most of these techniques are well published as kernel vulnerabilities. But, this paper correlates real implementation of those techniques to various versions of Rustock. .