Which rootkit replaces the original OS kernel and device driver codes?

Prepare for the Certified Ethical Hacker Version 11 Exam. Study with comprehensive questions and explanations. Equip yourself with the skills needed for success!

Multiple Choice

Which rootkit replaces the original OS kernel and device driver codes?

Explanation:
Kernel-level rootkits operate by replacing the OS kernel and core device drivers, running inside the kernel space with full privileged access. By substituting the kernel and its drivers, this type can intercept and alter any system call, patch kernel data structures, and control hardware interfaces directly. That level of access makes it highly stealthy and persistent, able to hide processes, files, and network activity from standard security tools. In contrast, other rootkit types don't replace the kernel itself: hypervisor-based rootkits hide under a virtualization layer, boot loader level rootkits tamper with the boot process before the OS loads, and library-level rootkits replace user-space libraries rather than kernel code. Replacing the kernel and drivers is the defining feature of a kernel-level rootkit.
