diff --git a/presentations/dry-run/dry-run.qmd b/presentations/dry-run/dry-run.qmd
index 2e94d0e8e5bedff6ab4a39ad0c08a4137c133602..d67d9dfdd721f377a079125b91c4bb90edb407d7 100644
--- a/presentations/dry-run/dry-run.qmd
+++ b/presentations/dry-run/dry-run.qmd
@@ -83,6 +83,21 @@ ne générant pas de **_trap_**[^1]
 
 ## Rootkits
 
+::: {.callout-important}
+\small _"A set of software tools that enable an **unauthorized** user to **gain control**
+of a computer system **without being detected**"_ [^2]
+:::
+
+. . .
+
+| \textcolor{teal}{User mode}   | \textcolor{red}{Kernel mode} |
+|--------------- | --------------- |
+| `LD_PRELOAD` library hijacking | Syscall table _hooking_ |
+| Patching de binaire \footnotesize (e.g. `su`, `passwd`) | Injection de modules/pilotes malicieux \footnotesize(GNU/Linux, Windows) |
+
+
+[^2]: [Oxford English Dictionary, s.v. “rootkit (n.),” December 2024](https://doi.org/10.1093/OED/6892331220)
+
 ## Valeur offensive ajoutée par un hyperviseur
 
 # État de l'art
@@ -104,3 +119,7 @@ ne générant pas de **_trap_**[^1]
 ## _Timing analysis_
 
 # Conclusion
+
+# Références bibliographiques
+
+- [Rootkits: User Mode](https://www.infosecinstitute.com/resources/general-security/rootkits-user-mode-kernel-mode-part-1/)