An overview of early (pre-Linux 3.0) rootkits and their tendency to go deeper into the kernel to hook essential reporting functions: http://www.cs.dartmouth.edu/~sergey/cs258/rootkits/talk.html

Read the code for Knark and Silvio Cesare's notes on patching live kernels (local copy: http://althing.cs.dartmouth.edu/local/vsc07.html)

Note that, as part of its UDP backdoor functionality, Knark makes an execve() system call from the kernel (knark_execve_userprogram()), whereas system calls normally expect their arguments to reside in userland; calling a system call from a kernel context is thus non-trivial. Knark here starts a kernel thread and simulates a user context by re-setting the kernel thread's FS segment selector to a value suitable for userland, while setting the DS selector to the kernel context (where the args extracted from the special UDP packet still live). This can be quite brittle.

For the full code of Knark and other early rootkits, see http://althing.cs.dartmouth.edu/secref/resources/kernel/rootkits/

Observe the march of the rootkit hooks deeper into the kernel in rootkits/phrack-59-5.html and rootkits/stories-phrack59-5/ (code examples). Adore-ng (also in rootkits/) had the distinction of hooking VFS file operations (and staying away from the sys_call_table, which, by then, was patrolled by many defensive tools).

Hooking the Grub bootloader: http://phrack.org/issues/63/10.html

---------[ Mentioned papers: ]---------

"Subtleties of the ANSI/ISO C standard", by Robbert Krebbers, Freek Wiedijk, http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1637.pdf

Infecting newer Linux kernel modules (it got harder with "version magic" no longer permitting the loading of binary drivers): http://www.phrack.org/issues/68/11.html
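The notes above mention that by the Adore-ng era the sys_call_table was "patrolled by many defensive tools". The following is an added example (not code from the course, from Knark, or from any of the linked papers) of the core check such a tool performs: it compares a snapshot of sys_call_table entries against the addresses recorded in System.map and flags entries that disagree, distinguishing an address that falls outside the kernel's text section (typically module address space) from one that merely differs. Both inputs are constructed here with made-up addresses so the script runs offline; a real tool would need kernel access to read the live table, and, as the notes point out for Adore-ng, a rootkit that hooks VFS file operations instead leaves this table untouched and would not be seen by this check.

```python
"""Integrity check of a sys_call_table snapshot against System.map.

Added example, not part of the original notes. The two inputs below are
constructed: (a) a few System.map-style lines and (b) a dump of
sys_call_table entries as a defensive tool might collect them.
"""
import re

# Constructed System.map excerpt (addresses are made up for the example).
SYSTEM_MAP = """\
ffffffff81000000 T _text
ffffffff8105d8a0 R sys_call_table
ffffffff8109a3d0 T sys_getdents64
ffffffff810b2e10 T sys_read
ffffffff810b2f40 T sys_write
ffffffff810c1a20 T sys_execve
ffffffff81a00000 T _etext
"""

# Constructed dump of the live table: (syscall name, address found in the table).
# The sys_getdents64 entry is deliberately made to point into module space,
# which is what a sys_call_table hook would look like to a patrolling tool.
LIVE_TABLE = [
    ("sys_read", 0xffffffff810b2e10),
    ("sys_write", 0xffffffff810b2f40),
    ("sys_getdents64", 0xffffffffa0123450),  # constructed hooked entry
    ("sys_execve", 0xffffffff810c1a20),
]

MAP_LINE = re.compile(r"^([0-9a-f]+)\s+([A-Za-z])\s+(\S+)$")


def parse_system_map(text):
    """Return {symbol: address} for every well-formed line of System.map text."""
    symbols = {}
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            symbols[m.group(3)] = int(m.group(1), 16)
    return symbols


def check_table(live_entries, symbols):
    """Compare each live table entry with the address System.map records.

    Returns a list of (name, live_addr, expected_addr, reason) for entries
    that disagree. reason is "outside-text" when the live address is not
    within [_text, _etext), "mismatch" when it is inside the text section
    but still not the recorded address, and "unknown-symbol" when
    System.map has no entry for that name.
    """
    text_start, text_end = symbols["_text"], symbols["_etext"]
    findings = []
    for name, live in live_entries:
        expected = symbols.get(name)
        if expected is None:
            findings.append((name, live, None, "unknown-symbol"))
            continue
        if live == expected:
            continue
        in_text = text_start <= live < text_end
        findings.append((name, live, expected, "mismatch" if in_text else "outside-text"))
    return findings


if __name__ == "__main__":
    syms = parse_system_map(SYSTEM_MAP)
    for name, live, expected, reason in check_table(LIVE_TABLE, syms):
        recorded = f"{expected:#x}" if expected is not None else "absent"
        print(f"{name}: table has {live:#x}, System.map says {recorded} ({reason})")
```

Running it prints one finding, the sys_getdents64 entry pointing outside the text section; the "mismatch" case covers an entry redirected to a trampoline placed inside kernel text, which a range check alone would miss.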