Each time the kernel is compiled, a file containing the map of kernel symbols and addresses is created (System.map). Comparing the addresses of syscalls in the System.map with the addresses in the syscall table during runtime detects if system calls have been redirected, which may be an indication that the kernel has been compromised by a rootkit.