by grugq 717 days ago
Bringing your own static linked busybox will still evade that rootkit.

If the attacker has modified the environment to present a specific view of system state, bringing your own environment defeats it.

There are tricks which are better than modifying things to hide. For example, there is a race condition between opendir() and readdir() which you can win by using inotify(). Then you can unlink() whatever, wait a while, then link() it back in. During that time it will be deleted and thus invisible to any detection. (I saw a demo of this 12 years ago, so I might be misremembering a bit. I know it used inotify() and unlink().)


Like a sibling comment mentioned, process injections can also happen. But besides that, if your busybox wasn't already on the system, then what's the value of bringing it when you suspect a rootkit? Userland or not, a memory acquisition of the system for off-box analysis (Volatility) would be ideal and most reliable in my opinion.
Not if your running processes infect running userspace processes.
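The unlink-then-relink trick grugq describes works because a scanner that walks a directory once only sees what was linked in at the moment of that single readdir() pass. As an added example (not code from any commenter), here is a small defender-side check that takes several directory snapshots over time, keyed by name and inode, and reports entries that are present in some passes but absent in others. The `snapshot_dir`, `transient_entries` and `watch_dir` names, the pass count and the interval are assumptions made for this illustration; the example uses only the standard library and creates its own temporary directory so it runs offline.

```python
import os
import tempfile
import time
from collections import Counter


def snapshot_dir(path):
    """One opendir()/readdir() pass over `path`.

    Returns {name: (inode, nlink)}. Anything unlinked for the duration of
    this single walk simply does not appear in the result, which is exactly
    the blind spot a one-shot scanner has.
    """
    result = {}
    with os.scandir(path) as entries:
        for entry in entries:
            try:
                st = entry.stat(follow_symlinks=False)
            except FileNotFoundError:
                # Vanished between readdir() and stat(); treat as absent
                # in this pass rather than crashing the scan.
                continue
            result[entry.name] = (st.st_ino, st.st_nlink)
    return result


def transient_entries(snapshots):
    """Names that appear in some snapshots but not in all of them.

    A file that is unlinked while a scanner runs and linked back later will
    be missing from at least one pass; comparing passes exposes the gap that
    any single pass cannot see.
    """
    seen = Counter()
    for snap in snapshots:
        seen.update(snap.keys())
    total = len(snapshots)
    return sorted(name for name, count in seen.items() if count < total)


def watch_dir(path, passes=5, interval=0.2):
    """Take `passes` snapshots `interval` seconds apart and return the names
    that flickered in and out between them (assumed defaults)."""
    snaps = []
    for _ in range(passes):
        snaps.append(snapshot_dir(path))
        time.sleep(interval)
    return transient_entries(snaps)


def demo():
    """Constructed scenario: a file that is absent during one scan pass only."""
    with tempfile.TemporaryDirectory() as d:
        steady = os.path.join(d, "steady.txt")
        flicker = os.path.join(d, "flicker.txt")
        for p in (steady, flicker):
            with open(p, "w") as fh:
                fh.write("x")
        snaps = [snapshot_dir(d)]
        os.remove(flicker)              # gone for the second pass
        snaps.append(snapshot_dir(d))
        with open(flicker, "w") as fh:  # back again for the third pass
            fh.write("x")
        snaps.append(snapshot_dir(d))
        return transient_entries(snaps)


if __name__ == "__main__":
    print("transient entries:", demo())  # expected: ['flicker.txt']
```

The inode recorded in each snapshot is worth keeping: an entry that reappears under the same inode number was re-attached to an existing inode rather than created fresh, which is a stronger signal than the name alone. Repeated passes do not close the gap entirely, since a sufficiently fast unlink/relink can still fall between them, which is the same reason the thread's suggestion of off-box memory acquisition is the more reliable path when a rootkit is suspected.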