The invention discloses a method and a device of detection processing of a core-level rootkit. The method comprises the following steps of A, pre-storing a new loading module node signature at a current node of a core module chain table, and storing a current node signature into a new loading module node; B, loading a new module, judging whether the signature stored in the new loading module node is matched with the current node signature or not, judging whether the signature stored in the current node is matched with the new loading module node signature or not, if one is not matched, preforming the step C; C, comparing a currently operational system call table with a spare system call table, if not consistent, generating a report of discovering a hidden module. According to the method and the device, invasion of the rootkit is detected by setting a mutually matching mechanism of the new loading module and the current node signature of the chain table, and the report is further affirmed through comparing the system call table with a spare reference file, so that the reliability of a detection result is improved, and meanwhile, through setting a system recovery method, safety operation of the system is ensured.