In the article a new approach to detection of kernel- and user-mode rootkits has been described. Presented technique exploits the processor stepping mode to measure the number of instructions executed in system kernel and DLLs, in order to detect additional instructions inserted by malicious code, like rootkits, backdoors, etc... Implementation of simple detection utility for Windows 2000, which makes use of this technique, is also discussed.