drop ntdll / CLR region scan · detect ETW patching bytes in ntdll!EtwEventWrite · runs locally
ret/xor eax patches · jmp hooks at EtwEventWrite · CLR ETW blind · Volatility apihooks text
heuristic screener · parses artifacts locally · not definitive proof of ETW tampering