drop in a kernel object dump · detects missing or removed registry/process callbacks · runs locally
PspCreateProcessNotifyRoutine · CmRegisterCallback · nulled callback slots · baseline differential
heuristic screener · parses artifacts locally · not definitive proof that a rootkit removed callbacks