Copy-pasted methods from the author of SysProt, inspired by old Hoglund's book.
I can't find the source code to acknowledge this, but from ...
Summary of detection techniques in ARKit
Process detection methods:
* PID brute force
* TID brute force
Driver detection methods:
* PsLoadedModuleList traversing
* \Driver\ directory traversing in Object Manager
* \Device\ directory traversing in Object Manager
... I believe it is.
It is useless even against 3-year-old demo rootkits and completely useless against malware rootkits.
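To make the "PID brute force" item concrete, here is an added example of the idea behind that detection method. It is not code from the post, from ARKit or from SysProt, and it assumes a Linux host rather than the Windows kernel the post is about: the brute-force view probes every PID directly with os.kill(pid, 0), the enumeration view is the /proc listing, and a PID present in the first view but missing from the second is flagged as a hidden-process candidate (a cross-view comparison). The helper names probe_pids, listed_pids, find_hidden, scan and self_check are this example's own.

```python
"""Cross-view hidden-process detection by PID brute force (added example).

Not ARKit's or SysProt's code. Linux analogue of the technique: probe every
PID in the valid range directly, compare with the listed view, and report
what only the direct probe can see. Two passes are intersected so that
processes that merely started or exited between the two views are not
reported as hidden.
"""
import os


def probe_pids(pid_max):
    """Brute-force view: every PID the kernel says exists, 1..pid_max."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)  # signal 0 only checks existence; nothing is delivered
        except ProcessLookupError:
            continue  # no such process
        except PermissionError:
            pass  # exists but belongs to another user: still counts as present
        alive.add(pid)
    return alive


def listed_pids():
    """Enumeration view: what an ordinary process listing is built from."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def find_hidden(brute_view, listed_view):
    """Cross-view comparison: PIDs the probe found but the listing omits."""
    return sorted(set(brute_view) - set(listed_view))


def scan(pid_max=None, passes=2):
    """Run the comparison several times and keep only persistent candidates."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    candidates = None
    for _ in range(passes):
        hidden = set(find_hidden(probe_pids(pid_max), listed_pids()))
        candidates = hidden if candidates is None else candidates & hidden
    return sorted(candidates)


def self_check():
    """Sanity check: the running process must show up in the brute-force view."""
    me = os.getpid()
    return me in probe_pids(me)


if __name__ == "__main__":
    hidden = scan()
    print("hidden-process candidates:", hidden if hidden else "none")
```

The two-pass intersection is the part a single-shot brute force usually gets wrong: PID reuse and short-lived processes otherwise produce false positives on any busy host. The comparison itself is the same on Windows, where the probe would be OpenProcess over the PID range and the listed view a process snapshot; what changes is only the two collectors.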