I spent few times working on #AVBurner, a post exploitation tools used by #SnakeCharmer (aka "Earth Longzhi" by #trendmicro). This tool disables kernel callbacks. With my colleagues from @volexity, we wrote a small blog post explaining how it works. But also how to detect kernel callbacks manipulation by using #volatility. As #volshell supports MS symbols we are able to parse in memory kernel objects. More details here: https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-edr-nullifying-malware/