How to detect root kits

volatility -f /path/to/memory/dump.001 --profile=<profile> malfind > malfind-results.txt && grep Process: malfind-results.txt

This will give you one line per injected memory region, showing the process name, PID and address of each suspicious page. Are any of those pages suspicious?

volatility -f /path/to/memory/dump.001 --profile=<profile> ssdt > ssdt-results.txt && grep -v 'ntos\|win32k' ssdt-results.txt

This will give you the SSDT entries whose owning module is neither ntoskrnl nor win32k, i.e. hooks pointing outside the Windows kernel, which should be treated as suspicious.

volatility -f /path/to/memory/dump.001 --profile=<profile> malfind -p <pid of process> --dump-dir=./path/to/save/to/

This will dump the injected regions of that process so you can analyse them (run strings on them and so on).

volatility -f /path/to/memory/dump.001 --profile=<profile> modules > modules-results.txt

This will give you a list of loaded drivers, which could also contain malware. Most of these should be in System32\Drivers, so if it’s anything else it could be fishy. Use the Base address to extract it:

volatility -f /path/to/memory/dump.001 --profile=<profile> moddump -b <base address> --dump-dir=./
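As an added example (not from the original note), the following Python script applies the two filters above, the ssdt owner check and the modules path check, to saved plugin output and prints a moddump command for every driver it flags. The sample text embedded in it is constructed to look like Volatility 2 output and is not from a real dump; the helper names, the accepted directory prefixes and the file names in the samples are my assumptions. It also accepts ntkrnlpa.exe (the PAE kernel image name) as a kernel owner, which the grep on this page does not.

```python
import re
import sys
from pathlib import Path

# Constructed sample of Volatility 2 `ssdt` output (not from a real dump).
SSDT_SAMPLE = """\
[x86] Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
SSDT[0] at 82a6c3d0 with 401 entries
  Entry 0x0000: 0x82c55e86 (NtAcceptConnectPort) owned by ntoskrnl.exe
  Entry 0x0042: 0x82a9c7b1 (NtCreateFile) owned by ntoskrnl.exe
  Entry 0x007a: 0x9a3b1c20 (NtEnumerateKey) owned by suspicious.sys
  Entry 0x0091: 0x9a3b1d80 (NtQueryDirectoryFile) owned by UNKNOWN
SSDT[1] at 9172e000 with 825 entries
  Entry 0x1000: 0x91701e3c (NtGdiAbortDoc) owned by win32k.sys
"""

# Constructed sample of Volatility 2 `modules` output (not from a real dump).
MODULES_SAMPLE = """\
Offset(V)  Name                 Base       Size     File
---------- -------------------- ---------- -------- ----
0x84b1a3e8 ntoskrnl.exe         0x82a3d000 0x410000 \\SystemRoot\\system32\\ntoskrnl.exe
0x84b1a4c0 ndis.sys             0x8af2a000 0x0e7000 \\SystemRoot\\system32\\DRIVERS\\ndis.sys
0x85c0e120 suspicious.sys       0x9a3b0000 0x008000 \\??\\C:\\Users\\Public\\suspicious.sys
0x85c0e2a8 win32k.sys           0x916f0000 0x23b000 \\SystemRoot\\System32\\win32k.sys
"""

SSDT_ENTRY = re.compile(
    r"Entry (0x[0-9a-fA-F]+): (0x[0-9a-fA-F]+) \((\w+)\) owned by (\S+)")

# Owners that are expected to service SSDT entries. "ntos" covers ntoskrnl.exe;
# ntkrnlpa.exe is the PAE kernel image (assumption: added beyond the page's grep).
KERNEL_OWNER_MARKERS = ("ntos", "ntkrnlpa", "win32k")

# Where legitimate drivers normally live. The kernel and win32k sit directly under
# System32, the rest under System32\Drivers (assumption: both spellings accepted).
EXPECTED_PREFIXES = ("\\systemroot\\system32\\", "\\windows\\system32\\")


def suspicious_ssdt_entries(text):
    """Return (index, address, function, owner) for SSDT entries not owned by the kernel or win32k."""
    hits = []
    for m in SSDT_ENTRY.finditer(text):
        owner = m.group(4)
        if any(marker in owner.lower() for marker in KERNEL_OWNER_MARKERS):
            continue  # serviced from inside the Windows kernel: expected
        hits.append((m.group(1), m.group(2), m.group(3), owner))
    return hits


def parse_modules(text):
    """Parse `modules` rows into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)  # offset, name, base, size, path (path kept whole)
        if len(parts) != 5 or not parts[0].startswith("0x"):
            continue
        offset, name, base, size, path = parts
        rows.append({"offset": offset, "name": name, "base": base, "size": size, "path": path})
    return rows


def unusual_module_paths(text):
    """Return (name, base, path) for drivers loaded from outside System32."""
    hits = []
    for row in parse_modules(text):
        if not row["path"].lower().startswith(EXPECTED_PREFIXES):
            hits.append((row["name"], row["base"], row["path"]))
    return hits


def moddump_command(dump, profile, base, outdir="./"):
    """Build the moddump command from the page for one flagged base address."""
    return f"volatility -f {dump} --profile={profile} moddump -b {base} --dump-dir={outdir}"


if __name__ == "__main__":
    # Usage: python rootkit_triage.py [ssdt-results.txt] [modules-results.txt]
    ssdt_text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SSDT_SAMPLE
    modules_text = Path(sys.argv[2]).read_text() if len(sys.argv) > 2 else MODULES_SAMPLE
    for idx, addr, func, owner in suspicious_ssdt_entries(ssdt_text):
        print(f"SSDT hook: entry {idx} {func} -> {addr} owned by {owner}")
    for name, base, path in unusual_module_paths(modules_text):
        print(f"Driver outside System32: {name} at {base} ({path})")
        print("  " + moddump_command("/path/to/memory/dump.001", "<profile>", base))
```

Point it at the ssdt-results.txt and modules-results.txt files produced by the commands above; with no arguments it runs against the constructed samples. Every flagged driver gets a ready-made moddump line so you can pull it out by base address and inspect it.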

Another plugin to use is apihooks, but I’ve no experience with it. You’re supposed to look for “Hooking module: <unknown>”