Friday, 28 October 2016

how to find nt!KeServiceDescriptorTableFilter

Unfortunately, all xrefs to KeServiceDescriptorTableFilter come from non-exported functions, for example PsConvertToGuiThread:
     test    dword ptr [edi+2E8h], 18000h ; EPROCESS.Flags3
     jnz     short loc_6CAD9D

...
loc_6CAD9D:
     mov     dword ptr [esi+3Ch], offset _KeServiceDescriptorTableFilter

But we can do a signature search for part of the instruction test dword ptr [edi+2E8h], 18000h.
First we need the offset of EPROCESS.Flags3. It can be taken from the exported function PsIsProcessCommitRelinquished:
  mov     edi, edi
  push    ebp
  mov     ebp, esp
  mov     eax, [ebp+arg_0]
  mov     eax, [eax+2E8h]
  shr     eax, 12h
  and     al, 1


Nothing special: a bit of disassembly and we have the EPROCESS.Flags3 offset YYXX. Next, search for the bytes
XX YY 00 00 00 80 01 00
(the little-endian offset followed by the immediate 18000h) in the PAGE section. Follow the jnz and you'll get KeServiceDescriptorTableFilter.
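The two steps above, recovering the Flags3 offset from PsIsProcessCommitRelinquished and then following the signature to the mov that stores the table address, as an added Python example (not code from the post). The byte strings are constructed to mirror the listings; PAGE_VA-style addressing and the table address are placeholders, and the x86 encodings assumed are F7 87 disp32 imm32 for the test, 75 rel8 / 0F 85 rel32 for jnz, and C7 46 3C imm32 for the mov.

```python
import struct

# Constructed test data, not bytes from a real ntoskrnl image.
FILTER_TABLE_VA = 0x00601234  # placeholder, not a real address

# Prologue of PsIsProcessCommitRelinquished as in the listing.
PS_IS_PROCESS_COMMIT_RELINQUISHED = bytes.fromhex(
    "8BFF"          # mov edi, edi
    "55"            # push ebp
    "8BEC"          # mov ebp, esp
    "8B4508"        # mov eax, [ebp+arg_0]
    "8B80E8020000"  # mov eax, [eax+2E8h]   <- EPROCESS.Flags3
    "C1E812"        # shr eax, 12h
    "2401"          # and al, 1
)

# Fragment of the PAGE section laid out like PsConvertToGuiThread.
PAGE_FRAGMENT = (
    bytes.fromhex("F787E802000000800100")  # test dword ptr [edi+2E8h], 18000h
    + bytes.fromhex("7504")                # jnz short +4
    + bytes.fromhex("90909090")            # filler (constructed)
    + bytes.fromhex("C7463C")              # mov dword ptr [esi+3Ch], imm32
    + struct.pack("<I", FILTER_TABLE_VA)
)

def flags3_offset(func: bytes) -> int:
    """EPROCESS.Flags3 offset: 'mov eax,[eax+disp32]' (8B 80 disp32)
    directly followed by 'shr eax,12h' (C1 E8 12)."""
    i = func.find(b"\x8b\x80")
    while i != -1:
        if func[i + 6:i + 9] == b"\xc1\xe8\x12":
            return struct.unpack_from("<I", func, i + 2)[0]
        i = func.find(b"\x8b\x80", i + 1)
    raise ValueError("Flags3 pattern not found")

def find_filter_table(page: bytes, flags3_off: int) -> int:
    """Search the section bytes for the test instruction, follow the jnz and
    read the imm32 of 'mov dword ptr [esi+3Ch], imm32' at the target."""
    sig = b"\xf7\x87" + struct.pack("<I", flags3_off) + b"\x00\x80\x01\x00"
    pos = page.find(sig)
    if pos == -1:
        raise ValueError("test-instruction signature not found")
    j = pos + len(sig)
    if page[j] == 0x75:                         # jnz short rel8
        target = j + 2 + struct.unpack_from("<b", page, j + 1)[0]
    elif page[j:j + 2] == b"\x0f\x85":          # jnz near rel32
        target = j + 6 + struct.unpack_from("<i", page, j + 2)[0]
    else:
        raise ValueError("expected jnz after the signature")
    k = page.find(b"\xc7\x46\x3c", target, target + 32)
    if k == -1:
        raise ValueError("mov [esi+3Ch], imm32 not found at jnz target")
    return struct.unpack_from("<I", page, k + 3)[0]

def demo() -> tuple:
    off = flags3_offset(PS_IS_PROCESS_COMMIT_RELINQUISHED)
    return off, find_filter_table(PAGE_FRAGMENT, off)
```

On a real image you would feed flags3_offset the bytes of the exported function and find_filter_table the raw PAGE section; the imm32 is an absolute address from the image's relocation base, so adjust it for the loaded base.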
