I need to change the output buffer whenever a call to ZwDeviceIoControlFile is made. Is it possible to hook ZwDeviceIoControlFile from within a kernel mode driver in Windows 10 x64 while PatchGuard is enabled? If not, could I maybe use ObRegisterCallbacks to change its output buffer?

I would like to know if someone ever succeeded with this on Windows x64 while PG is enabled.

I ended up writing a Hypervisor and using EPT to hide the actual hook when PG does a read operation on the region. I am able to fully hook kernel APIs without PG noticing on Win 10 x64.