Even if you have debug privilege enabled you cannot do much with those processes. But they can be patched in a controlled manner. Enable loaddriver and debug privilege, open target process (most known protected process is audiodg.exe)
for allowed access (e.g. PROCESS_QUERY_LIMITED_INFORMATION; MAXIMUM_ALLOWED doesn't work) prepare valid SYSTEM_HOTPATCH_CODE_INFORMATION.InjectionInfo and call SystemHotpatchInformation with (your) dll. LdrHotpatchRoutine thread is created (even if the process handle doesn't grant create_thread access) in protected process and dll is about to be loaded. But there's no simple image mapping, here comes Code Integrity 'subsystem' represented by CI.dll that is km dll with few exports and that will calculate image hash and compare it with value(s) stored in 'catalogs'. If there isn't match, it returns with {// The hash for image %hs cannot be found in the system catalogs. The image is likely corrupt or the victim of tampering.
//
#define STATUS_INVALID_IMAGE_HASH ((NTSTATUS)0xC0000428L) }.
CI.dll is quite interesting piece of code even such exported function as CiGetPEInformation does sidt and mov eax,dr7 (x86) in its prologue.
All in all, the patching dll's hash must be in catalogs. If it is not, it is not mapped into protected process.


https://www.openrce.org/blog/view/352/Working?_with_protected_processes_in_NT_6