I think it's about time D+ hooked NtGetNextProcess and NtGetNextThread (Vista+). These two system calls can completely bypass D+'s process handle protection. I've already emailed Matousec about it and unfortunately they cannot test it in SSTS because it is not compatible with Vista. When they do get SSTS on Vista though, it would be a disadvantage for CIS to start getting 50% instead of 100% for all the tests just because SSTS was able to obtain handles to CIS processes!
I couldn't make a test program for this though because even if you do get handles to CIS processes it is very difficult to terminate them.
Here are their definitions if anyone's unsure:
NTSTATUS NTAPI NtGetNextProcess(
NTSTATUS NTAPI NtGetNextThread(