The discussion of user space hooks is not new. Actually, the leak tests of www.matousec.com
, always bypass user space hooks while doing intended operations. Hence almost everyone fails in Windows x64 in their tests( Except CIS ofcourse).
In the article, i dont see any bypass. The author just unhooked user space hooks which are used for various purposes however failed to demonstrate what sort of security leak is caused by this. What is bypassed i.e. what security leak did this unhooking cause? Did it allow the attacker to change a protected file? Protected key? etc. As i explained above, there are MANY counter defenses implemented in D+ which copes with these user space hooking issues.
The most significant of them is enhanced mode for example. The author intentionally or unknowingly, didn't mention Enhanced protection mode which is automatic when one switches to paranoid mode. They could not mention perhabs othrwise there would be nothing left to discuss.
Architecturally, user space hooks in CIS are used for compatibility and not for security as much as possible. As of today, CIS even in 64 bit operating systems offers full kernel based protection.