10-08-2005, 23:42
Lunar_Dust
I don't think it would need to be ring-0. Just hook ZwQuery and watch for the NULL input, then BPX on the return and modify the buffer that gets returned. Regardless of how "elegant" the solution is, it is nonetheless the solution. Remember, if you code your own debugger, you do not have to use INT3s for breakpoints. You can use other things too, and I suggest you research it some more (how about using privileged exceptions, eh?). It makes your debugger even more undetectable. In fact, I think a worthy addition to Olly would be to allow for custom breakpoints (using an exception instruction of your own rather than INT3).

For example, all Olly has to do is allow you to set a memory read error breakpoint. Overwrite the code with "mov eax,[eax]" or something. Then Olly keeps an internal list of where that exception should occur. When the exception happens, it recognizes it from its internal list (if not found in the list, it passes it back to the debuggee). Then it restores the original instructions.

I've built all my unpackers this way, which makes them pretty much zero-detectable unless you know what type of "breakpoint" I'm using. Searching for 0xCC won't detect them. So just remember, after you get Olly to work by hand (you can always just set a breakpoint on the RET of the function rather than the beginning of the function, you know!), then you can go on to write your own tool, loader or unpacker, but make it better in those respects (by avoiding the use of INT3 breakpoints, for example).

-Lunar
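The bookkeeping the post describes (patch in a faulting instruction, keep an internal list, on exception check the list and either restore the original bytes or pass the fault back to the debuggee) as an added C example; this is not code from the post, from OllyDbg, or from any of Lunar_Dust's tools. It works on a constructed byte buffer standing in for the debuggee's code image rather than a live process, so there is no exception handler, just the dispatch decision the handler would make. The two bytes 8B 00 are the real x86 encoding of "mov eax,[eax]"; that the instruction actually faults at run time depends on EAX holding an unmapped address, exactly as in the post. The patch is two bytes wide, so the caller must only arm it at an instruction of at least two bytes, or the patch spills into the next instruction; that constraint is the example's own, not something the post states. The 0xCC scan at the end is the check the post says will not find these breakpoints; from the protection side, the consequence is that an INT3 scan alone is not enough and a checksum of the code section against its expected contents is what catches any in-place patch, whatever byte it uses.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* x86 "mov eax,[eax]" (8B 00): the faulting instruction written over the
 * original code in place of INT3 (0xCC). */
#define FAULT_BP_LEN 2
static const uint8_t FAULT_BP_BYTES[FAULT_BP_LEN] = { 0x8B, 0x00 };

#define MAX_BPS 16

/* One entry in the debugger's internal list: where the patch is and what it replaced. */
typedef struct {
    size_t  addr;                 /* offset into the (simulated) code image */
    uint8_t saved[FAULT_BP_LEN];  /* original bytes, restored once the fault is seen */
    bool    active;
} fault_bp_t;

typedef struct {
    fault_bp_t bps[MAX_BPS];
    size_t     count;
} bp_table_t;

static fault_bp_t *find_bp(bp_table_t *t, size_t addr) {
    for (size_t i = 0; i < t->count; i++)
        if (t->bps[i].active && t->bps[i].addr == addr)
            return &t->bps[i];
    return NULL;
}

/* Arm a breakpoint: save the bytes being overwritten, then write the faulting
 * instruction. The caller must ensure addr starts an instruction that is at
 * least FAULT_BP_LEN bytes long, or the patch clobbers the next instruction. */
bool set_fault_bp(bp_table_t *t, uint8_t *code, size_t code_len, size_t addr) {
    if (addr + FAULT_BP_LEN > code_len || t->count >= MAX_BPS || find_bp(t, addr))
        return false;
    fault_bp_t *bp = &t->bps[t->count++];
    bp->addr   = addr;
    bp->active = true;
    memcpy(bp->saved, code + addr, FAULT_BP_LEN);
    memcpy(code + addr, FAULT_BP_BYTES, FAULT_BP_LEN);
    return true;
}

/* The debugger's dispatch decision for an access violation at fault_addr.
 * Returns true when the fault is one of ours: the original bytes are put back
 * so the debuggee can resume at that address. Returns false when the address
 * is not in the list, meaning the exception belongs to the debuggee and must be
 * passed through untouched. */
bool on_access_violation(bp_table_t *t, uint8_t *code, size_t fault_addr) {
    fault_bp_t *bp = find_bp(t, fault_addr);
    if (!bp)
        return false;
    memcpy(code + bp->addr, bp->saved, FAULT_BP_LEN);
    bp->active = false;   /* one-shot, like a BPX that is removed on hit */
    return true;
}

/* What a naive anti-debug check does: look for any INT3 byte in the range. */
bool contains_int3(const uint8_t *code, size_t code_len) {
    for (size_t i = 0; i < code_len; i++)
        if (code[i] == 0xCC)
            return true;
    return false;
}

int main(void) {
    /* Constructed code image: push ebp; mov ebp,esp; sub esp,0x10; pop ebp; ret */
    uint8_t img[8] = { 0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10, 0x5D, 0xC3 };
    bp_table_t table = { 0 };

    set_fault_bp(&table, img, sizeof img, 1);          /* arm on "mov ebp,esp" */
    printf("0xCC present after arming: %s\n", contains_int3(img, sizeof img) ? "yes" : "no");
    printf("fault at 5 is ours: %s\n", on_access_violation(&table, img, 5) ? "yes" : "no");
    printf("fault at 1 is ours: %s\n", on_access_violation(&table, img, 1) ? "yes" : "no");
    printf("bytes restored: %02X %02X\n", img[1], img[2]);
    return 0;
}
```

The "not in the list, pass it through" branch is the part that matters in practice: the debuggee may raise its own access violations, and swallowing those changes its behaviour in a way a well-written protector can notice.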