At the end of all my tests the most reliable way I found to ovecome this test and other similars too (all which are based on a system API generally) is to patch the API to always return a friendly result (friendly fo us ^_^).
For example when writing a debug loader I added some operations to essentialy find the ntdll loading base addressof the victim, get the export I want to patch and patch its ealy bytes.
For ZwQueryObject I patched it as following
Code:
7C91E0D8 > 83FF 00 CMP EDI,0
7C91E0DB 74 06 JE SHORT ntdll.7C91E0E3
7C91E0DD C707 00000000 MOV DWORD PTR DS:[EDI],0
7C91E0E3 B8 00000000 MOV EAX,0
7C91E0E8 C2 1400 RETN 14
when EDI is not NULL the patch set to zero the address pointed by EDI and set EAX to 0, otherwhise only returns EAX=0.