Hi,
You can absolutely do this but it is a lot of work and will require a
very high level of expertise.
1.) You will need to create a signed ELAM driver. You can put your workstation in Test Mode and generate a self-signed EKU certificate.
2.) You will need to create a system service that runs as a protected service.
3.) From the protected system service you may launch child processes which will run as a protected process. Note that protected processes cannot have any GUI threads.
All of the DLLs and executables involved need to be signed by the same certificate. You will need to generate special certificates with the 1.3.6.1.5.5.7.3.3 (code signing) and 1.3.6.1.4.1.311.61.4.1 (early-launch) EKUs.
Something like this:
makecert.exe -a SHA256 -r -pe -ss YourCertStore -n "CN=YourTestElam" -eku 1.3.6.1.4.1.311.61.4.1,1.3.6.1.5.5.7.3.3 -sr localmachine YourTestElam.cer
Good luck. There are a lot of missing steps in this brief summary.
Best Wishes,
-David Delaune
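The certificate step described in the answer above, as an added PowerShell example (not code from the original post or its author): it uses New-SelfSignedCertificate, which ships with the PKI module on current Windows releases, in place of makecert.exe, creates a test certificate carrying both the code-signing and early-launch EKUs, exports it to a .cer file, signs one binary with it and checks that the EKUs and the signer are what was intended. The subject name, store path and file paths are placeholders; the machine is assumed to already be in Test Mode (bcdedit /set testsigning on, followed by a reboot) and the shell to be elevated.

```powershell
# Added example, not part of the original post. Assumptions: elevated
# PowerShell, Windows with the PKI module (New-SelfSignedCertificate),
# machine already in Test Mode. All paths and names below are placeholders.

$Subject     = "CN=YourTestElam"
$StorePath   = "Cert:\LocalMachine\My"
$CodeSigning = "1.3.6.1.5.5.7.3.3"        # Code Signing EKU (from the post)
$EarlyLaunch = "1.3.6.1.4.1.311.61.4.1"   # Early Launch Antimalware EKU (from the post)
$CerOutput   = "C:\placeholder\YourTestElam.cer"          # placeholder path
$TargetFile  = "C:\placeholder\YourElamDriver.sys"        # placeholder path

# 2.5.29.37 is the Extended Key Usage extension OID. Passing it as a text
# extension lets us put both EKUs on one certificate, which is what the
# signing chain for an ELAM driver + protected service needs.
$cert = New-SelfSignedCertificate `
    -Type Custom `
    -Subject $Subject `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation $StorePath `
    -TextExtension @("2.5.29.37={text}$CodeSigning,$EarlyLaunch")

# Export the public certificate (the equivalent of makecert's .cer output).
Export-Certificate -Cert $cert -FilePath $CerOutput | Out-Null

# Check 1: both EKUs must be present, otherwise the loader will reject the
# driver/service as not early-launch or not code-signing capable.
$ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
foreach ($oid in @($CodeSigning, $EarlyLaunch)) {
    if ($ekus -notcontains $oid) {
        throw "Certificate $($cert.Thumbprint) is missing EKU $oid"
    }
}

# Sign one file. Every DLL, EXE and driver in the chain must be signed with
# this same certificate; repeat this call for each of them.
$sig = Set-AuthenticodeSignature -FilePath $TargetFile `
                                 -Certificate $cert `
                                 -HashAlgorithm SHA256

# Check 2: the signature on disk must come from our certificate. A self-signed
# test certificate is not in Trusted Root, so Status will not read "Valid"
# in user mode; comparing the signer thumbprint is the meaningful check here.
$onDisk = Get-AuthenticodeSignature -FilePath $TargetFile
if ($null -eq $onDisk.SignerCertificate -or
    $onDisk.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "$TargetFile is not signed by $($cert.Thumbprint) (status: $($onDisk.Status))"
}

Write-Host "Signed $TargetFile with $($cert.Thumbprint); EKUs: $($ekus -join ', ')"
```

The thumbprint comparison, rather than a check for Status -eq "Valid", is deliberate: a self-signed test certificate will not chain to a trusted root, so Get-AuthenticodeSignature reports it as untrusted even though Test Mode allows the kernel to load the driver; what you actually want to confirm is that every binary in the chain carries the same signer.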