This project demonstrates the use of apfnSimpleCall, a function pointer table inside win32kfull.sys (which is only partially protected by PatchGuard), to hijack a specific group of system calls. This allows a potentional attacker to maintain stealthier communication between a user mode application and kernel code.
https://lesnik.cc/mysyscall-hijacking-windows-system-calls-for-personal-use/